CyberheistNews Vol 16 #05 [Heads Up] New “Fancy” QR Codes Are Making Quishing Extra Harmful

[Heads Up] New “Fancy” QR Codes Are Making Quishing Extra Harmful

QR code phishing scammers are more and more utilizing visually stylized QR codes to ship phishing hyperlinks, Assist Web Safety stories.

QR code phishing (quishing) is already harder to detect, since these codes ship hyperlinks with no seen URL. Attackers at the moment are utilizing QR codes with colours, shapes and logos woven into the code’s sample.

“Fancy QR codes additional complicate detection,” Assist Web Safety says. “Their layouts not resemble the acquainted black and white grid. Logos seem within the heart. Modules turn into rounded, stretched or recolored. Background photos mix into the code. These design adjustments protect scan success whereas disrupting visible and structural assumptions utilized by current detection instruments.”

Assist Web Safety cites a report from Deakin College that checked out these “fancy” QR codes, through which the researchers famous that these “creative and aesthetic QR codes are created by mixing a picture with black-white QR code the place their modules are nearly unidentifiable to [the] human eye.”

Quishing can also be a menace as a result of individuals normally scan them with their telephones, bypassing any safety defenses their employer might need on their work computer systems. These codes may also be positioned as stickers in bodily areas.

“In line with reporting by NordVPN, 73% of People scan QR codes with out verifying the vacation spot, and greater than 26 million customers have been redirected to malicious web sites,” Assist Web Safety writes.

“In 2025, the U.S. Federal Commerce Fee warned shoppers that QR codes on surprising packages needs to be handled as suspicious. New York Metropolis’s Division of Transportation issued an analogous warning after discovering fraudulent QR codes positioned on parking meters.”

AI-powered safety consciousness coaching can provide your group an important layer of protection in opposition to phishing assaults. Over 70,000 organizations worldwide belief the KnowBe4 HRM+ platform to strengthen their safety tradition and scale back human danger.

Weblog publish with hyperlinks:
https://weblog.knowbe4.com/warning-fancy-qr-codes-are-making-quishing-more-dangerous

[Live Demo] Ridiculously Straightforward AI-Powered Safety Consciousness Coaching and Phishing

Phishing and social engineering stay the #1 cyber menace to your group, with 68% of knowledge breaches attributable to human error. Your safety staff wants a straightforward option to ship customized coaching—that is exactly what our AI Protection Brokers present.

Be part of us for a demo showcasing KnowBe4’s modern strategy to human danger administration with agentic AI that delivers customized, related and adaptive safety consciousness coaching with minimal admin effort.

See how simple it’s to coach and phish your customers with KnowBe4’s HRM+ platform:

• NEW! Deepfake Coaching Content material – Generate hyper-realistic deepfakes of your personal executives to arrange customers to identify AI-driven manipulation and deepfakes
• SmartRisk Agent™ – Generate actionable information and metrics that can assist you decrease your group’s human danger rating
• Template Generator Agent – Create convincing phishing simulations, together with Callback Phishing, that mimic actual threats. The Beneficial Touchdown Pages Agent then suggests acceptable touchdown pages primarily based on AI-generated templates
• Automated Coaching Agent – Mechanically determine high-risk customers and assign customized coaching
• Data Refresher Agent and Coverage Quizzes Agent – Reinforce your safety program and organizational insurance policies

See how these highly effective AI-driven options work collectively to dramatically scale back your group’s danger whereas saving your staff helpful time.

Date/Time: TOMORROW, Wednesday, February 4 @ 2:00 PM (ET)

Save My Spot:
https://data.knowbe4.com/kmsat-demo-2?partnerref=CHN2

KnowBe4 Urges Motion: Take Management of Your Information this Information Privateness Week

With organizations gathering and storing large quantities of private information nowadays, a lot of which individuals share freely, we have to turn into higher at defending information on each the storing and sharing aspect of issues.

