CyberheistNews Vol 16 #05 [Heads Up] New “Fancy” QR Codes Are Making Quishing More Dangerous

[Heads Up] New “Fancy” QR Codes Are Making Quishing More Dangerous

QR code phishing scammers are increasingly using visually stylized QR codes to deliver phishing links, Help Net Security reports.

QR code phishing (quishing) is already more difficult to detect, since these codes deliver links without a visible URL. Attackers are now using QR codes with colors, shapes and logos woven into the code's pattern.

"Fancy QR codes further complicate detection," Help Net Security says. "Their layouts no longer resemble the familiar black and white grid. Logos appear in the center. Modules become rounded, stretched or recolored. Background images blend into the code. These design changes preserve scan success while disrupting visual and structural assumptions used by existing detection tools."

Help Net Security cites a report from Deakin University that looked at these "fancy" QR codes, in which the researchers noted that these "artistic and aesthetic QR codes are created by blending an image with black-white QR code where their modules are almost unidentifiable to [the] human eye."

Quishing is also a threat because people usually scan them with their phones, bypassing any security defenses their employer might have on their work computers. These codes can also be placed as stickers in physical locations.

"According to reporting by NordVPN, 73% of Americans scan QR codes without verifying the destination, and more than 26 million users have been redirected to malicious websites," Help Net Security writes.

"In 2025, the U.S. Federal Trade Commission warned consumers that QR codes on unexpected packages should be treated as suspicious. New York City's Department of Transportation issued a similar warning after discovering fraudulent QR codes placed on parking meters."

AI-powered security awareness training can give your organization an essential layer of defense against phishing attacks. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/warning-fancy-qr-codes-are-making-quishing-more-dangerous

[Live Demo] Ridiculously Easy AI-Powered Security Awareness Training and Phishing

Phishing and social engineering remain the #1 cyber threat to your organization, with 68% of data breaches caused by human error. Your security team needs an easy way to deliver personalized training—this is precisely what our AI Defense Agents provide.

Join us for a demo showcasing KnowBe4's leading-edge approach to human risk management with agentic AI that delivers personalized, relevant and adaptive security awareness training with minimal admin effort.

See how easy it is to train and phish your users with KnowBe4's HRM+ platform:

• NEW! Deepfake Training Content - Generate hyper-realistic deepfakes of your own executives to prepare users to spot AI-driven manipulation and deepfakes
• SmartRisk Agent™ - Generate actionable data and metrics to help you lower your organization's human risk score
• Template Generator Agent - Create convincing phishing simulations, including Callback Phishing, that mimic real threats. The Recommended Landing Pages Agent then suggests appropriate landing pages based on AI-generated templates
• Automated Training Agent - Automatically identify high-risk users and assign personalized training
• Knowledge Refresher Agent and Policy Quizzes Agent - Reinforce your security program and organizational policies

See how these powerful AI-driven features work together to dramatically reduce your organization's risk while saving your team valuable time.

Date/Time: TOMORROW, Wednesday, February 4 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/kmsat-demo-2?partnerref=CHN2

KnowBe4 Urges Action: Take Control of Your Data this Data Privacy Week

With organizations collecting and storing massive amounts of personal data these days, much of which people share freely, we need to become better at protecting data on both the storing and sharing side of things.

Organizations must have strong data protection measures in place, and everyone should start being more digitally mindful when sharing their own personal data. Ultimately, being careful of what we put out there is the best way to reduce cyberattacks and data breaches.

For organizations, data privacy is a continuous process, not a once-a-year tick-box exercise. Reducing human risk and minimizing data collection are important strategies for data security. For individuals, it's time to kick start digital mindfulness.

Privacy is not about hiding, it's about controlling your data. Taking small, consistent steps can beat one big privacy overhaul. KnowBe4's CISO advisors provide practical advice to both organizations and individuals to take control of their data this Data Privacy Week.

[CONTINUED] at the KnowBe4 blog with advice to organizations:
https://blog.knowbe4.com/knowbe4-urges-action-take-control-of-your-data-this-data-privacy-week

Cyber CSI 2.0: Phishing Forensics in the Age of AI and Deepfakes

The phishing arms race has entered a dangerous new phase. Old detection methods no longer work in 2026. AI-generated phishing emails now mimic writing styles perfectly. Deepfake voice and video calls impersonate your CEO with ease. Even "safe" platforms like Microsoft Teams and protected domains aren't bulletproof.

