How QR code phishing exploits the gap between email security and mobile devices
In January 2026, the FBI issued a flash alert about North Korea’s Kimsuky threat group. The advisory wasn’t about zero-day exploits or sophisticated malware. It was about QR codes. According to the bureau, Kimsuky actors had targeted think tanks, academic institutions, and government entities by embedding malicious QR codes in spear-phishing emails. The FBI characterized quishing as “a high-confidence, MFA-resilient identity intrusion vector in enterprise environments.”
The warning reflects a broader shift. Cofense reported a 331 percent year-over-year increase in QR code phishing campaigns, making it one of the fastest-growing attack vectors in enterprise security. The appeal to attackers is structural: QR codes bypass the email security filters that have learned to catch malicious links, and they shift the attack from monitored corporate endpoints to personal mobile devices that sit outside the security perimeter.
How quishing bypasses email security
Traditional phishing defense relies on URL analysis. Security tools scan email content for suspicious links, check domains against reputation databases, and flag known malicious patterns. A QR code is an image. The URL it contains is invisible until someone scans it, which means it bypasses the detection layer entirely.
Sophos learned this firsthand. In late 2024, one of the company’s own employees was compromised through a QR code embedded in a PDF attachment. The email appeared to be a routine Microsoft 365 notification. The QR code directed to a fake login page using adversary-in-the-middle techniques, capturing both the employee’s credentials and MFA token in a single interaction. The attack worked precisely because the malicious URL never appeared in the email body where security tools could analyze it.
This pattern has become common: 12 percent of quishing incidents now involve hiding codes inside PDF or JPEG attachments rather than displaying them directly in emails. The additional layer of obfuscation defeats security tools that might eventually learn to scan inline images.
Why QR codes target mobile devices
The second structural advantage is where the scan happens. When an employee receives a phishing email on a corporate laptop, endpoint detection, DNS filtering, and browser security all have a chance to intervene. QR codes route around this entirely. The user pulls out a personal phone, scans the code, and opens a link on a device with none of those protections.
According to NordVPN, 73 percent of Americans scan QR codes without verification. The mobile experience compounds the risk: URLs are truncated in mobile browsers, and small screens make it harder to spot the differences between a legitimate Microsoft login page and a convincing replica.
Nearly 90 percent of quishing attacks target login credentials, with corporate email systems, cloud storage, and remote access tools among the most common objectives. The FBI noted that Kimsuky’s campaigns specifically targeted senior researchers and policy advisors, using fake conference invitations and document-sharing requests as pretexts.
QR code scams in physical spaces
Quishing also operates in physical space in ways traditional phishing cannot. A malicious sticker placed over a legitimate QR code on a parking meter, restaurant menu, or retail display creates an attack that victims encounter outside any digital security context. The physical presence implies legitimacy.
The Federal Trade Commission issued warnings throughout 2024 and 2025 about fake QR codes appearing on parking payment kiosks and package delivery notices. One retail chain discovered that scammers had placed fake stickers at 200 store locations during a holiday campaign. Within 48 hours, legitimate scans dropped 15 percent and the company spent $2.3 million on damage control before accounting for lost sales.
C-level executives face disproportionate targeting. Research from Abnormal Security found that executives are 42 times more likely to receive quishing emails than average employees, suggesting attackers view QR codes as particularly effective for high-value targets scanning quickly between meetings.
How attackers evade QR code detection
As security vendors develop QR code detection, attackers have responded. Barracuda threat analysts documented a technique from the Gabagool phishing-as-a-service platform that splits QR codes into two separate images. When security tools scan the email, they see two distinct and benign-looking images rather than one complete code. Only when rendered together in the email client does the QR code become functional and scannable.
The cat-and-mouse dynamic mirrors the broader evolution of phishing infrastructure, but QR codes provide less surface area for analysis than traditional URLs. There’s no domain to check against reputation databases, no link text to analyze for suspicious patterns. The entire payload is encoded in pixels.
Defending against quishing attacks
Addressing quishing requires capabilities most organizations haven’t deployed: email security with computer vision that can detect QR codes in images and attachments, decode the URLs they contain, and correlate that analysis with threat intelligence. It also requires extending visibility to the mobile devices employees use to scan codes, even when those devices aren’t corporate-managed.
As Rob Lee, chief of research at the SANS Institute, told CNBC: “QR codes weren’t built with security in mind, they were built to make life easier, which also makes them perfect for scammers.”
The Bottom Line
Organizations using QR codes in legitimate communications should implement branded, HTTPS-verified domains. Takedown processes need to account for physical fraud, coordinating with facilities teams to identify and remove malicious stickers. When a nation-state threat group adopts a tactic, the window for treating it as an emerging threat has closed.
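The defensive capability described above has two halves: decoding the QR image, and then analysing the URL it yields the way a mail filter would analyse a link in text. The block below, added here as an example and not code from the article or from any vendor it names, shows the second half. It assumes a separate decoder (pyzbar or zxing, for instance) has already produced the raw payload strings, and the allowlists of owned domains, brand domains, redirectors and login-path words are constructed for the example rather than taken from the article.

```python
"""Triage of URLs decoded from QR codes found in email images and attachments.

Added example. Assumes a QR decoder has already turned each image into a
payload string; this module only scores the payload. All lists are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlists. A real deployment would load these from the
# organization's asset inventory and a threat-intelligence feed.
ORG_DOMAINS = {"example.com"}                      # domains the organization owns
BRAND_DOMAINS = {"microsoft.com", "office.com", "live.com", "sharepoint.com"}
BRAND_KEYWORDS = ("microsoft", "office365", "sharepoint", "onedrive", "docusign")
REDIRECTORS = {"bit.ly", "tinyurl.com", "t.co"}    # shorteners that hide the final host
LOGIN_PATH_WORDS = ("login", "signin", "sign-in", "auth", "verify", "sso", "password")


@dataclass
class Verdict:
    payload: str
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def _under(host: str, domains: set[str]) -> bool:
    """True if host equals one of `domains` or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_payload(payload: str) -> Verdict:
    """Score one decoded QR payload and record why it looks like a lure."""
    v = Verdict(payload.strip())
    parts = urlsplit(v.payload)
    if parts.scheme not in ("http", "https"):
        # wifi:, mailto:, vCard or plain text: not a web lure, but surface it.
        v.findings.append(f"non-web payload scheme '{parts.scheme or 'none'}'")
        return v
    host = (parts.hostname or "").lower()
    if not host:
        v.findings.append("URL has no host")
        return v
    trusted = _under(host, ORG_DOMAINS) or _under(host, BRAND_DOMAINS)

    if parts.scheme != "https":
        v.findings.append("plain HTTP, not HTTPS")
    if "@" in parts.netloc:
        # "brand.com@attacker" renders as the brand on a phone's truncated URL bar
        v.findings.append(f"userinfo before '@' in authority (real host is {host})")
    if _is_ip_literal(host):
        v.findings.append("IP-literal host")
    if any(label.startswith("xn--") for label in host.split(".")):
        v.findings.append("punycode (IDN) host label")
    if _under(host, REDIRECTORS):
        v.findings.append("URL shortener/redirector hides final destination")
    if not trusted and any(k in host for k in BRAND_KEYWORDS):
        v.findings.append("brand keyword in host that is not the brand's domain")
    path_and_query = (parts.path + "?" + parts.query).lower()
    if not trusted and any(w in path_and_query for w in LOGIN_PATH_WORDS):
        v.findings.append("credential-style path on untrusted host")
    nested = (val for vals in parse_qs(parts.query).values() for val in vals)
    if any(val.lower().startswith(("http://", "https://")) for val in nested):
        v.findings.append("nested URL in query string (open-redirect pattern)")
    return v


def triage_batch(payloads: list[str]) -> dict[str, list[str]]:
    """Map each decoded payload to its findings (empty list means clean)."""
    return {p: triage_qr_payload(p).findings for p in payloads}


# Constructed sample payloads, as a decoder might return them from inline images.
SAMPLE_PAYLOADS = [
    "https://login.example.com/sso",
    "https://microsoft-365-verify.com/login",
    "http://192.168.1.10/auth",
    "https://bit.ly/3xyz",
    "https://example.com/redirect?url=https://evil.example/login",
    "https://microsoft.com@evil.example/verify",
    "WIFI:T:WPA;S:guest;P:secret;;",
]

if __name__ == "__main__":
    for payload, findings in triage_batch(SAMPLE_PAYLOADS).items():
        print(payload, "->", findings or "clean")
```

The checks deliberately mirror what URL filters already apply to links in message text, because the article's point is that the only thing a QR code changes is where the URL is hidden; once decoded, the same reputation and lookalike logic applies. The `trusted` flag keeps login paths on the organization's own SSO domain from being flagged, which is what the "branded, HTTPS-verified domains" recommendation buys a defender.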
Key Takeaways
QR code phishing uses malicious codes to redirect victims to credential harvesting sites. Cofense reported a 331% year-over-year increase because QR codes bypass email security filters and shift attacks to unprotected mobile devices.
The malicious URL is encoded in an image, invisible to security tools that scan email text. When employees scan with personal phones, they leave the corporate security perimeter entirely.
C-level executives are 42 times more likely to receive quishing emails than average employees. Nation-state actors including North Korea’s Kimsuky group now use the technique against policy researchers and government advisors.
Defenses include email security with computer vision and QR code analysis, mobile device visibility, branded domains for legitimate organizational QR codes, and physical security checks for public-facing codes.