Why QR Code Phishing Is Beating Employee Security Training


The FBI issued a public alert in January 2026 warning that North Korean state-sponsored hackers have been embedding malicious QR codes in spear-phishing emails to bypass corporate security controls and steal credentials from government agencies, universities, and think tanks. This technique, called quishing, is no longer a fringe attack method. QR code phishing emails surged from roughly 47,000 in August 2025 to more than 249,000 by November, according to Keepnet Labs, a 430 percent jump in just three months. For organizations investing in employee security training, quishing exposes a gap that most programs have not yet addressed.

Quishing works precisely because it moves the attack off corporate networks and onto personal or unmanaged mobile devices. When an employee scans a QR code from their phone rather than clicking a link on their work computer, they step outside the protections that endpoint detection and response tools and email filters provide. The FBI noted that attackers use this shift to steal session tokens, which lets them bypass multi-factor authentication and gain persistent access to cloud accounts without triggering typical security alerts.

Why Quishing Slips Past Security Controls

Most corporate email security tools scan links embedded in message bodies. A QR code is an image, not a link, so it passes through unexamined. The payload only activates when a mobile camera app reads the code and opens a URL, at which point the employee is on their personal device, on their own network, without the policy enforcement that applies to company equipment.

This creates a detection gap that most organizations have not closed. Keepnet’s research found that only 36 percent of QR phishing incidents were accurately identified and reported by recipients, meaning nearly two-thirds of these attacks go undetected internally. Organizations that approach security through a human risk management framework recognize that this kind of behavioral gap, not just the technical one, is what attackers reliably exploit.
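One defensive response to the gap described above is to stop treating an image as inert: route image-bearing, link-free messages that carry credential-lure wording to a QR-decoding and URL-checking step before delivery. The triage function below is an added example, not code from the article or from any vendor named in it; the lure keywords, the "two or more hits" threshold, and the sample message are illustrative assumptions.

```python
# Added example, not code from the article: a mail-pipeline triage step for
# quishing. A link scanner sees no URL when the lure is a QR image, so this
# flags image-bearing, link-free messages with credential-lure wording for a
# QR-decoding step. Keywords and thresholds are illustrative assumptions.
import re
from email import message_from_string

LURE_WORDS = ("multifactor", "authentication", "password", "expire",
              "verify", "scan", "reset", "registration", "secure document")
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def triage_quishing(raw_email: str) -> dict:
    """Count image parts, URLs and lure words in one RFC 5322 message."""
    msg = message_from_string(raw_email)
    images, text = 0, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1  # inline or attached picture: a QR code candidate
        elif ctype in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            text.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    body = " ".join(text).lower()
    links = len(URL_RE.findall(body))
    lure_hits = sum(1 for w in LURE_WORDS if w in body)
    # An image, nothing for the link scanner, and lure language: hold the
    # message and send its image parts to a QR decoder plus URL check.
    return {"images": images, "links": links, "lure_hits": lure_hits,
            "route_to_qr_decoder": images > 0 and links == 0 and lure_hits >= 2}

# Constructed sample (not a real lure) modelled on the article's fake
# multifactor authentication reset notice; the PNG bytes are a stub.
SAMPLE_QUISHING = """\
From: it-helpdesk@example.invalid
Subject: Action required: MFA enrollment expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your multifactor authentication token will expire in 24 hours.
Scan the attached QR code with your phone to re-verify your account.

--b1
Content-Type: image/png; name="mfa-qr.png"

iVBORw0KGgo=
--b1--
"""
```

In a real gateway the flagged image parts would be handed to a QR decoder and the recovered URL fed into the same reputation and sandbox checks that ordinary hyperlinks already receive.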

The Scale of the Problem

Quishing is not a novelty threat. Nearly 4.2 million QR code phishing attempts were identified in early 2025, and 12 percent of all phishing attacks now contain a QR code element, according to Keepnet. The attacks target credentials in 89.3 percent of cases, making them a direct pipeline to account takeover and data breach. The average business loss from a successful quishing incident exceeds one million dollars.

The threat landscape also includes state-actor-level sophistication. North Korean hackers tracked by the FBI as the Kimsuky group used fake conference registration pages, secure document access requests, and policy survey lures to harvest Google credentials from targeted organizations. These are not opportunistic scams. They are targeted, convincing, and built to defeat employees who have only been tested on traditional email phishing.

Where Employee Training Has a Blind Spot

Many security awareness programs were built around email-based scenarios. Employees learn to hover over links, check sender addresses, and spot mismatched domains. These are useful habits. But 73 percent of people scan QR codes without verifying where they lead first, according to Keepnet, and most training programs have never presented employees with a quishing scenario.

The result is a workforce that may pass a standard phishing simulation without difficulty, yet remain vulnerable to an attack delivered through a QR code in a printed meeting agenda, a conference email, or a message from an unknown number. The 68 percent of quishing attacks that specifically targeted mobile users in 2025 were not stopped by the awareness training those users had already completed. A managed security awareness program that includes mobile and QR code threat scenarios gives organizations a much clearer picture of where behavioral risk actually lives.

What to Add to Your Training Program Now

Start by introducing QR code scenarios into your phishing simulation calendar. Employees should encounter simulated quishing attempts that mimic real-world lures: a fake multifactor authentication reset notice, a QR code in an apparent supplier email, or a fake meeting link. Keepnet’s data shows security training improved QR phishing detection by 87 percent within three months of consistent practice. That is a significant return for a straightforward program update.

Second, address mobile device habits directly with your team. Encourage a pause-and-verify reflex before scanning any code that arrives through email, text, or a printed document, regardless of whether it appears to come from a known sender. If you are not sure how to build quishing awareness into your existing program, connect with our team to discuss how to add it to your training calendar. A single addition to your simulation schedule can dramatically reduce your exposure to an attack vector that most organizations are currently underprepared for.
