The Federal Bureau of Investigation has issued a warning about a growing cyber threat that turns everyday QR codes into spying tools. According to the agency, a North Korean government-sponsored hacking group is using a tactic known as quishing to target people in the United States. The goal is simple. Trick you into scanning a QR code that sends you to a malicious website. From there, attackers can steal login credentials, install malware or quietly collect device data.
What quishing is and why it works
Quishing is short for QR code phishing. Instead of clicking a suspicious link in an email, the victim scans a QR code that hides the real destination. QR codes themselves are harmless. The danger lies in the link embedded inside them. Once scanned, the link can redirect users to fake login pages, malware downloads or tracking sites. Because QR codes feel familiar and fast, many people scan them without thinking twice. That split second of trust is exactly what attackers rely on.
Who is behind the attacks
The FBI says the activity is tied to a hacking group known as Kimsuky. The group has operated for years as a cyber espionage arm for North Korea. What is new is the delivery method. According to the FBI, the QR code-based attacks began in May 2025. In one example, attackers posed as a foreign policy advisor and emailed a think tank leader with a QR code that linked to a fake questionnaire. Scanning the code sent the victim to a malicious site designed to harvest information.
What happens after you scan the QR code
Once a victim lands on one of these sites, several things can happen. Some pages prompt users to download files that contain malware. Others mimic mobile login portals for popular services such as Okta, Microsoft 365, or VPN services. Even if no form is filled out, the site can still collect device details. That includes IP address, operating system, browser type and approximate location. Over time, that data helps attackers build intelligence profiles on their targets.
Why QR code phishing attacks are highly targeted
The FBI describes these campaigns as spear phishing rather than mass spam. That means the emails are crafted for specific individuals. The language context and sender details are tailored to look relevant and credible. When an email feels personal, people are more likely to trust it. That is why these attacks are especially dangerous for professionals, researchers, executives and anyone working in policy or technology.
Why QR code phishing threats are growing
QR codes are everywhere now. Restaurants, parking meters, event tickets and ads all rely on them. As their use grows, so does the opportunity for abuse. Attackers know people are conditioned to scan without hesitation. That makes caution more important than ever.
Ways to stay safe from QR code phishing
The FBI says one of the best defenses against quishing is slowing down. QR codes remove the visual clues people rely on, so a few extra checks can make a big difference.
1) Be cautious with unexpected QR codes
Treat QR codes like links in emails. If you did not expect it, do not scan it. QR codes sent by email, text or messaging apps are a common entry point for quishing attacks. Criminals rely on curiosity and urgency to push you into scanning without thinking.
2) Verify the source before scanning
Always confirm who sent the QR code. If a message claims to come from a coworker, vendor or organization, reach out through a separate channel before scanning. A quick call or direct message can stop a phishing attempt cold.
3) Never enter logins after scanning a QR code
QR code phishing often leads to fake mobile login pages. Attackers mimic sign-in screens for email, VPNs and cloud services to steal usernames and passwords. If a QR code takes you to a login page, close it and visit the site manually instead.
4) Inspect the website URL carefully
Once a QR code opens a page, check the address bar. Look for misspellings, extra words or unfamiliar domain endings. A strange URL is often the only warning sign that the site is malicious.
5) Use strong antivirus software for QR-based threats
Strong antivirus software adds an extra layer of protection against quishing. Security tools can block known phishing sites, stop malicious downloads and warn you before harmful pages load. This is especially important on mobile devices, where QR codes are most often scanned.
The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
TotalAV is easy to set up and offers real-time protection for paid users, keeping your devices safe around the clock. It includes tools to block phishing scams, remove ransomware and spyware, and clean up adware and junk files. The software also features a browser manager, system tune-up tools, and protects across Windows, Mac, Android, and iOS devices.
GET MY EXCLUSIVE CYBERGUY TOTALAV DEAL:
Please note:
1) If you're having difficulty seeing either of the above deals, do this:
- If you're on a mobile device, hold down the link above, "Copy Link", and then paste it into a private or incognito browser.
- If you're on a laptop or desktop, right click the link, "Copy Link", and then paste it into a private or incognito browser.
2) During registration you may see optional upsells you can decline. Our top pick is the core antivirus product.
3) If you need help after your purchase, you can reach TotalAV directly through their official support page here.
6) Use a data removal service to limit exposure
Some quishing sites collect device and location data even if you do nothing. A data removal service helps reduce how much personal information is publicly available online. That makes it harder for attackers to target you with convincing spear phishing emails that include QR codes.
While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.
Incogni, a service I trust 100% and use myself, helps automate the process by submitting removal requests to hundreds of data brokers and people-search sites on your behalf.
Incogni automatically contacts data brokers on your behalf and requests the removal of your personal information. It also continues monitoring those sites and submits new removal requests if your data reappears.
- Incogni currently removes personal data from 420+ data broker and people-search websites, and its Unlimited plan allows you to request removals from as many additional sites as you need.
- Incogni has also received third-party assurance from Deloitte, validating its marketing claims.
- The goal is simple: make it much harder for strangers, scammers, and cybercriminals to find your personal information online.
CyberGuy readers get 60% off Incogni’s annual plans using the links in this article.
The service also includes a 30-day money-back guarantee, so you can try it risk-free and see how much of your information is exposed online.
Is your personal information exposed online?
Run a free scan to see if your personal info is compromised. Results arrive by email in about an hour.
7) Avoid QR code downloads entirely
Do not download files from QR code links unless you are absolutely certain they are safe. Malware delivered through QR codes can quietly install spyware or remote access tools without obvious warning signs.
Watch the latest episode of The CyberGuy Report.
Missed this event? Sign up via the registration form and see our live recording.
See Kurt’s Prime Day picks for useful gadgets, practical upgrades and everyday tech while the deals last.
Related Links:
- Hackers abuse Google Cloud to send trusted phishing emails
- Don’t click that link! How to spot and prevent phishing attacks in your inbox
- Real Apple support emails used in new phishing scam
Kurt’s key takeaways
QR codes are convenient, but convenience can lower defenses. As this FBI warning shows, attackers are evolving and using familiar tools in dangerous ways. A moment of verification can prevent weeks or months of damage.
When was the last time you stopped to question a QR code before scanning it? Let us know in the comments below.
FOR MORE OF MY TECH TIPS & SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE
Copyright 2026 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.
🎙 Now Streaming: My New Podcast: The CyberGuy Report
Kurt’s Top Deals
Deals move fast and inventory can be limited, so don’t wait too long.
| 🔥 Editor’s pick  Summer entertaining Ninja SLUSHi Machine (26% off) Frozen drinks and slushies at home in minutes. | |
| 💰 Top deal  Outdoor essential TYPEC Solar Bug Zapper (36% off) Solar-powered bug zappers for patios and camping. |
1 comment
I’ve always considered QR code, really any non-human readable code, as a threat until proven not. There are plenty of ways to read codes without actually acting on them. And, yes I look for misspellings.