Quishing in 2026: How the FBI Warning Changed QR Code Security (And What Businesses Must Do Now)
The FBI's January 2026 warning confirmed it: quishing attacks surged 5x in 2025. Learn what quishing is, see the latest attack stats, and get the exact steps your business needs to protect customers from QR code phishing scams.
On January 8, 2026, QR Codes Became a National Security Issue
The FBI doesn't issue Flash Advisories for minor threats. So when Advisory AC-000001-MW landed on January 8, 2026, naming North Korean state-sponsored hackers from the Kimsuky group as active perpetrators of QR code phishing attacks against U.S. organizations, the message was unambiguous. QR code-based phishing (called "quishing") had graduated from a nuisance scam to a weapon deployed by nation-state intelligence services.
This wasn't a theoretical risk assessment. The FBI documented active campaigns where Kimsuky operatives embedded malicious QR codes in spear-phishing emails targeting think tank researchers, government contractors, and policy analysts. The goal was credential theft, giving North Korean hackers access to sensitive accounts and classified networks.
The timing matters. The FBI warning arrived at the tail end of a period where quishing attacks had already surged 5x between August and November 2025, according to data from Cofense. By late 2025, 12% of all phishing emails contained a QR code. The attack vector that security teams had been dismissing as "low priority" had become the fastest-growing phishing technique on the planet.
If your business deploys QR codes on menus, packaging, signage, marketing materials, or anywhere customers interact with them, this article is for you. Not because your customers are targets of North Korean intelligence (probably), but because the same techniques that Kimsuky uses are now standard tools for every low-level scammer with a printer and a sticker.
Here's what quishing is, how bad it's gotten, and exactly what your business needs to do about it.
What Is Quishing?
Quishing is phishing delivered through a QR code instead of a traditional hyperlink. The term combines "QR" and "phishing." An attacker creates a QR code that directs the person scanning it to a fraudulent website designed to steal login credentials, payment information, or personal data. The QR code itself is harmless. The danger lies entirely in the destination it points to.
What makes quishing more dangerous than traditional phishing is the opacity of the delivery mechanism. When you receive an email with a suspicious link, you can hover over it and see the URL before clicking. When you see a QR code, you have no idea where it leads until you scan it. Most people scan first and evaluate later, if they evaluate at all.
How Quishing Differs from Traditional Phishing
Traditional phishing relies on clickable text links in emails, SMS messages, or web pages. Email security filters have gotten remarkably good at detecting these. They parse URLs, check domains against blocklists, analyze link behavior in sandboxed environments, and flag suspicious patterns before the message ever reaches your inbox.
QR codes bypass all of that. A QR code in an email is just an image. Most email filters don't decode images to check the embedded URLs. The actual link resolution happens on the victim's personal phone, which typically sits outside the organization's security perimeter. This is why security researchers at Cofense found that quishing emails reach inboxes at significantly higher rates than traditional phishing emails.
The FBI Warning That Changed Everything
What the FBI Flash Advisory Said
FBI Flash Advisory AC-000001-MW, published January 8, 2026, identified the North Korean cyber threat group Kimsuky (also known as APT43, Velvet Chollima, and Emerald Sleet) as conducting active QR code phishing campaigns against U.S.-based targets.
The advisory detailed how Kimsuky operatives crafted convincing spear-phishing emails impersonating trusted contacts. These emails contained QR codes that, when scanned, directed victims to credential-harvesting pages mimicking legitimate login portals. The phishing pages captured usernames, passwords, and in some cases multi-factor authentication tokens.
The FBI specifically warned that these campaigns targeted individuals involved in North Korea policy, nuclear security, and sanctions enforcement. But the techniques described are not sophisticated or unique to state actors. Any attacker can replicate this approach.
Who Is Kimsuky and Why Should Businesses Care?
Kimsuky has operated since at least 2012, primarily conducting intelligence-gathering operations for the North Korean government. They've historically targeted South Korean government entities, but in recent years expanded operations to the United States, Europe, and Japan.
The significance for businesses isn't that Kimsuky will target your restaurant or retail store. It's that a nation-state intelligence service validated QR code phishing as an effective attack vector worth investing resources in. When state-sponsored hackers adopt a technique, criminal groups follow. The tools and playbooks developed for intelligence operations inevitably filter down to financially motivated attackers.
Within weeks of the FBI advisory, security researchers documented a measurable increase in commodity quishing kits available on dark web marketplaces. The FBI warning served as both a threat alert and, unintentionally, an advertisement for the technique's effectiveness.
The Attack Chain From QR Code to Credential Theft
A typical quishing attack follows a predictable pattern.
Step 1. The attacker creates a fraudulent website that closely mimics a legitimate login page. This could be a fake Microsoft 365 portal, a bank login, a payment processor, or any service the target uses.
Step 2. The attacker generates a QR code pointing to the fraudulent URL. In more sophisticated attacks, the QR code first routes through a redirect chain to evade URL scanners.
Step 3. The QR code is delivered to the target. Delivery methods include phishing emails with embedded QR code images, physical stickers placed over legitimate QR codes in public spaces, fake parking tickets or municipal notices, and printed flyers or advertisements.
Step 4. The victim scans the QR code with their phone, lands on the fake page, and enters their credentials. The attacker harvests the credentials in real time and often uses them immediately.
The entire process takes less than 60 seconds from scan to compromise.
Quishing by the Numbers
The data from 2025-2026 tells a story of exponential growth.
| Metric | Value | Source |
|---|---|---|
| QR code phishing increase (YoY) | 331% | Cofense |
| Quishing surge, Aug-Nov 2025 | 5x increase | Cofense |
| Phishing emails containing QR codes | 12% of all phishing | Keepnet Labs |
| QR phishing emails detected (Q3 2025) | 249,000+ (up from 47,000 in Q3 2024) | Hoxhunt |
| Executives targeted vs. average employees | 42x more likely | Keepnet Labs |
| Attacks targeting mobile devices | 68% | Industry aggregate |
| Attacks aimed at credential theft | 90% | Palo Alto Unit 42 |
| Average cost of a successful QR code breach | $2.4 million | IBM |
The 5x Surge Between August and November 2025
Cofense's threat intelligence team tracked a 5x increase in quishing attacks during the four-month period from August to November 2025. This wasn't a gradual climb. It was a spike driven by the proliferation of quishing-as-a-service kits and the realization among criminal groups that QR codes bypass email security at much higher rates than traditional links.
The volume of QR code phishing emails detected jumped from roughly 47,000 per quarter in mid-2024 to over 249,000 per quarter by late 2025. For context, Cofense also reported a 331% year-over-year increase in QR code phishing campaigns across their customer base.
Executives Are Targeted 42x More Than Average Employees
Quishing attacks are not distributed equally across organizations. Keepnet Labs' analysis found that C-suite executives and senior leadership are 42 times more likely to receive a quishing email than the average employee. This makes sense from the attacker's perspective. Executive credentials provide access to financial systems, strategic plans, and sensitive communications. A compromised CEO email account is orders of magnitude more valuable than a compromised intern account.
This targeting pattern has implications for QR code deployment, too. If your company uses QR codes in executive communications, board materials, or leadership-facing documents, those codes become attractive targets for tampering.
90% of Attacks Target Credentials
Palo Alto Networks' Unit 42 research found that roughly 90% of quishing attacks aim to steal login credentials rather than deliver malware. This aligns with the broader trend in cybercrime toward credential harvesting and account takeover as the primary monetization strategy.
The remaining 10% includes malware delivery, cryptocurrency wallet draining, and social engineering schemes that use the QR code as an initial trust-building mechanism before escalating to more complex fraud.
Real-World Quishing Attack Examples
Parking Meter QR Code Scams
The most widely reported quishing scam in the United States involves fake QR codes placed on parking meters. Cities including Austin, Houston, New York City, and Redondo Beach have documented cases where scammers placed sticker QR codes over legitimate payment codes on parking meters. Drivers scanning the code to pay for parking were redirected to fraudulent payment pages that captured their credit card information.
Austin, Texas was among the first cities to publicize the problem in 2022, and the scam has since spread nationwide. The FBI issued a separate advisory about parking meter QR scams in July 2025, noting that the attack requires nothing more than a printer, adhesive paper, and a fraudulent payment page.
The parking meter scam is instructive because it demonstrates the core vulnerability of physical QR codes. The person scanning has no way to verify authenticity without closely inspecting the code's physical placement, and most people don't.
Restaurant Menu QR Code Tampering
Restaurants that adopted QR code menus during the pandemic face a specific vulnerability. A scammer can place a transparent sticker containing a malicious QR code directly over a restaurant's legitimate menu code. Diners scan the tampered code expecting to see the menu and instead land on a phishing page or a fraudulent payment portal.
Several cases have been documented where attackers printed QR code stickers designed to match the visual style of the restaurant's existing codes, making detection extremely difficult for staff or customers.
This attack vector is particularly relevant for any business that deploys QR codes in unattended physical locations. If nobody is watching the QR code, nobody will notice when it gets swapped.
Fake Package QR Codes
The FBI's July 2025 advisory also highlighted QR codes placed on fake delivery notices. Scammers leave notices on doors or in mailboxes claiming a package delivery was missed and instructing the recipient to scan a QR code to reschedule delivery. The code leads to a credential harvesting page.
This attack exploits the expectation that legitimate delivery services use QR codes, which many now do. The victim has no way to distinguish a legitimate FedEx or UPS notification from a fraudulent one without verifying the URL after scanning.
Email-Based QR Code Phishing
The highest-volume quishing attack type involves QR codes embedded directly in phishing emails. The attacker sends an email mimicking a trusted service (Microsoft 365, DocuSign, a company HR portal) and instead of including a clickable link, embeds a QR code with instructions like "Scan to verify your identity" or "Scan to access your document."
This approach exploits a specific behavior gap. When you receive a phishing email at your desk, you interact with it on your computer, which typically has enterprise security tools installed. When you scan a QR code from that email, you switch to your personal phone, which usually has none of those protections. The QR code serves as a bridge from a protected environment to an unprotected one.
Why Traditional Security Doesn't Stop Quishing
Enterprise email security has become extraordinarily effective against traditional phishing. Microsoft, Google, Proofpoint, Mimecast, and dozens of other vendors analyze email content, parse URLs, sandbox suspicious links, and apply machine learning models to detect phishing patterns. These tools catch the vast majority of link-based phishing attempts.
QR codes exploit a fundamental blind spot. Email security tools process text and URLs. A QR code is an image. While some advanced email security platforms have begun adding QR code decoding capabilities, most still treat QR code images the same as any other embedded image. The malicious URL inside the QR code passes through unexamined.
Even when an email security tool detects a QR code, the resolution happens on the user's phone. The phone operates outside the organization's security perimeter. There's no DNS filtering, no web proxy, no endpoint detection and response (EDR) agent inspecting the URL on the employee's personal iPhone. The entire security architecture that protects the desktop environment evaporates the moment the user picks up their phone.
This is why QR code security fundamentals have become an essential topic for any business that deploys or encounters QR codes. The threat isn't going away, and the existing security stack wasn't built to handle it.
The 8-Point Quishing Defense Plan Every Business Needs Now
Every article about quishing tells individuals to "be careful what you scan." That advice is fine for consumers, but it's useless for businesses that deploy QR codes. You can't tell your customers to distrust QR codes while simultaneously asking them to scan yours.
If you're a business that puts QR codes into the world, on menus, packaging, signage, marketing materials, or event badges, your job is to make your codes trustworthy and to make it obvious when they've been tampered with. Here's how.
1. Use Dynamic QR Codes, Not Static Ones
A static QR code encodes a destination URL directly into the code pattern. Once printed, it can never be changed, deactivated, or monitored. If a scammer places a sticker over your static code, you have no way to know it's happening. You can't see scan data. You can't deactivate the original code. You can't redirect legitimate scans to a warning page.
A dynamic QR code encodes a short redirect URL instead. The actual destination is controlled server-side. This gives you three critical security advantages. You can monitor scan activity in real time and detect anomalies. You can instantly deactivate a compromised code. You can update the destination without reprinting.
Dynamic QR codes are the single most important security upgrade a business can make. Static codes are printed-and-forgotten. Dynamic codes are monitored assets.
2. Brand Your QR Codes with Your Logo and Colors
A generic black-and-white QR code is trivially easy to replicate. A scammer with any free QR code generator can produce an identical-looking code in seconds. There's nothing for the customer to verify.
A branded QR code with your logo and brand colors is significantly harder to counterfeit convincingly. Your customers learn to associate your visual brand with your QR codes. When they encounter a plain black-and-white code where they expect to see your branded design, it triggers suspicion.
This isn't theoretical. Research from Deakin University, published in January 2026, specifically examined whether styled and branded QR codes provide a defense against phishing. The finding was that branded codes increase user trust in legitimate codes while simultaneously making fraudulent codes more conspicuous.
Branding your QR codes isn't just a marketing decision. It's a security measure.
3. Monitor QR Code Analytics for Anomalies
If you're using dynamic QR codes with scan tracking and analytics, you have a built-in early warning system. Normal scan patterns have predictable characteristics. Your restaurant menu codes get scanned during lunch and dinner hours. Your product packaging codes get scanned from locations where your product is sold. Your event codes get scanned during the event.
When a QR code's scan pattern suddenly deviates, something may be wrong. Watch for unexpected geographic clusters (scans from a country where you don't operate), unusual time patterns (a restaurant menu code being scanned at 3 AM), sudden volume spikes that don't correlate with any marketing activity, and a high ratio of scans to unique scanners (which could indicate automated scanning by attackers testing the code).
Most businesses never look at this data. Start looking. Anomaly detection is one of the most underutilized defenses against QR code tampering.
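The four signals listed above can be checked mechanically against exported scan data. The following is an added example, not code from any QR platform: the event format, the `Profile` fields, the thresholds, and the sample events are all constructed assumptions, and timestamps are assumed to be in the local time of the code's placement.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Profile:
    """Expected behaviour of one dynamic QR code (every value is an assumption)."""
    countries: frozenset          # countries where the business operates
    open_hour: int                # first local hour in which scans are expected
    close_hour: int               # first local hour after closing (open < close)
    typical_hourly: float         # normal number of scans per hour
    spike_factor: float = 5.0     # multiple of typical_hourly that counts as a spike
    max_scans_per_scanner: float = 4.0


def analyse(events, profile):
    """events: iterable of (iso_timestamp, country, scanner_id).

    Returns a dict mapping each triggered signal to its supporting detail;
    an empty dict means nothing deviated from the profile.
    """
    events = [(datetime.fromisoformat(ts), c, s) for ts, c, s in events]
    flags = {}
    if not events:
        return flags

    # 1. Unexpected geographic clusters.
    foreign = Counter(c for _, c, _ in events if c not in profile.countries)
    if foreign:
        flags["unexpected_country"] = dict(foreign)

    # 2. Unusual time patterns (scans outside operating hours).
    off = [t for t, _, _ in events
           if not (profile.open_hour <= t.hour < profile.close_hour)]
    if off:
        flags["off_hours"] = len(off)

    # 3. Volume spikes, measured per clock hour.
    per_hour = Counter(t.replace(minute=0, second=0, microsecond=0)
                       for t, _, _ in events)
    limit = profile.typical_hourly * profile.spike_factor
    spikes = {h.isoformat(): n for h, n in per_hour.items() if n > limit}
    if spikes:
        flags["volume_spike"] = spikes

    # 4. High ratio of scans to unique scanners (possible automated scanning).
    ratio = len(events) / len({s for _, _, s in events})
    if ratio > profile.max_scans_per_scanner:
        flags["scan_to_scanner_ratio"] = round(ratio, 2)
    return flags


# Constructed profile for a restaurant menu code.
PROFILE = Profile(countries=frozenset({"US"}), open_hour=11, close_hour=23,
                  typical_hourly=3)

# Constructed sample data: an ordinary day of lunch and dinner scans ...
NORMAL = [
    ("2026-02-03T12:05:00", "US", "a1"),
    ("2026-02-03T12:40:00", "US", "b2"),
    ("2026-02-03T13:10:00", "US", "c3"),
    ("2026-02-03T19:15:00", "US", "d4"),
    ("2026-02-03T19:50:00", "US", "a1"),
]
# ... followed by a 3 AM burst from two scanner ids in a placeholder country "ZZ".
SUSPICIOUS = NORMAL + [
    (f"2026-02-04T03:{m:02d}:00", "ZZ", f"bot{m % 2}") for m in range(40)
]

if __name__ == "__main__":
    print(analyse(NORMAL, PROFILE))
    print(analyse(SUSPICIOUS, PROFILE))
```

Any single signal is only a prompt to inspect the placement; several firing together on one code is a stronger reason to deactivate it first and investigate afterwards.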
4. Enable Instant Deactivation Capability
When you discover that a QR code has been compromised (or even suspect it), you need to kill it immediately. With dynamic QR codes, deactivation takes seconds. The redirect stops working, and anyone scanning the compromised code gets an error page or a redirect to a warning message.
With static QR codes, deactivation is impossible. The URL is baked into the code pattern. Your only option is to physically remove every printed instance of the code, which is impractical for any code deployed at scale.
Build a response plan that includes specific steps for who can deactivate codes, how quickly deactivation should happen, and what message compromised codes should redirect to. Treating this like an incident response protocol, rather than an afterthought, cuts the damage window from days to minutes.
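The server-side behaviour described in points 1 and 4 (a short code whose destination can be changed or switched off without reprinting) can be sketched as a small redirect registry. This is an added example, not the code of any QR platform: the class, method names, and URLs are hypothetical, and a real service would persist state and restrict who may call `deactivate`.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed page shown to anyone who scans a code that has been switched off.
WARNING_URL = "https://qr.example.com/compromised"


@dataclass
class Code:
    destination: str
    active: bool = True
    scans: list = field(default_factory=list)   # scanner addresses, for analytics


class Registry:
    """In-memory stand-in for the redirect table behind dynamic QR codes."""

    def __init__(self):
        self._codes = {}

    @staticmethod
    def _require_https(url):
        # Point 5 of the plan: never point a code at a non-HTTPS landing page.
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"destination must be an absolute https URL: {url!r}")

    def create(self, code_id, destination):
        self._require_https(destination)
        self._codes[code_id] = Code(destination)

    def retarget(self, code_id, destination):
        """Change where a printed code leads without reprinting it."""
        self._require_https(destination)
        self._codes[code_id].destination = destination

    def deactivate(self, code_id):
        """Incident response: takes effect on the next scan."""
        self._codes[code_id].active = False

    def resolve(self, code_id, scanner_ip):
        """Return (HTTP status, Location) for one scan of the short URL."""
        code = self._codes.get(code_id)
        if code is None:
            return 404, None
        # Keep logging after deactivation so exposure can be measured later.
        code.scans.append(scanner_ip)
        if not code.active:
            return 302, WARNING_URL
        return 302, code.destination

    def scan_count(self, code_id):
        return len(self._codes[code_id].scans)


if __name__ == "__main__":
    reg = Registry()
    reg.create("menu-07", "https://menu.example.com/lunch")
    print(reg.resolve("menu-07", "198.51.100.7"))
    reg.deactivate("menu-07")
    print(reg.resolve("menu-07", "198.51.100.8"))
```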
5. Use HTTPS-Only Landing Pages
Every URL behind your QR codes should use HTTPS. This is non-negotiable in 2026. HTTPS ensures the connection between the scanner's phone and your server is encrypted and that the certificate verifies your domain identity.
More importantly, modern mobile browsers display a clear warning when a user navigates to an HTTP page. If your legitimate QR code points to an HTTP URL, you're training your customers to ignore security warnings, which makes them more vulnerable to phishing pages that also lack HTTPS.
If your QR codes point to pages without HTTPS, fix this before doing anything else on this list.
6. Audit Physical QR Code Placements Regularly
Physical QR code tampering requires physical access. A sticker placed over your code at a restaurant table, parking meter, or retail display is the simplest and most common quishing attack in the physical world.
Establish a regular audit schedule. Train front-of-house staff at restaurants to inspect table codes at the start of each shift. Have retail managers check in-store QR displays weekly. If you deploy QR codes on outdoor signage or in public spaces, schedule monthly physical inspections.
During an audit, look for stickers or overlays on top of your printed codes, codes that appear slightly misaligned or different from the original, changes in code color or resolution compared to your standard, and any code that scans to a URL different from what you expect.
A five-minute daily check costs nothing and catches the most common physical attack.
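The last audit item, a code that scans to a URL different from what you expect, is the one check that can be automated: staff scan each placement and the decoded URL is compared against an inventory. The following is an added example, not part of the original article; the inventory, placement names, and domains are constructed, and the comparison rules are one reasonable choice rather than a standard.

```python
from urllib.parse import urlsplit

# Constructed inventory: placement -> URL the printed code must decode to.
INVENTORY = {
    "table-07": "https://qr.example.com/r/menu-07",
    "front-door": "https://qr.example.com/r/hours",
}


def audit_scan(placement, scanned_url, inventory=INVENTORY):
    """Compare a URL decoded during an audit with the inventory entry.

    Returns a list of findings; an empty list means the code matches.
    """
    expected = inventory.get(placement)
    if expected is None:
        return ["placement not in inventory"]
    want, got = urlsplit(expected), urlsplit(scanned_url.strip())
    findings = []

    # HTTPS-only landing pages (point 5 of the plan).
    if got.scheme.lower() != "https":
        findings.append(f"scheme is {got.scheme or 'missing'!r}, expected 'https'")

    # Text before '@' is userinfo, not the host, even if it looks like a domain.
    if got.username is not None or got.password is not None:
        findings.append(f"URL carries userinfo before '@'; real host is {got.hostname!r}")

    # urlsplit lowercases the hostname; also ignore a trailing root dot.
    host = (got.hostname or "").rstrip(".")
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        findings.append(f"internationalised host {host!r}: possible lookalike")
    if host != (want.hostname or "").rstrip("."):
        findings.append(f"host {host!r} differs from {want.hostname!r}")

    try:
        port = got.port
    except ValueError:          # malformed or out-of-range port
        port = -1
    if port not in (None, 443):
        findings.append("non-default port")

    if got.path != want.path or got.query != want.query:
        findings.append("path or query differs from the printed code")
    return findings


if __name__ == "__main__":
    # Constructed audit results: one intact code, one sticker overlay.
    for url in ("https://qr.example.com/r/menu-07",
                "https://menu.example.org/r/menu-07"):
        print(url, "->", audit_scan("table-07", url) or "OK")
```

Record every non-empty result together with the placement and time of the audit, so a swapped sticker can be correlated with the scan analytics for the same code.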
7. Train Employees on QR Code Security
Your employees are both targets of quishing and your first line of defense against physical QR code tampering. They need to understand both sides.
For quishing awareness (employees as targets), train staff to verify URLs after scanning any QR code before entering credentials. Make it policy to never scan QR codes received in unexpected emails. Provide a reporting channel for suspicious QR codes received via email or physical mail.
For tampering detection (employees as defenders), show staff what your legitimate QR codes look like so they can spot fakes. Include QR code inspection in opening/closing procedures for customer-facing locations. Create a clear escalation path for reporting suspected tampering.
Most employee security training programs cover email phishing in detail but barely mention QR codes. Update your training to match the current threat landscape.
8. Establish a QR Code Security Policy
Formalize your organization's approach to QR code security with a written policy. This doesn't need to be a 50-page document. A one-page policy covering the essentials will put you ahead of 95% of businesses.
Your policy should specify which QR code platform is approved for company use (and prohibit free QR code generators that lack security features). It should define who has permission to create and deploy QR codes on behalf of the company. It should require dynamic codes for any customer-facing deployment. It should mandate branding standards for all company QR codes. It should establish an audit schedule for physical placements. And it should define the incident response process for compromised codes.
A policy transforms security from ad hoc to systematic. It also protects the company legally if a quishing incident occurs, since you can demonstrate due diligence.
How QR Code Generators Can Help (Or Hurt) Your Security
Not all QR code platforms are built with security in mind. The cheapest and most common approach to QR code generation involves free tools that create static codes with no tracking, no branding, and no ability to modify or deactivate after creation. These tools are fine for personal use. For businesses deploying QR codes that customers will trust with their attention and potentially their data, they're a liability.
When choosing a secure QR code generator, evaluate the platform against these security criteria.
Dynamic code support. Can you edit the destination URL after printing? Can you deactivate the code remotely? Without dynamic codes, you have zero post-deployment control.
Branding and customization. Can you add your logo, brand colors, and custom styling to the code? Branded codes are harder to spoof and build customer trust.
Analytics and monitoring. Does the platform provide real-time scan data including location, device, time, and scan volume? This data is your anomaly detection system.
HTTPS redirect infrastructure. Does the platform use HTTPS for all redirect URLs? Any platform that uses HTTP redirects is creating a security vulnerability for every code it generates.
Instant deactivation. Can you kill a code in seconds if it's compromised? If deactivation requires contacting support and waiting for a ticket, you'll lose precious time during an incident.
QR Insights was designed with these capabilities as core features, not add-ons. Every QR code created on the platform is dynamic by default, supports full brand customization, includes real-time scan analytics, routes through HTTPS infrastructure, and can be deactivated instantly from the dashboard. These aren't premium security features locked behind an enterprise tier. They're how we think every QR code should work.
Frequently Asked Questions About Quishing
What is quishing and how does it work?
Quishing is a phishing attack delivered via a QR code rather than a traditional text link. The attacker creates a QR code that directs the scanner to a fraudulent website, typically one designed to steal login credentials or payment information. The term combines "QR" and "phishing." QR codes are particularly effective for phishing because the encoded URL is invisible to the scanner until after they've scanned it, and because QR codes bypass most email security filters.
What did the FBI warn about QR codes in 2026?
On January 8, 2026, the FBI published Flash Advisory AC-000001-MW warning that the North Korean state-sponsored hacking group Kimsuky was actively using malicious QR codes in spear-phishing campaigns targeting U.S. organizations. The advisory specifically identified QR codes embedded in phishing emails as the delivery mechanism for credential-harvesting attacks aimed at think tank researchers, government contractors, and policy analysts.
How can I tell if a QR code is safe before scanning?
Before scanning any QR code, check for physical signs of tampering such as stickers placed over original codes, misalignment, or different print quality. After scanning, preview the URL your phone shows before navigating to it. Look for HTTPS, verify the domain matches the expected source, and be suspicious of URL shorteners or unfamiliar domains. If a QR code directs you to a login page you didn't expect, do not enter your credentials.
What is the difference between quishing and phishing?
Phishing is the broad category of attacks that trick people into revealing sensitive information through deceptive communications. Quishing is a specific type of phishing where the malicious link is delivered via a QR code image instead of a clickable text hyperlink. The key difference is the delivery mechanism. Clickable links can be inspected before clicking and are caught by email filters. QR codes hide their destination and bypass most email security tools.
How can businesses protect their customers from quishing?
Businesses that deploy QR codes should use dynamic codes (which can be monitored and deactivated), brand all codes with logos and brand colors (making counterfeits more obvious), monitor scan analytics for unusual patterns, audit physical QR code placements regularly, and use only HTTPS landing pages. Establishing a formal QR code security policy and training customer-facing staff to detect tampering are also essential steps.
Can a QR code give your phone a virus?
A QR code itself is inert data and cannot directly infect your device. However, scanning a malicious QR code can redirect you to a website that attempts to download malware, exploit browser vulnerabilities, or trick you into installing a malicious app. The risk is in the destination the QR code points to, not in the code itself. Keeping your phone's operating system and browser up to date is your primary defense against exploit-based attacks.
Are QR codes still safe to use for business in 2026?
Yes. QR codes remain a secure and effective business tool when deployed responsibly. The threat from quishing doesn't come from QR code technology itself but from how codes are created and managed. Businesses that use dynamic QR codes with branding, analytics, and deactivation capabilities face significantly lower risk than those using unmanaged static codes from free generators. The key is treating QR codes as managed digital assets rather than disposable print elements.
QR Codes Aren't Going Away. Attackers Aren't Either.
The FBI's January 2026 warning marked a turning point. Quishing is no longer a niche concern for cybersecurity teams. It's a mainstream threat that affects every business putting QR codes in front of customers.
The 5x surge in attacks, the 331% year-over-year growth, the 42x targeting disparity for executives, and the entry of state-sponsored actors into the space all point in the same direction. QR code security is now a business requirement, not an IT afterthought.
But the response isn't to stop using QR codes. Over 102 million Americans scan QR codes regularly. The technology delivers real value for businesses and customers alike. The response is to deploy QR codes responsibly, with dynamic links, branded designs, active monitoring, and a clear incident response plan.
The businesses that take QR code security seriously now will be the ones that maintain customer trust as quishing awareness grows. The ones that don't will learn the hard way that a tampered QR code doesn't just compromise a customer. It compromises your brand.
Start with the 8-point defense plan above. Audit your existing QR code deployments. Replace static codes with dynamic ones. Brand everything. Monitor everything. And treat your QR codes like what they are: direct connections between your business and your customers that deserve to be protected.