{"id":36135,"date":"2026-05-21T07:05:14","date_gmt":"2026-05-21T05:05:14","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/ascii-qr-phishing\/36135\/"},"modified":"2026-05-21T07:05:28","modified_gmt":"2026-05-21T05:05:28","slug":"ascii-qr-phishing","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/ascii-qr-phishing\/36135\/","title":{"rendered":"A lost art finds its way into phishing emails"},"content":{"rendered":"

We\u2019ve written time and again about how QR codes are used in phishing schemes. Our secure email gateway <\/a> solution even includes technology<\/a> to read these codes \u2014 not just from emails, but also from attachments \u2014 and check the embedded links. Yet, attackers haven\u2019t given up on trying to send QR codes to their victims. Lately, we\u2019ve increasingly seen them use ASCII art for this purpose \u2014 images composed of characters. This seems particularly ironic considering that phishers once tried to evade link scanning by hiding links in images, and now they\u2019re trying to dodge image scanning by going back to text. But with a few twists.<\/p>\n

The lost art of ASCII, and how attackers use it<\/h2>\n

It\u2019s hard to believe today, but there was a time when computers couldn\u2019t display graphics. Consequently, the very first computer images were constructed from text characters. Following the adoption of the standard in 1963, characters from the ASCII<\/a> (American Standard Code for Information Interchange) set were used for this type of artwork to ensure that images looked the same across different computers. Over time, other text symbols (for example, from the extended Unicode set) began to be used to create images, but the name \u201cASCII graphics\u201d remained the term used to describe this art form as a whole. There were serious artists working in this medium, the earliest websites were designed with ASCII art, and even the first computer pornography was rendered with text characters.<\/p>\n

As image display technology evolved, ASCII art began to fall out of fashion. It saw a major resurgence in the 2000s during the heyday of email spam. Back then, spammers primarily used it because it allowed them to disguise blatant spam keywords that could trigger mail filters, while also placing less load on mail servers than images. Additionally, since many users paid for volume of internet traffic at the time, they often disabled image loading in their email clients. Naturally, at that time, we augmented our email security solutions with technology specifically designed to block ASCII art.<\/p>\n

Now, ASCII art has been rediscovered \u2014 this time by those looking to bypass technology that recognizes QR codes within images.<\/p>\n

What does ASCII art phishing look like?<\/h2>\n

Here\u2019s a recent example. The pretext itself is pretty run-of-the-mill: someone has supposedly sent to victim a confidential document via DocuSign, but to open it the recipient needs to scan the QR code in the email to visit a website and enter corporate login credentials.<\/p>\n

\"A<\/a>

A QR code rendered with unicode characters. We\u2019ve blurred out a portion of the code to prevent the malicious link from being scanned.<\/p><\/div>\n

Admittedly, the code looks weird. This is primarily because it\u2019s drawn piece-by-piece in pseudo-graphic elements, and even the gaps between the lines can be seen. In reality, there\u2019s no actual image in the e-mail message code; the QR code looks something like this behind the scenes:<\/p>\n

\"ASCII<\/a>

ASCII art inside the email code<\/p><\/div>\n

As a result, link scanners can\u2019t see the link, and image analysis tools can\u2019t find the URL hidden inside the QR code, so the attackers assume the phishing email is going to reach the victim just fine. Spoiler alert: no, we haven\u2019t forgotten how to block ASCII art.<\/p>\n

Is a QR code in an email even normal?<\/h2>\n

In theory, there are situations where using a QR code makes sense. It\u2019s a fairly convenient way to share contacts, a link to a mobile app, a map location, or a configuration. In other words, it works well whenever information needs to be delivered specifically to the recipient\u2019s mobile device.<\/p>\n

However, someone using a QR code to make you enter corporate credentials on a mobile device is an instant red flag. And when that QR code is generated with ASCII art, it\u2019s clearly a phishing attempt or an effort to lure you to a malicious URL. This trick can only have one purpose \u2014 an attempt to bypass security controls.<\/p>\n

How to stay safe?<\/h2>\n

To prevent phishing emails \u2014 whether containing ASCII art or not \u2014 from ever reaching employee inboxes, we recommend using a secure email gateway with advanced anti-phishing capabilities<\/a>. As an additional layer of defense, install security solutions<\/a> on all endpoints used to access the internet.<\/p>\n

Additionally, we recommend regular security awareness training<\/a> to educate employees on modern phishing tactics. Specifically, to explain that ASCII art in modern emails can be a telltale sign of an attempted phishing attack.<\/p>\n\n","protected":false},"excerpt":{"rendered":"

Phishers using ASCII art to mask QR-codes. <\/p>\n","protected":false},"author":2598,"featured_media":36139,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3020,3021],"tags":[19,76,1557],"class_list":{"0":"post-36135","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-email","11":"tag-phishing","12":"tag-qr-codes"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ascii-qr-phishing\/36135\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/ascii-qr-phishing\/30736\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ascii-qr-phishing\/25785\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ascii-qr-phishing\/30583\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ascii-qr-phishing\/55789\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ascii-qr-phishing\/36242\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/36135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=36135"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/36135\/revisions"}],"predecessor-version":[{"id":36138,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/36135\/revisions\/36138"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/36139"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=36135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=36135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=36135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}