FBI issues urgent warning over 'quishing' scam — don't fall for this

The FBI issued a warning that a North Korean-sponsored hacking group is using "quishing" attacks in emails to help them spy on US citizens. Quishing, or QR code Phishing, is an attack where bad actors embed malicious URLs inside the QR code.

While QR codes themselves aren't malicious, the links contained in them can be used for duplicitous means.

According to the federal agency, a group known as Kimusky has been using the QR codes to send victims to malicious websites designed to trick people into downloading malware or entering sensitive information.

The FBI says that these websites can also collect device details, including IP addresses, operating system and location. In some cases, the sites mimic mobile versions of login portals for apps like Okla, Microsoft 365 or VPNs to manipulate users into entering their login credentials.

While the hacking group Kimusky has been active for years, this quishing scheme didn't go into effect until May 2025, the FBI says. The group acts as a cyber-spying and intelligence-gathering force for the North Korean government.

"In May 2025, Kimsuky actors spoofing a foreign advisor sent an email requesting insight from a think tank leader regarding recent developments on the Korean Peninsula. The email provided a QR code to scan for access to a questionnaire," the warning reads.

According to the FBI, the recent attacks are going after selected individuals in what's called "spearfishing," where the attempt to get people to click or scan the QR codes is tailored to the person. For the most part, the targets have been people in think tanks, academic institutions and government officials.

The FBI urges people to be wary of scanning unsolicited QR codes. It also suggests people attempt to "verify QR code sources through secondary means (such as contacting the sender directly), especially before entering login credentials or downloading files."

How to avoid being 'quished'

As with most phishing scams, the goal is to look reliable enough that unwary users click through without double or triple-checking. Protect yourself by remaining calm and vigilant.

As with normal emails, you shouldn't click on unsolicited links or attachments, and you shouldn't scan any QR code you receive unexpectedly, or even those you see on street signs, posters, or advertisements. For example, if you receive an email from a company with a QR code, go directly to its website.

If you do scan a QR code, avoid filling out any forms that request your personal information. Additionally, you'll want to inspect the site's URL for suspicious signs.

Does it use a top-level domain like ".com" that you're familiar with? Or does it use one you've never seen before, like ".TV" or ".IT"? It could be a sign of phishing.

If you're on Android, try adding an extra layer of protection with one of the best Android antivirus apps to help shield you from phishing attacks and malware.

If you're worried that you've been scammed or concerned you might be targeted, consider signing up for one of the best identity theft protection services. The programs can help get your identity back, but also recover funds lost to fraud.

With QR codes becoming more commonplace, like using them to access restaurant menus, this threat will become more prevalent. So, stay vigilant and be extra cautious whenever you encounter a QR code, and look for alternatives if you can.

Follow Tom's Guide on Google News and add us as a preferred source to get our up-to-date news, analysis, and reviews in your feeds.

More from Tom's Guide

• People are the password problem: How you're creating your biggest security risks
• 5 essential security steps to take when setting up your new phone
• I’m a security editor and these are my 3 security New Years resolutions