The Federal Bureau of Investigation has issued a warning about a growing cyber threat that turns everyday QR codes into spying tools.

According to the bureau, a North Korean government-sponsored hacking group is using a tactic known as quishing to target people in the United States. 

The goal is simple. Trick you into scanning a QR code that sends you to a malicious website. From there, attackers can steal login credentials, install malware or quietly collect device data.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

WHATSAPP WEB MALWARE SPREADS BANKING TROJAN AUTOMATICALLY

What quishing is and why it works

Quishing is short for QR code phishing. Instead of clicking a suspicious link in an email, the victim scans a QR code that hides the real destination. QR codes themselves are harmless. The danger lies in the link embedded inside them. Once scanned, the link can redirect users to fake login pages, malware downloads or tracking sites. Because QR codes feel familiar and fast, many people scan them without thinking twice. That split second of trust is exactly what attackers rely on.

Who is behind the attacks

The FBI says the activity is tied to a hacking group known as Kimsuky. The group has operated for years as a cyber espionage arm for North Korea. What is new is the delivery method. According to the FBI, the QR code-based attacks began in May 2025. In one example, attackers posed as a foreign policy advisor and emailed a think tank leader with a QR code that linked to a fake questionnaire. Scanning the code sent the victim to a malicious site designed to harvest information.

What happens after you scan the QR code

Once a victim lands on one of these sites, several things can happen. Some pages prompt users to download files that contain malware. Others mimic mobile login portals for popular services such as Okta, Microsoft 365 or VPN services. Even if no form is filled out, the site can still collect device details. That includes IP address, operating system, browser type and approximate location. Over time, that data helps attackers build intelligence profiles on their targets.

Why QR code phishing attacks are highly targeted

The FBI describes these campaigns as spear phishing rather than mass spam. That means the emails are crafted for specific individuals. The language context and sender details are tailored to look relevant and credible. When an email feels personal, people are more likely to trust it. That is why these attacks are especially dangerous for professionals, researchers, executives and anyone working in policy or technology.

Why QR code phishing threats are growing

QR codes are everywhere now. Restaurants, parking meters, event tickets and ads all rely on them. As their use grows, so does the opportunity for abuse. Attackers know people are conditioned to scan without hesitation. That makes caution more important than ever.

Ways to stay safe from QR code phishing

The FBI says one of the best defenses against quishing is slowing down. QR codes remove the visual clues people rely on, so a few extra checks can make a big difference.

1) Be cautious with unexpected QR codes

Treat QR codes like links in emails. If you did not expect it, do not scan it. QR codes sent by email, text or messaging apps are a common entry point for quishing attacks. Criminals rely on curiosity and urgency to push you into scanning without thinking.

2) Verify the source before scanning

Always confirm who sent the QR code. If a message claims to come from a coworker, vendor or organization, reach out through a separate channel before scanning. A quick call or direct message can stop a phishing attempt cold.

JANUARY SCAMS SURGE: WHY FRAUD SPIKES AT THE START OF THE YEAR

3) Never enter logins after scanning a QR code

QR code phishing often leads to fake mobile login pages. Attackers mimic sign-in screens for email, VPNs and cloud services to steal usernames and passwords. If a QR code takes you to a login page, close it and visit the site manually instead.

4) Inspect the website URL carefully

Once a QR code opens a page, check the address bar. Look for misspellings, extra words or unfamiliar domain endings. A strange URL is often the only warning sign that the site is malicious.

5) Use strong antivirus software for QR-based threats

Strong antivirus software adds an extra layer of protection against quishing. Security tools can block known phishing sites, stop malicious downloads and warn you before harmful pages load. This is especially important on mobile devices, where QR codes are most often scanned.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

6) Use a data removal service to limit exposure

Some quishing sites collect device and location data even if you do nothing. A data removal service helps reduce how much personal information is publicly available online. That makes it harder for attackers to target you with convincing spear phishing emails that include QR codes.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

7) Avoid QR code downloads entirely

Do not download files from QR code links unless you are absolutely certain they are safe. Malware delivered through QR codes can quietly install spyware or remote access tools without obvious warning signs.

INSTAGRAM PASSWORD RESET SURGE: PROTECT YOUR ACCOUNT

Kurt’s key takeaways

QR codes are convenient, but convenience can lower defenses. As this FBI warning shows, attackers are evolving and using familiar tools in dangerous ways. A moment of verification can prevent weeks or months of damage.

When was the last time you stopped to question a QR code before scanning it? Let us know by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

Copyright 2026 CyberGuy.com.  All rights reserved.