FBI Warns: QR Codes Are Now a Primary Mobile Phishing Weapon

Zimperium and the FBI IC3 highlight an active campaign by Kimsuky using malicious QR codes (“quishing”) to drive victims from enterprise channels to mobile-optimized phishing pages that harvest credentials and bypass MFA; this mobile-first tactic evades URL-based email and network defenses and can lead to account takeover, lateral movement, and follow-on spearphishing, while mobile threat defense on the device is presented as a primary mitigation.