The FBI has issued an alert warning of a highly organized cybersecurity attack by a North Korean-aligned group, using QR codes.
Quishing (QR Code Phishing) is a phishing technique in which adversaries embed malicious URLs inside QR codes to force victims to pivot from their corporate endpoint to a mobile device, bypassing traditional
From the Jan 8, 2026 FBI alert
email security controls…Quishing campaigns commonly deliver QR
images as email attachments or embedded graphics, evading URL inspection, rewriting, and sandboxing.
The warning was directed to NGOs, academic institutions, and generally the type of organizations involved in global affairs. However, the crime described and caution urged in the FBI’s alert should be taken seriously by all businesses and individuals, as malicious QR codes can leveraged against everybody in the same way and for similar reasons.
People have QR codes all around them nowadays — it is a easy, user-friendly, and relatively inexpensive way to communicate a web destination the publisher of the code wants others to visit. QR codes are used in parking lots to direct vehicle owners to a payment portal; restaurants use them to put their menu into a diner’s phone; and they’re increasingly used in the supply chain as a means of track-and-trace.
When you scan a QR code, you have to blindly trust that the Internet location it is sending you to is legitimate. There are countless stories over the last few years of people and businesses defrauded and their privacy compromised, because the website a QR code led to took payment information, personal details, and/or information from the device used, and provided that information to criminals with the end-user oblivious. In some extreme cases, the QR code facilitated the install of malware on the device, infecting it and possibly other devices and systems.
Traceability.FYI is launching a podcast in February, 2026 — our first episode, coincidentally, is on QR codes and their malicious uses, and how they are being forced into adoption by global supply chains through policies and legislation driven by GS1. Our participants on the podcast episode include Mark Manning from iTrace Technologies and Robert Sherwood from Veritrace, both members of GlobalAutoID.
To get notification of when the podcast episode goes live, and to stay in-touch with the latest track-and-trace information and trends, sign up for Traceability Updates via email.
Photo by Brett Jordan on Unsplash