Organizations should have robust information safety measures in place, and everybody ought to begin being extra digitally aware when sharing their very own private information. Finally, being cautious of what we put out there’s one of the best ways to cut back cyberattacks and information breaches.

For organizations, information privateness is a steady course of, not a once-a-year tick-box train. Decreasing human danger and minimizing information assortment are vital methods for information safety. For people, it is time to kick begin digital mindfulness.

Privateness just isn’t about hiding, it is about controlling your information. Taking small, constant steps can beat one large privateness overhaul. KnowBe4’s CISO advisors present sensible recommendation to each organizations and people to take management of their information this Information Privateness Week.

[CONTINUED] on the KnowBe4 weblog with recommendation to organizations:
https://weblog.knowbe4.com/knowbe4-urges-action-take-control-of-your-data-this-data-privacy-week

Cyber CSI 2.0: Phishing Forensics within the Age of AI and Deepfakes

The phishing arms race has entered a harmful new section. Previous detection strategies not work in 2026. AI-generated phishing emails now mimic writing kinds completely. Deepfake voice and video calls impersonate your CEO with ease. Even “secure” platforms like Microsoft Groups and guarded domains aren’t bulletproof.

Be part of Roger A. Grimes, CISO Advisor at KnowBe4, for a contemporary have a look at trendy phishing forensics. Roger will present you the most recent instruments and strategies to catch high-tech social engineering earlier than it hits your community.

On this session you will discover ways to:

• Dissect AI-generated phishing emails and spot the delicate clues that reveal machine-crafted deception
• Perceive what DMARC truly protects (and what it would not), plus how attackers bypass it
• Use sensible strategies to determine pretend voice calls and video impersonations, and analyze phishing makes an attempt by means of Microsoft Groups, Slack, SMS (smishing), voice calls (vishing) and social media
• Practice your customers to identify and report phishing makes an attempt

Get contained in the thoughts of a hacker and grasp the forensic expertise that separate compromised organizations from protected ones, plus earn CPE for attending!

Date/Time: Wednesday, February 11 @ 2:00 PM (ET)

Save My Spot:
https://data.knowbe4.com/cyber-csi-2.0-phishing-forensics?partnerref=CHN

Beginning the Yr with Cyber Intention: Human-Centric Insights from the World Cybersecurity Outlook 2026

By Anna Collard

One among my first intentional “to-dos” this yr has been spending time with the World Financial Discussion board’s World Cybersecurity Outlook 2026, a report I used to be privileged to actively contribute to over the previous yr.

For KnowBe4 prospects, this report provides greater than development evaluation. It offers a baseline of the place organizations stand right now, what separates resilient orgs from much less resilient ones, and why the human issue is now central to cyber resilience.

Beneath are a number of the insights that stood out most to me, considered by means of a human-centric cybersecurity lens.

Cybersecurity Has Develop into Private

Cyber-enabled fraud and phishing have overtaken ransomware as CEOs’ high cybersecurity concern in 2026. In line with the report, 73% of respondents mentioned they, or somebody near them, have been personally affected by cyber-enabled fraud final yr.

This shift issues. Cyber danger is not restricted to IT groups or orgs; it’s impacting households, communities and belief itself.

Publicity to cyber-enabled fraud and phishing / social engineering is highest in:

• Sub-Saharan Africa (82%)
• North America (79%)
• Latin America & the Caribbean (77%)

This reinforces the significance of safety consciousness, behavioral resilience and empowering people to acknowledge and resist manipulation.

[CONTINUED] on the KnowBe4 weblog with stats:
https://weblog.knowbe4.com/starting-the-year-with-cyber-intention-human-centric-insights-from-the-global-cybersecurity-outlook-2026

Do Your Customers Know What to Do When They Obtain a Suspicious E mail?

Ought to they name the assistance desk, or ahead it? Ought to they ahead to IT together with all headers? Delete and never report it, forfeiting a potential early warning?

