Threat Spotlight: Split and nested QR codes fuel new generation of 'quishing' attacks
Barracuda Networks, Wednesday, August 20th, 2025
Quishing is a form of phishing that involves the use of QR codes embedded with malicious links. When scanned, these QR codes redirect victims to fake websites designed to steal their credentials or other sensitive information.
Malicious QR codes are popular with attackers for several reasons. They cannot be read by humans so don't raise any red flags, and they can often bypass traditional security measures such as email filters and link scanners. Further, since recipients often have to switch to a mobile device to scan the code, it can take users out of the company security perimeter and away from protection.
As security tools adapt to the threat of quishing, attackers have continued to innovate their approaches. Barracuda has reported previously on the evolution of QR code phishing attacks and the arrival of more sophisticated ASCII QR code attacks.
In this article, we explore the latest advances in QR code attack techniques, including split QR codes and nested (QR-in-QR) codes.