Fake Outlook Calendar Invitations Are Stealing Passwords Across Connecticut — What to Know About 'Quishing'

Police and cybersecurity experts warn CT residents about a QR code phishing scam disguised as a payroll notice — part of a national surge in 'quishing' attacks hitting inboxes in 2026.

Last updated April 4, 2026
Police across Connecticut are warning about a phishing scam using fake Outlook calendar invitations with QR codes to steal your login credentials.

A scam campaign using fake Microsoft Outlook calendar invitations to steal login credentials is spreading across the United States, and Connecticut law enforcement says residents here are not immune.

The Wethersfield Police Department flagged the scheme in a March 23 "Scam of the Week" community alert, but the threat extends well beyond any single town. Similar warnings from law enforcement agencies in other states and national cybersecurity firms were issued in mid-March, indicating the campaign has been running broadly across the country. Cybersecurity researchers at Palo Alto Networks and Hoxhunt have separately documented calendar-based phishing campaigns exploiting the same technique in workplaces nationwide.

The warning comes as Connecticut residents are already contending with a wave of unrelated scams. In early March, the Connecticut DMV warned that fraudulent text messages claiming recipients owe money for unpaid traffic citations were circulating statewide — messages the DMV said it never sends. The Ridgefield Police Department issued a similar phishing text alert on March 12. And in January, the state's Core-CT system cautioned employees to be on guard for phishing attempts timed to W-2 season.

How the Scam Works

The fraudulent calendar invitations arrive in Microsoft Outlook inboxes with the subject line "Final Notice: Payroll Acknowledgement Required." The language is deliberately alarming — scammers use high-pressure phrasing tied to payroll or employment to push recipients into acting quickly, without pausing to verify the message.

The invite contains a PDF attachment — not a direct link — that includes a QR code with instructions to scan it. Scanning initiates a fake "security verification" step, designed to appear official. After that step, the user is redirected to a fraudulent Microsoft 365 login page that closely mimics the real one.

When a user enters their username and password on that page, those credentials are sent directly to the cybercriminals behind the scam. Attackers can then use the stolen login to access email inboxes, linked cloud storage, internal business tools, and any other service connected to the compromised Microsoft account.

"The invitation is sent by cybercriminals," the Wethersfield Police Department stated in its advisory. Police noted that language like "Final Notice" is specifically engineered to override caution and compel fast action — a hallmark of social engineering.

One detail that makes this attack particularly insidious: Microsoft Outlook can automatically add calendar invitations to a user's schedule the moment the email arrives. Even if the email itself is deleted, the event may remain visible on the calendar, giving the scam a second chance to catch someone off-guard.

What Is 'Quishing' — and Why Should Connecticut Residents Care?

The technique is known in cybersecurity as "quishing" — a combination of "QR code" and "phishing." It has emerged as one of the fastest-growing cyberattack methods because it exploits a gap in many organizations' security infrastructure.

Standard email and endpoint security tools are designed to scan hyperlinks and file attachments for malicious content. Many of those same tools, however, do not analyze the URL encoded within a QR code image — because the code appears to security filters as a picture rather than a link.

By replacing a direct hyperlink with a QR code, attackers route victims to credential-harvesting pages that would otherwise be flagged and blocked. The step of scanning via a mobile phone camera also takes the interaction off a protected workplace computer and onto a personal device, which typically carries fewer security controls.
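Because link scanners may not read the URL inside a QR image, a mail security team can instead flag the shape of the message described above: a calendar invite, pressure wording in the subject, a PDF attachment, and an outside organizer. The sketch below is an added example, not code from the police advisory or any vendor; the function names, the `org_domain` parameter and the sample addresses are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Pressure phrases taken from the subject line quoted in the article.
URGENCY = re.compile(r"final notice|acknowledge?ment required|payroll", re.I)

def triage_invite(raw: bytes, org_domain: str) -> list[str]:
    """Return the reasons a message matches the calendar-quishing pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = list(msg.walk())
    is_invite = any(p.get_content_type() == "text/calendar" for p in parts)
    has_pdf = any(
        p.get_content_type() == "application/pdf"
        or (p.get_filename() or "").lower().endswith(".pdf")
        for p in parts
    )
    if not is_invite:
        return []  # ordinary mail is left to the normal filters
    reasons = []
    if URGENCY.search(str(msg["Subject"] or "")):
        reasons.append("urgent payroll wording on a calendar invite")
    if has_pdf:
        reasons.append("invite carries a PDF, which may hide a QR code")
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0].domain if addrs else ""
    if sender.lower() != org_domain.lower():
        reasons.append(f"organizer is external: {sender or 'unknown'}")
    return reasons

def build_sample(subject: str, sender: str, with_pdf: bool) -> bytes:
    """Construct a sample invite for testing (not a captured message)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "employee@example.org", subject
    m.set_content("Please see the attached notice.")
    ics = ("BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
           f"SUMMARY:{subject}\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
    m.add_attachment(ics.encode(), maintype="text", subtype="calendar",
                     filename="invite.ics")
    if with_pdf:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="notice.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    sample = build_sample("Final Notice: Payroll Acknowledgement Required",
                          "hr-notices@payroll-alerts.example", True)
    print(triage_invite(sample, "example.org"))
```

A message that returns one or more reasons is a candidate for quarantine or a warning banner, and removing the matching calendar entry matters as much as removing the email.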

The scale of the problem is staggering. Cybersecurity firm Keepnet Labs reported that QR-based phishing emails surged from roughly 47,000 in August 2025 to over 249,000 by November 2025. One industry analysis found that quishing attacks have increased by 587% since 2023. Microsoft itself reported blocking approximately 1.5 million quishing attempts per day in 2024.

Connecticut has seen the consequences of phishing at scale. Federal prosecutors in the District of Connecticut announced in early April 2026 that they had recovered more than $600,000 in cryptocurrency stolen through a phishing scam that used a physical letter — a reminder that these attacks are not abstract threats, but ones leading to real financial losses for real people in our state.

How to Protect Yourself

Whether you're in Wallingford, Meriden, Cheshire, North Haven, Middletown, Southington, Hamden, or anywhere else in Connecticut, the guidance is the same:

  • Do not scan QR codes in unsolicited meeting invitations, particularly those referencing payroll, payments, or urgent action.
  • Do not open attachments from unexpected senders or from calendar invitations you did not anticipate.
  • Independently verify any suspicious invitation by contacting the purported sender directly through a known phone number or email — not by replying to the suspicious message.
  • Report suspicious calendar invitations to your organization's IT or cybersecurity team through official channels.
  • Preview the URL before tapping. Most smartphones briefly display the web address after scanning a QR code — read it carefully before proceeding.

As Wethersfield Police summarized: "Stop. Look. Think. And don't be fooled."

Employees in any field who handle payroll systems or human resources functions are especially likely to be targeted, since the scam's subject line is designed to resemble routine payroll administration.

If You Scanned the Code or Entered Credentials

Anyone who scanned the QR code and entered login credentials on a suspicious page should act immediately:

  • Change the compromised password right away and enable multi-factor authentication on all affected accounts, so that a stolen password alone is not sufficient for an attacker to gain access.
  • Notify your employer's IT security team as soon as possible. Attackers may have already accessed internal systems or sensitive data.
  • File a report with the FBI's Internet Crime Complaint Center at ic3.gov, which accepts reports of phishing attacks and online scams from across the country. Local police departments can also take reports of cybercrimes.

Even if you received one of these fake Outlook invitations but did not click or scan anything, reporting the message to your IT department helps security teams track the spread of the campaign and block further attempts.


Got a tip or seen this scam in your community? Reach out to us at tips@thequinnipiacpost.com.
