Split QR code attacks are a new twist on quishing in which attackers divide a single QR code into two or more image segments that look harmless in isolation but form a scannable code when viewed together. For businesses leaning into QR codes in business for touchless workflows, event check-ins, and modern marketing strategies, this technique is especially dangerous: it exploits the very convenience that makes QR codes a popular digital transformation tool while bypassing common email and link defenses.
In practice, attackers embed separate image halves (or nested overlays) inside an email, PDF, or landing page. Automated scanners often analyze each image independently and see no complete code, but a smartphone camera stitches the visual together and resolves the malicious URL. As outlined in Barracuda’s threat spotlight on split and nested QR codes, some campaigns even layer a malicious code atop a benign one to confuse both users and detectors.
QR-based phishing sidesteps secure email gateways by shifting victims to mobile devices, where enterprise controls are often lighter and users are conditioned to scan codes on the go. Attackers then deliver brand-perfect credential harvesters, MFA-bypass flows, or multi-step redirects. Microsoft’s analysis of QR code phishing tactics highlights how adversaries manipulate QR design, color, and placement to obscure payloads—tactics that translate neatly to split QR campaigns aimed at busy executives and frontline staff.
Researchers and journalists have tracked credible sightings of fragmented QR codes in the wild, including coverage of mosaic-style and nested techniques. See IT Brew’s reporting on split QR code campaigns and Barracuda’s technical write-ups for patterns, tooling, and target profiles. Government warnings underscore the stakes: the FBI’s 2026 alert on malicious QR code spearphishing details how state-aligned actors are operationalizing QR lures to move users off protected endpoints and into controlled phishing sites.
Once a victim scans and authenticates, attackers can pivot to business email compromise, payment fraud, data exfiltration, and session hijacking. Marketing and customer teams face brand risks too: a tampered poster, invoice, or storefront QR can redirect customers to spoofed portals, eroding trust in modern marketing strategies that rely on code-based engagement. The bottom line is that fragmented QR tactics expand the attack surface created by otherwise legitimate digital transformation tools.
Blend people, process, and technology. On the technology side, prioritize email and document security that performs visual QR analysis (not just URL inspection), applies OCR and pixel-level detection, and sandboxes QR-resolved destinations. Extend protections to mobile through MDM, managed browsers, and DNS-layer filtering. From a controls standpoint, enforce phishing-resistant MFA, conditional access, and least-privilege for systems commonly targeted through quishing, such as identity portals and finance apps.
Create a QR handling standard: employees should verify unexpected codes through a second channel before scanning, and never authenticate or pay from a code received via unsolicited email or signage. Require marketing, facilities, and field teams to track every public-facing QR to a known URL, with versioning and takedown protocols. Add QR-specific reporting options to your phishing program and measure response time, block rates, and user-reported events to tune training.
Split QR code attacks succeed because they exploit trust and speed. Treat QR workflows as first-class assets: instrument them with the same rigor you apply to email and SSO, educate staff on fragmented and nested QR tricks, and validate every public code used in campaigns. By building QR-aware defenses and policies now, you’ll protect customers and employees, preserve brand equity, and keep QR codes in business as safe, effective components of your digital transformation tools and modern marketing strategies.
