Around 800 artists, writers, actors, and musicians signed on to a new campaign against what they call “theft at a grand scale” by AI companies. The signatories of the campaign — called “Stealing Isn’t Innovation” — include authors George Saunders and Jodi Picoult, actors Cate Blanchett and Scarlett Johansson, and musicians like the band R.E.M., Billy Corgan, and The Roots.

“Driven by fierce competition for leadership in the new GenAI technology, profit-hungry technology companies, including those among the richest in the world as well as private equity-backed ventures, have copied a massive amount of creative content online without authorization or payment to those who created it,” a press release reads. “This illegal intellectual property grab fosters an information ecosystem dominated by misinformation, deepfakes, and a vapid artificial avalanche of low-quality materials [‘AI slop’], risking AI model collapse and directly threatening America’s AI superiority and international competitiveness.”

The advocacy effort is from the Human Artistry Campaign, a group of organizations including the Recording Industry Association of America (RIAA), professional sports players unions, and performers unions like SAG-AFTRA. The Stealing Isn’t Innovation campaign messages will appear in full-page ads in news outlets and on social media. Specifically, the campaign calls for licensing agreements and “a healthy enforcement environment,” along with the right for artists to opt out of their work being used to train generative AI.

On the federal level, President Donald Trump and his tech industry allies have been attempting to control how states regulate AI and punish those that try. At the industry level, tech companies and rights owners who were once on opposing sides are increasingly cutting licensing deals that allow AI companies to use protected work — licensing content appears to be a solution both parties can live with, at least for now. Major record labels, for example, have now partnered with AI music startups to provide their catalogues for AI remixing and model training. Digital publishers, some of which have sued AI companies training on their work, have backed a licensing standard that outlets can use to block their content from surfacing in AI search results. Some outlets have signed individual deals with tech companies that allow AI chatbots to surface news content (Disclosure: Vox Media, The Verge’s parent company, has a licensing deal with OpenAI.)

The Federal Bureau of Investigation has issued a warning about a growing cyber threat that turns everyday QR codes into spying tools.

According to the bureau, a North Korean government-sponsored hacking group is using a tactic known as quishing to target people in the United States. 

The goal is simple. Trick you into scanning a QR code that sends you to a malicious website. From there, attackers can steal login credentials, install malware or quietly collect device data.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

WHATSAPP WEB MALWARE SPREADS BANKING TROJAN AUTOMATICALLY

What quishing is and why it works

Quishing is short for QR code phishing. Instead of clicking a suspicious link in an email, the victim scans a QR code that hides the real destination. QR codes themselves are harmless. The danger lies in the link embedded inside them. Once scanned, the link can redirect users to fake login pages, malware downloads or tracking sites. Because QR codes feel familiar and fast, many people scan them without thinking twice. That split second of trust is exactly what attackers rely on.

Who is behind the attacks

The FBI says the activity is tied to a hacking group known as Kimsuky. The group has operated for years as a cyber espionage arm for North Korea. What is new is the delivery method. According to the FBI, the QR code-based attacks began in May 2025. In one example, attackers posed as a foreign policy advisor and emailed a think tank leader with a QR code that linked to a fake questionnaire. Scanning the code sent the victim to a malicious site designed to harvest information.

What happens after you scan the QR code

Once a victim lands on one of these sites, several things can happen. Some pages prompt users to download files that contain malware. Others mimic mobile login portals for popular services such as Okta, Microsoft 365 or VPN services. Even if no form is filled out, the site can still collect device details. That includes IP address, operating system, browser type and approximate location. Over time, that data helps attackers build intelligence profiles on their targets.

Why QR code phishing attacks are highly targeted

The FBI describes these campaigns as spear phishing rather than mass spam. That means the emails are crafted for specific individuals. The language context and sender details are tailored to look relevant and credible. When an email feels personal, people are more likely to trust it. That is why these attacks are especially dangerous for professionals, researchers, executives and anyone working in policy or technology.

Why QR code phishing threats are growing

QR codes are everywhere now. Restaurants, parking meters, event tickets and ads all rely on them. As their use grows, so does the opportunity for abuse. Attackers know people are conditioned to scan without hesitation. That makes caution more important than ever.

Ways to stay safe from QR code phishing

The FBI says one of the best defenses against quishing is slowing down. QR codes remove the visual clues people rely on, so a few extra checks can make a big difference.

1) Be cautious with unexpected QR codes

Treat QR codes like links in emails. If you did not expect it, do not scan it. QR codes sent by email, text or messaging apps are a common entry point for quishing attacks. Criminals rely on curiosity and urgency to push you into scanning without thinking.

2) Verify the source before scanning

Always confirm who sent the QR code. If a message claims to come from a coworker, vendor or organization, reach out through a separate channel before scanning. A quick call or direct message can stop a phishing attempt cold.

JANUARY SCAMS SURGE: WHY FRAUD SPIKES AT THE START OF THE YEAR

3) Never enter logins after scanning a QR code

QR code phishing often leads to fake mobile login pages. Attackers mimic sign-in screens for email, VPNs and cloud services to steal usernames and passwords. If a QR code takes you to a login page, close it and visit the site manually instead.

4) Inspect the website URL carefully

Once a QR code opens a page, check the address bar. Look for misspellings, extra words or unfamiliar domain endings. A strange URL is often the only warning sign that the site is malicious.

5) Use strong antivirus software for QR-based threats

Strong antivirus software adds an extra layer of protection against quishing. Security tools can block known phishing sites, stop malicious downloads and warn you before harmful pages load. This is especially important on mobile devices, where QR codes are most often scanned.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

6) Use a data removal service to limit exposure

Some quishing sites collect device and location data even if you do nothing. A data removal service helps reduce how much personal information is publicly available online. That makes it harder for attackers to target you with convincing spear phishing emails that include QR codes.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

7) Avoid QR code downloads entirely

Do not download files from QR code links unless you are absolutely certain they are safe. Malware delivered through QR codes can quietly install spyware or remote access tools without obvious warning signs.

INSTAGRAM PASSWORD RESET SURGE: PROTECT YOUR ACCOUNT

Kurt’s key takeaways

QR codes are convenient, but convenience can lower defenses. As this FBI warning shows, attackers are evolving and using familiar tools in dangerous ways. A moment of verification can prevent weeks or months of damage.

When was the last time you stopped to question a QR code before scanning it? Let us know by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

Copyright 2026 CyberGuy.com.  All rights reserved.