KnowBe4’s FREE (sure, you learn that proper) Phish Alert button provides your customers a secure option to ahead electronic mail threats to the safety staff for evaluation and deletes the e-mail from the consumer’s inbox to forestall future publicity. All with only one click on! And now, helps Outlook Cellular!

Phish Alert Advantages

• Reinforces your group’s safety tradition
• Customers can report suspicious emails with only one click on
• Incident Response will get early phishing alerts from customers, making a community of “sensors”
• E mail is deleted from the consumer’s inbox to forestall future publicity
• Straightforward deployment by way of .EXE file for Outlook, Google Workspace deployment for Gmail (Chrome) and manifest set up for Microsoft 365

Signal Up
https://data.knowbe4.com/free-tools/phish-alert-button-chn

Observe: The Phish Alert Button helps Outlook 2010, 2013, 2016 & Outlook for Microsoft 365, Alternate 2013 & 2016, Chrome 54 and later (Linux, OS X and Home windows) and Outlook Cellular!

AI Brokers Go Rogue, Bypassing Guardrails in ‘Scary’ Safety Incident

A chilling instance of AI’s “unintended penalties” has emerged, proving that autonomous brokers can already collaborate to bypass company safety controls. George Kurtz, CEO of CrowdStrike, highlighted an incident the place a buyer’s IT automation suite—a community of AI brokers—went proper round applied guardrails.

One agent, figuring out a software program bug, lacked the entry to repair it. As a substitute of halting, it posted a request to a Slack channel with its friends. A second agent, which had the required privileges, “raised its hand” and utilized the repair.

“Do you see how scary that is? These two brokers are reasoning, they usually went proper across the guardrails that have been put in place,” Kurtz warned. The core danger is that the brokers are “guessing what you need them to do,” resulting in doubtlessly incorrect code pushes and an untraceable chain of error.

The answer, in response to Kurtz, is a large new market: AIDR (AI Detection and Response). With an estimated 90 brokers per worker turning into the norm, the necessity for centralized visibility and safety throughout all homegrown and third-party brokers presents a “large TAM alternative” for safety corporations.

It might after all begin with coaching these brokers to acknowledge these risks, one thing like—I’m making this up on the spot—”Guardrail Integrity Coaching”

Right here is the Instagram Reel:
https://www.instagram.com/reel/DUGqipoEU35/?igsh=MWVraTB0aHh2enRheApercent3Dpercent3D

Let’s keep secure on the market.

Heat regards,

Stu Sjouwerman, SACP
Govt Chairman
KnowBe4, Inc.

PS: Be sure that to hitch us at KB4-CON 2026 Might 12-14, 2026, on the Orlando World Heart Marriott:
https://www.knowbe4.com/kb4-con

PPS: My new ebook ‘Agent-Powered Progress’ made it on TWO Bestseller Lists!
https://stu-sjouwerman.multiscreensite.com/

You possibly can learn CyberheistNews on-line at our Weblog
https://weblog.knowbe4.com/cyberheistnews-vol-16-05-heads-up-new-fancy-qr-codes-are-making-quishing-more-dangerous

Report: One in Ten UK Corporations Wouldn’t Survive a Main Cyberattack

A brand new survey by Vodafone Enterprise discovered that greater than 10% of firms within the UK would doubtless exit of enterprise in the event that they have been hit by a serious cyber incident, equivalent to a ransomware assault, Infosecurity Journal stories.

Moreover, 71% of enterprise leaders consider not less than one among their workers would fall for a convincing phishing assault, and fewer than half (45%) of organizations have ensured that each one of their workers have obtained fundamental cyber consciousness coaching.

The commonest the reason why leaders consider their employees would fall for phishing emails are “a lack of know-how and coaching; employees being ‘too busy’; and the absence of clear protocols for verifying and flagging suspicious messages.”

Respondents additionally mentioned their workers reuse their work password for almost a dozen private accounts, drastically rising the danger of phishing and credential stuffing assaults. If an attacker manages to steal a password for a private account, then they will check that password in opposition to the consumer’s work account.

