Show Transcript
Welcome to the Identity Theft Resource Center's (ITRC) Weekly Breach Breakdown for September 5, 2025. I'm Tatiana Cuadras, Communications Assistant for the ITRC. Thanks to Sentilink for supporting the ITRC and this podcast. Each week, we look at the most recent events and trends related to data security and privacy. Today, we are going to look at how identity criminals are using QR code phishing in new attacks.
Many of you probably have heard the phrase “Gone Fishing” before. For those who have not, “Gone Fishing” is another way someone might say one is absent, left or no longer present. It can also be an excuse for not being around. The hackers are not “Gone Fishing”; they are “Gone Quishing”. See what I did there? On a more serious note, that is the title of this week’s podcast because they are weaponizing QR codes in new “quishing” attacks.
Let’s start by defining quishing. Quishing is short for QR code phishing. In April, the United States Postal Inspector Service (USPIS) reported that scammers were incorporating quishing into a new variation of the brushing scam. Now, according to Infosecurity Magazine, security researchers at Barracuda Networks have discovered two novel quishing techniques involving splitting malicious QR codes into two parts or embedding them into legitimate ones.
The Barracuda researchers observed that operators of Gabagool, a phishing-as-a-service kit, recently started using a new technique to help malicious QR codes evade detection. Infosecurity Magazine reports that the method involves splitting a QR code into two separate images and embedding them in a phishing email. When traditional email security solutions scan the message, they see two distinct and benign-looking images rather than one complete QR code.
To the recipient of the email, the QR code in the message looks complete and can be scanned to direct the user to a phishing page designed to steal their credentials. However, when looking at the visual in HTML, it comprises two different images.
Barracuda researchers also found that operators of another phishing-as-a-service kit, Tycoon, used a different technique to help malicious QR codes evade detection. In one instance observed by Barracuda, the outer QR code pointed to a malicious URL, while the inner QR code led to Google.
Barracuda’s report emphasized a defense-in-depth approach to email security. There were more findings in the report that you can read here.
That was a lot of technical information on quishing. What does it mean for you and me? The big takeaway is that QR code phishing continues to become a bigger threat to us consumers. It has never been more important to exercise caution when scanning QR codes. Here are some tips to recognize and avoid fake QR codes:
- If it is a physical QR code, check it for signs of tampering. If a QR code is on a flyer, parking meter or at a restaurant, look for a sticker placed over the original code.
- Treat a QR code in an email you are not expecting just like a link or attachment. Avoid scanning QR codes from unknown or unexpected sources. If the QR code is from a company, confirm its legitimacy by contacting the company directly.
- Preview the URL before you visit it. When you scan a QR code with your phone’s camera, a preview of the website address should appear. Check for any misspellings and make sure the URL starts with “https”.
If you accessed a website in a QR code and are not sure if it is legitimate, run a security scan on your devices and update your passwords (use passkeys, if possible, and 12+-character passphrases if not). As James E. Lee often says, those scammers are a crafty lot. QR code phishing is more prevalent now than ever. However, with a cautious eye and good cyber-hygiene, those criminals can be “Gone Quishing” and onto their next endeavor.
If you want to know more about how to protect your business or personal information or think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started.
Thanks again to Sentilink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to your podcasts. We will return next week with another episode of the Weekly Breach Breakdown. I'm Tatiana Cuadras. Until then, thanks for listening.