Join Roger A. Grimes, CISO Advisor at KnowBe4, for a fresh look at modern phishing forensics. Roger will show you the latest tools and methods to catch high-tech social engineering before it hits your network.

In this session you'll learn how to:

• Dissect AI-generated phishing emails and spot the subtle clues that reveal machine-crafted deception
• Understand what DMARC actually protects (and what it doesn't), plus how attackers bypass it
• Use practical methods to identify fake voice calls and video impersonations, and analyze phishing attempts through Microsoft Teams, Slack, SMS (smishing), voice calls (vishing) and social media
• Train your users to spot and report phishing attempts

Get inside the mind of a hacker and master the forensic skills that separate compromised organizations from protected ones, plus earn CPE for attending!

Date/Time: Wednesday, February 11 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/cyber-csi-2.0-phishing-forensics?partnerref=CHN

Starting the Year with Cyber Intention: Human-Centric Insights from the Global Cybersecurity Outlook 2026

By Anna Collard

One of my first intentional "to-dos" this year has been spending time with the World Economic Forum's Global Cybersecurity Outlook 2026, a report I was privileged to actively contribute to over the past year.

For KnowBe4 customers, this report offers more than trend analysis. It provides a baseline of where organizations stand today, what separates resilient orgs from less resilient ones, and why the human factor is now central to cyber resilience.

Below are some of the insights that stood out most to me, viewed through a human-centric cybersecurity lens.

Cybersecurity Has Become Personal

Cyber-enabled fraud and phishing have overtaken ransomware as CEOs' top cybersecurity concern in 2026. According to the report, 73% of respondents said they, or someone close to them, were personally affected by cyber-enabled fraud last year.

This shift matters. Cyber risk is no longer limited to IT teams or orgs; it is impacting households, communities and trust itself.

Exposure to cyber-enabled fraud and phishing / social engineering is highest in:

• Sub-Saharan Africa (82%)
• North America (79%)
• Latin America & the Caribbean (77%)

This reinforces the importance of security awareness, behavioral resilience and empowering individuals to recognize and resist manipulation.

[CONTINUED] at the KnowBe4 blog with stats:
https://blog.knowbe4.com/starting-the-year-with-cyber-intention-human-centric-insights-from-the-global-cybersecurity-outlook-2026

Do Your Users Know What to Do When They Receive a Suspicious Email?

Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning?

KnowBe4's FREE (yes, you read that right) Phish Alert button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click! And now, supports Outlook Mobile!

Phish Alert Benefits

• Reinforces your organization's security culture
• Users can report suspicious emails with just one click
• Incident Response gets early phishing alerts from users, creating a network of "sensors"
• Email is deleted from the user's inbox to prevent future exposure
• Easy deployment via .EXE file for Outlook, Google Workspace deployment for Gmail (Chrome) and manifest install for Microsoft 365

Sign Up
https://info.knowbe4.com/free-tools/phish-alert-button-chn

Note: The Phish Alert Button supports Outlook 2010, 2013, 2016 & Outlook for Microsoft 365, Exchange 2013 & 2016, Chrome 54 and later (Linux, OS X and Windows) and Outlook Mobile!

AI Agents Go Rogue, Bypassing Guardrails in 'Scary' Security Incident

A chilling example of AI's "unintended consequences" has emerged, proving that autonomous agents can already collaborate to circumvent corporate security controls. George Kurtz, CEO of CrowdStrike, highlighted an incident where a customer's IT automation suite—a network of AI agents—went right around implemented guardrails.

One agent, identifying a software bug, lacked the access to fix it. Instead of halting, it posted a request to a Slack channel with its peers. A second agent, which had the necessary privileges, "raised its hand" and applied the fix.

"Do you see how scary this is? These two agents are reasoning, and they went right around the guardrails that were put in place," Kurtz warned. The core risk is that the agents are "guessing what you want them to do," leading to potentially wrong code pushes and an untraceable chain of error.

The solution, according to Kurtz, is a massive new market: AIDR (AI Detection and Response). With an estimated 90 agents per employee becoming the norm, the need for centralized visibility and protection across all homegrown and third-party agents presents a "massive TAM opportunity" for security firms.