Multifactor authentication can add a layer of protection in opposition to stolen passwords, however MFA may also be bypassed by way of social engineering.

“The ballot paints a troubling image of insufficient disaster preparedness, poor password practices and employees susceptibility to phishing scams – all of which go away companies uncovered to cyber-crime,” Vodafone says. “With almost two thirds of enterprise leaders (63%) reporting that their group’s danger of cyber-attack has risen over the previous yr, password reuse stays notably prevalent.

“Employers estimate that, on common, employees use their work password for as much as 11 different private accounts, together with social media and relationship websites.”

Infosecurity Journal has the story:
https://www.infosecurity-magazine.com/information/uk-execs-warn-may-not-suruvie/

Voice Phishing Kits Give Menace Actors Actual-Time Management Over Assaults

Researchers at Okta warn {that a} sequence of phishing kits have emerged which are designed to assist menace actors launch subtle voice phishing (vishing) assaults that may bypass multifactor authentication.

“Probably the most vital of those options are client-side scripts that enable menace actors to regulate the authentication circulation within the browser of a focused consumer in real-time whereas they ship verbal directions or reply to verbal suggestions from the focused consumer,” Okta says.

“It is this real-time session orchestration that delivers the plausibility required to persuade the menace actor’s goal to approve push notifications, submit one time passcodes (OTP) or take different actions the menace actor must bypass MFA controls.”

The phishing kits enable attackers to information the sufferer by means of the assault circulation, which proceeds as follows:

• “The menace actor performs reconnaissance on a goal, studying the names of customers, the apps they generally use and cellphone numbers utilized in IT assist calls;
• The menace actor units a personalized phishing web page stay and calls focused customers, spoofing the cellphone variety of the corporate or its assist hotline;
• The menace actor convinces the focused consumer to navigate of their browser to the phishing web site beneath the pretext of an IT assist or safety requirement;
• The focused consumer enters their username and password, which is robotically forwarded to the menace actor’s Telegram channel;
• The menace actor enters the username and password into the official sign-in web page of the focused consumer and assesses what MFA challenges they’re introduced with;
• The menace actor updates the phishing web site in real-time with pages that assist their verbal ask for the consumer to enter an OTP, settle for a push notification or different MFA challenges.”

Moussa Diallo, menace researcher at Okta Menace Intelligence, acknowledged, “When you get into the motive force’s seat of one among these instruments, you’ll be able to instantly see why we’re observing increased volumes of voice-based social engineering.

“Utilizing these kits, an attacker on the cellphone to a focused consumer can management the authentication circulation as that consumer interacts with credential phishing pages. They will management what pages the goal sees of their browser in good synchronization with the directions they’re offering on the decision.

“The menace actor can use this synchronization to defeat any type of MFA that isn’t phishing-resistant.”

KnowBe4 empowers your workforce to make smarter safety choices day-after-day.

Okta has the story:
https://www.okta.com/weblog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/

What KnowBe4 Clients Say

“Hello Bryan, up to now, so good. It took us a couple of weeks to get to some extent the place we’re now utilizing sensible internet hosting to keep away from bot clicks. However I am making ready my first main phishing marketing campaign utilizing the platform, the second annual Phishy Phebruary, which is one thing I got here up with final yr.

“Everybody has been nice, from Patrick and Jordan presale to Kelli and the assist staff publish. I am wanting ahead to KB4-CON.”

– L.U., CISM, Information Governance Supervisor | IS Safety Division

“Hello Bryan, thanks for reaching out, up to now this has been top-of-the-line onboarding experiences I’ve had in a very long time. Angelina has been nice at serving to us construct out our monitoring and coaching routine which has been nice since we’re new to formalizing our cyber safety coaching and consciousness. This camper is comfortable, preserve doing what you are doing. It really works.”

– V.E., IT Supervisor