Cybercriminals are adapting QR code phishing campaigns by replacing image files with text-based versions designed to evade email security controls, according to new research from cybersecurity company Kaspersky.
The technique relies on constructing QR codes using text characters rather than traditional image formats, allowing phishing messages to pass through security systems that focus on scanning embedded graphics or identifying suspicious URLs.
The approach builds on an older technique. Before modern graphics became common, computer systems often rendered images using characters from the ASCII character set introduced in 1963. Although broader character libraries are now available, the practice of building visual content using text remains commonly associated with ASCII graphics.
Researchers noted that spam operators experimented with similar methods during the 2000s, when attackers created images from text symbols to avoid image analysis tools looking for hidden links or malicious content.
In the campaigns identified by Kaspersky, the delivery mechanism remains familiar. Recipients receive emails presented as messages from business contacts claiming to share confidential documents for signature through DocuSign. Instead of clicking a link, recipients are instructed to scan a QR code, which directs them to credential harvesting pages designed to collect corporate login information.
“We have previously seen phishers try to avoid link scanning by hiding URLs in images. Now they are attempting to evade image-based scanning by returning to text – this time to render a QR code. Any instance where a QR code prompts someone to enter corporate credentials on a mobile device should raise immediate suspicion. When the QR code is formed using textual ASCII art, it is almost certainly a phishing attempt or a lure to a malicious URL. This trick has only one purpose: bypassing security technologies,” comments Roman Dedenok, Anti-Spam Expert at Kaspersky.
The discovery follows a period of increasing QR phishing activity. Kaspersky reported detecting a fivefold increase in QR phishing attacks during the second half of 2025, suggesting that attackers continue modifying delivery methods as organisations improve email filtering capabilities.
Security teams face a growing challenge because QR code attacks often shift authentication flows away from managed corporate devices and into personal smartphones, reducing visibility into user behaviour and increasing reliance on employee awareness when identifying suspicious requests.
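Because the QR code in these messages is ordinary text, a mail filter can look for it in the message body rather than in attachments or images. The following is an added example, not code from Kaspersky or from the article: a heuristic that flags runs of lines made almost entirely of block-style glyphs. The glyph sets, thresholds and sample message are assumptions, since the article does not say which characters the campaigns use.

```python
# Added example: heuristic detector for QR codes drawn with text characters.
# Assumption: the glyph sets below; the article does not list the characters used.
DARK = set("\u2588\u2580\u2584\u258c\u2590#@")   # full/half blocks, ASCII fills
LIGHT = set(" \u00a0")                            # space, no-break space
GLYPHS = DARK | LIGHT
MIN_WIDTH = 21  # smallest QR symbol (version 1) is 21 x 21 modules
MIN_ROWS = 11   # 21 module rows packed two per text line with half blocks

def _is_grid_row(line):
    """True if the line is wide enough and at least 95% grid glyphs."""
    if len(line) < MIN_WIDTH:
        return False
    return sum(ch in GLYPHS for ch in line) / len(line) >= 0.95

def find_text_qr_blocks(body):
    """Return (first_line_index, rows, width) for each QR-like text block."""
    hits, run = [], []
    for i, line in enumerate(body.splitlines() + [""]):  # "" flushes last run
        if _is_grid_row(line):
            run.append((i, line))
            continue
        if len(run) >= MIN_ROWS:
            cells = "".join(text for _, text in run)
            density = sum(ch in DARK for ch in cells) / len(cells)
            # QR symbols mix dark and light; solid banners and rules do not.
            if 0.2 <= density <= 0.8:
                width = max(len(text) for _, text in run)
                hits.append((run[0][0], len(run), width))
        run = []
    return hits

# Constructed sample: a deterministic 12 x 25 pattern, not a scannable QR code.
_GRID = "\n".join(
    "".join("\u2588" if (r * (c + 1)) % 3 == 0 else " " for c in range(25))
    for r in range(12)
)
SAMPLE_BODY = "Hello,\nPlease scan to sign the document:\n" + _GRID + "\nRegards"

if __name__ == "__main__":
    for start, rows, width in find_text_qr_blocks(SAMPLE_BODY):
        print(f"QR-like text block at line {start}: {rows} rows x {width} cols")
```

Run it over the decoded plain-text part of a message, or over the HTML part after markup has been stripped, and treat a hit as one scoring signal alongside sender and content checks rather than a verdict on its own.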