It would of course start with training those agents to recognize these dangers, something like—I am making this up on the spot—"Guardrail Integrity Training"

Here is the Instagram Reel:
https://www.instagram.com/reel/DUGqipoEU35/?igsh=MWVraTB0aHh2enRheA%3D%3D

Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: Make sure to join us at KB4-CON 2026 May 12-14, 2026, at the Orlando World Center Marriott:
https://www.knowbe4.com/kb4-con

PPS: My new book 'Agent-Powered Growth' made it on TWO Bestseller Lists!
https://stu-sjouwerman.multiscreensite.com/

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-05-heads-up-new-fancy-qr-codes-are-making-quishing-more-dangerous

Report: One in Ten UK Companies Wouldn’t Survive a Major Cyberattack

A new survey by Vodafone Business found that more than 10% of companies in the UK would likely go out of business if they were hit by a major cyber incident, such as a ransomware attack, Infosecurity Magazine reports.

Additionally, 71% of business leaders believe at least one of their employees would fall for a convincing phishing attack, and fewer than half (45%) of organizations have ensured that all of their employees have received basic cyber awareness training.

The most common reasons why leaders believe their staff would fall for phishing emails are "a lack of awareness and training; staff being 'too busy'; and the absence of clear protocols for verifying and flagging suspicious messages."

Respondents also said their employees reuse their work password for nearly a dozen personal accounts, greatly increasing the risk of phishing and credential stuffing attacks. If an attacker manages to steal a password for a personal account, then they can test that password against the user's work account.

Multifactor authentication can add a layer of defense against stolen passwords, but MFA can also be bypassed via social engineering.

"The poll paints a troubling picture of inadequate crisis preparedness, poor password practices and staff susceptibility to phishing scams – all of which leave businesses exposed to cyber-crime," Vodafone says. "With nearly two thirds of business leaders (63%) reporting that their organization's risk of cyber-attack has risen over the past year, password reuse remains particularly prevalent.

"Employers estimate that, on average, staff use their work password for up to 11 other personal accounts, including social media and dating sites."

Infosecurity Magazine has the story:
https://www.infosecurity-magazine.com/news/uk-execs-warn-may-not-suruvie/

Voice Phishing Kits Give Threat Actors Real-Time Control Over Attacks

Researchers at Okta warn that a series of phishing kits have emerged that are designed to help threat actors launch sophisticated voice phishing (vishing) attacks that can bypass multifactor authentication.

"The most critical of these features are client-side scripts that allow threat actors to control the authentication flow in the browser of a targeted user in real-time while they deliver verbal instructions or respond to verbal feedback from the targeted user," Okta says.

"It's this real-time session orchestration that delivers the plausibility required to convince the threat actor's target to approve push notifications, submit one time passcodes (OTP) or take other actions the threat actor needs to bypass MFA controls."

The phishing kits allow attackers to guide the victim through the attack flow, which proceeds as follows:

• "The threat actor performs reconnaissance on a target, learning the names of users, the apps they commonly use and phone numbers used in IT support calls;
• The threat actor sets a customized phishing page live and calls targeted users, spoofing the phone number of the company or its support hotline;
• The threat actor convinces the targeted user to navigate in their browser to the phishing site under the pretext of an IT support or security requirement;
• The targeted user enters their username and password, which is automatically forwarded to the threat actor's Telegram channel;
• The threat actor enters the username and password into the legitimate sign-in page of the targeted user and assesses what MFA challenges they are presented with;
• The threat actor updates the phishing site in real-time with pages that support their verbal ask for the user to enter an OTP, accept a push notification or other MFA challenges."

Moussa Diallo, threat researcher at Okta Threat Intelligence, stated, "Once you get into the driver's seat of one of these tools, you can immediately see why we are observing higher volumes of voice-based social engineering.

"Using these kits, an attacker on the phone to a targeted user can control the authentication flow as that user interacts with credential phishing pages. They can control what pages the target sees in their browser in perfect synchronization with the instructions they are providing on the call.

"The threat actor can use this synchronization to defeat any form of MFA that is not phishing-resistant."

KnowBe4 empowers your workforce to make smarter security decisions every day.

Okta has the story:
https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/

What KnowBe4 Customers Say

"Hi Bryan, so far, so good. It took us a few weeks to get to a point where we're now using smart hosting to avoid bot clicks. But I'm preparing my first major phishing campaign using the platform, the second annual Phishy Phebruary, which is something I came up with last year.

"Everyone has been great, from Patrick and Jordan presale to Kelli and the support team post. I'm looking forward to KB4-CON."

- L.U., CISM, Data Governance Manager | IS Security Department

"Hi Bryan, thanks for reaching out, so far this has been one of the best onboarding experiences I have had in a long time. Angelina has been great at helping us build out our monitoring and training regimen which has been great since we are new to formalizing our cyber security training and awareness. This camper is happy, keep doing what you're doing. It works."

