Quishing: The Rising Threat of QR Code Phishing Attacks

Edward Zhou
Edward Zhou

CEO & Founder

 
July 19, 2025 2 min read

Threat Spotlight: QR Code Phishing Attacks

Key Findings

Barracuda Networks researchers detected over 500,000 phishing emails featuring Quick Response (QR) codes embedded in PDF documents from mid-June to mid-September. This method represents a shift from embedding QR codes in the email body to attaching them in PDFs. The primary goal of these attacks is to capture sensitive login credentials.

Understanding the Threat

QR code phishing, or "quishing," exploits the trust people have in QR codes. Cybercriminals trick victims into scanning codes that lead to malicious websites. Barracuda has identified that 51% of these phishing attempts impersonate Microsoft, with DocuSign and Adobe being the next most common targets. This change in tactics complicates detection since traditional email filters often overlook the risks when direct links are absent.

Quishing Email Characteristics

Phishing emails typically contain a simple PDF with a QR code, directing recipients to scan it for access to essential documents or messages. This method bypasses many corporate defenses, making it particularly effective against small-to-medium businesses lacking advanced security tools.

Brands being impersonated in QR code attacks

Defense Strategies

To combat these attacks, companies should implement multilayered email security, utilize AI-powered technology to detect targeted phishing efforts, and educate employees on the dangers of scanning QR codes from unknown sources.

  1. Multilayered Email Security: Deploy robust spam and malware filters like Barracuda's Email Protection.
  2. AI and Advanced Technology: Supplement existing defenses with AI-driven solutions for heightened detection capabilities against sophisticated phishing attempts, such as Barracuda's Phishing Protection.
  3. User Education: Conduct regular training sessions focused on recognizing and reporting suspicious QR code activity.

Malicious QR Code Attack for Compensation Fraud

In a recent cybersecurity incident, Proofpoint identified a sophisticated QR code attack embedded in an innocent-looking PDF attachment. Attackers used a Cloudflare CAPTCHA to hinder detection by traditional security measures.

Malicious email designed to appear legitimate
The attack sequence included:

  1. Deceptive Lure: Emails masquerading as legitimate requests prompted users to open attachments.
  2. Hidden Malicious QR Code: The QR code was embedded within the PDF, making it less suspicious.
  3. Cloudflare CAPTCHA: This additional layer made it difficult for standard detection tools to identify the threat.

Recommendations for Organizations

Organizations must adopt comprehensive security measures that include:

  • Advanced Email Security: Employ solutions capable of analyzing embedded URLs within attachments, such as Proofpoint's URL sandboxing.
  • Behavioral Analysis: Leverage AI and machine learning to analyze user behavior and detect anomalies that may indicate phishing attempts.
  • Security Awareness Training: Regularly educate employees on the risks associated with scanning QR codes.

Protecting Your Business

Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture. Our platform converges networking and security across devices, apps, and environments—from endpoints and private networks to cloud, remote access, and containers—using peer-to-peer encrypted tunnels and quantum-resistant cryptography.

Explore how Gopher Security can enhance your organization's defense against emerging threats. For more information, visit Gopher Security.

Edward Zhou
Edward Zhou

CEO & Founder

 

CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions..

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article