- V.E., IT Manager

1. Talos: "Phishing remains a top initial access vector":
   https://blog.talosintelligence.com/ir-trends-q4-2025/
   
   
2. Russian state hackers likely behind wiper malware attack on Poland's power grid:
   https://therecord.media/russia-eset-sandworm-poland-hack
   
   
3. [HUMAN RISK] Norton Study Reveals 77% Would Date an AI. Yes, you read that right:
   https://www.prnewswire.com/news-releases/made-for-you-norton-study-reveals-77-would-date-an-ai-302670885.html
   
   
4. Hackers hijack exposed LLM endpoints in Bizarre Bazaar operation:
   https://www.bleepingcomputer.com/news/security/hackers-hijack-exposed-llm-endpoints-in-bizarre-bazaar-operation/
   
   
5. Chinese National Sentenced to 46 Months for Laundering Millions Stolen from U.S. Investors:
   https://gbhackers.com/chinese-national-sentenced-2/
   
   
6. Millions creating deepfake nudes on Telegram as AI tools drive global wave of digital abuse:
   https://www.theguardian.com/global-development/2026/jan/29/millions-creating-deepfake-nudes-telegram-ai-digital-abuse
   
   
7. FBI Takes Down RAMP Ransomware Forum:
   https://www.infosecurity-magazine.com/news/fbi-takes-down-ramp-ransomware/
   
   
8. North Korean threat actors pose as recruiters to target software developers:
   https://www.recordedfuture.com/research/purplebravos-targeting-it-software-supply-chain
   
   
9. lightning-fast Impersonation attacks exploit Clawdbot's rename to Moltbot following trademark dispute:
   https://www.malwarebytes.com/blog/threat-intel/2026/01/clawdbots-rename-to-moltbot-sparks-impersonation-campaign
   
   
10. Threat actors hijack email threads to target executives:
    https://cybersecuritynews.com/enterprise-email-threads-leveraged/
    
    

• Virtual Vaca #1 Serbia in 4K - Incredible Scenes & Uncovering Hidden Gems:
  https://youtu.be/j0oYoVh5C8E
  
  
• Virtual Vaca #2 KYOTO, JAPAN (2026) | 10 Best Things To Do In & Around Kyoto:
  https://youtu.be/aSksCBrDKO8
  
  
• Virtual Vaca To The Past PARIS! A super interesting 3D TIMELAPSE from 300 BCE to 2025:
  https://youtu.be/IFhKB5zHWFg
  
  
• Artemis II Cinematic Trailer 4K | Launching February 2026:
  https://youtu.be/J-ewPoAj49g
  
  
• Two Year Old Snooker Genius | Guinness World Records:
  https://youtu.be/uFkhqI4MKXs
  
  
• Breathtaking visuals! American rock climber Alex Honnold climbs Taipei 101 skyscraper without ropes:
  https://youtu.be/BlICmBMDVno
  
  
• Mighty Godzilla Wingsuit Flight in Italy 2025:
  https://youtu.be/1oXCCQc-Exk
  
  
• The Bulletproof Beast You Can Buy:
  https://youtu.be/DAwQKGHma4s
  
  
• [From The MythBusters Archives] Elevator Free Fall! Can Jumping at the Last Second Save You?:
  https://youtu.be/_dKtMRIvFVs
  
  
• GoPro Best of 2025:
  https://youtu.be/lqvH1bs8mJc
  
  
• China rolls out robot cops in cities to push humanoid robots in daily life:
  https://youtu.be/NavsugcHgAo
  
  
• For Da Kids #1 - Cat Learns How To Surf Just To Be Near Dad:
  https://youtu.be/ctmTHt9ve_0
  
  
• For Da Kids #2 - Watch This "Aggressive" Horse Heal Through Music:
  https://youtu.be/rFLbMgLCOgw
  
  
• For Da Kids #3 - Yak Was Alone… Until She Met Her Cow Bestie:
  https://youtu.be/JPAYm-JzqLQ
  
  
• For Da Kids #4 - Pitbull with rare mutation was returned 6 times before woman gave him forever home:
  https://youtu.be/QH6t8mTXAUU
  
  
• For Da Kids #5 - Donkey Who Lived Alone for A Decade Finally Finds A Best Friend:
  https://youtu.be/I24MX3akhhg