Quishing, Data-First Ransomware, and AI-Driven Scams: The Threats Defining September 2025

Cyber adversaries are changing tactics faster than ever, and September is already showing clear patterns worth tracking. From QR code phishing (“quishing”) campaigns to data-only ransomware extortion and the rise of AI-assisted social engineering, defenders need to update playbooks now. Here’s what’s trending this month — and what your security team should do about it.
1. Quishing Surges in Back-to-School Season
Attackers are embedding malicious QR codes in emails, package slips, and even printed flyers. These codes lead victims to credential-harvesting sites, often designed to mimic corporate login pages. The trick works because scanning a code on a mobile device bypasses traditional email link scanners, and employees are more trusting when scanning on the go.
Defender moves:
- Flag or banner external emails containing QR codes.
- Enforce phishing-resistant MFA such as FIDO2 or passkeys.
- Train employees to slow down before scanning, especially if a login is involved.
2. Ransomware Without Encryption
A growing number of ransomware groups have dropped encryption entirely. Instead, they quietly steal sensitive data and threaten to leak it unless paid. This data-first approach lowers their operational risk while increasing pressure on victims.
Defender moves:
- Monitor for abnormal cloud storage usage or bulk data transfers.
- Restrict access to management interfaces and enforce egress controls.
- Run tabletop exercises for data-only extortion scenarios — including legal, PR, and executive decision-making.
3. AI-Assisted Impersonation Scams
From cloned executive voices to near-perfect vendor impersonation emails, attackers are leveraging generative AI to elevate traditional scams. Finance and procurement departments are prime targets, with urgent requests for wire transfers or last-minute vendor bank changes.
Defender moves:
- Require callback verification on vendor banking changes.
- Build dual-approval into high-value payment workflows.
- Train staff to spot urgency and secrecy cues in communication.
Detection & Patch Priorities
- September Patch Tuesday: Apply Microsoft RCE and exploited-in-the-wild fixes first.
- Apple/Android: Fast-track WebKit, kernel, and baseband patches.
- Enterprise Infrastructure (VMware, Citrix, F5, Juniper): Treat authentication bypasses as emergencies — restrict management planes to VPN/admin networks.
- Detections to deploy now: Hunt for QR images in email attachments, sudden outbound uploads to cloud storage, and unverified OAuth apps requesting broad access.
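The "sudden outbound uploads to cloud storage" hunt above, which also covers the bulk-transfer monitoring from section 2, sketched as an added example (not code from the original post): it baselines each user's daily upload volume and flags large deviations. The log format, host suffixes, thresholds and sample rows are assumptions constructed for illustration.

```python
import csv, io, statistics
from collections import defaultdict

# Assumption: host suffixes your proxy categorises as cloud storage (placeholders).
CLOUD_STORAGE_SUFFIXES = (".example-cloud.test", ".example-drive.test")

def constructed_log():
    """Constructed sample rows: date,user,dest_host,bytes_out (not real data)."""
    rows = ["date,user,dest_host,bytes_out"]
    for d in range(1, 6):  # five baseline days
        rows.append(f"2025-09-0{d},alice,files.example-cloud.test,{40_000_000 + d * 1_000_000}")
        rows.append(f"2025-09-0{d},bob,backup.example-drive.test,{1_200_000_000 + d * 10_000_000}")
    rows += [
        "2025-09-08,alice,files.example-cloud.test,1500000000",
        "2025-09-08,alice,files.example-cloud.test,1500000000",
        "2025-09-08,bob,backup.example-drive.test,1300000000",
        "2025-09-08,carol,files.example-cloud.test,900000000",
        "2025-09-08,dave,intranet.example.test,2000000000",
    ]
    return "\n".join(rows)

SAMPLE_LOG = constructed_log()

def daily_uploads(log_text):
    """Sum bytes uploaded to cloud-storage hosts per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dest_host"].lower().endswith(CLOUD_STORAGE_SUFFIXES):
            totals[row["user"]][row["date"]] += int(row["bytes_out"])
    return totals

def flag_upload_spikes(log_text, day, min_history=5, k=6.0, floor=500_000_000):
    """Return (user, bytes, reason) for uploads on `day` far above the user's own baseline."""
    alerts = []
    for user, per_day in daily_uploads(log_text).items():
        today = per_day.get(day, 0)
        if today < floor:
            continue  # below the absolute floor: too small to matter
        history = [v for d, v in per_day.items() if d < day]  # ISO dates sort as text
        if len(history) < min_history:
            alerts.append((user, today, "no-baseline"))  # heavy upload, no history
            continue
        med = statistics.median(history)
        mad = statistics.median(abs(v - med) for v in history)
        spread = max(mad, 0.1 * med, 1)  # avoid a zero-width baseline
        if today > med + k * spread:
            alerts.append((user, today, "spike"))
    return sorted(alerts)

if __name__ == "__main__":
    print(flag_upload_spikes(SAMPLE_LOG, "2025-09-08"))
```

The median-plus-MAD baseline keeps a user with routinely large uploads (the constructed `bob` backup job) from alerting, while a first-time heavy uploader is surfaced separately for review.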
Awareness Sprint: 30-Minute Quishing Drill
Want to build resilience quickly? Run a short awareness campaign this week:
- Send a one-page explainer on QR-based phishing.
- Ask employees to forward any suspicious email for validation.
- Demonstrate mobile URL expansion and passkey logins.
- Reinforce your “Report → Review → Remediate” process.
Why It Matters
Attackers are innovating — not just with malware, but with psychology and delivery techniques. September shows that speed, simplicity, and stealth are the new priorities for threat actors. Quishing bypasses scanners, data-first extortion minimizes noise, and AI clones weaponize trust.
Security teams that combine technical detection with rapid awareness campaigns will be best positioned to blunt these evolving threats.
✉️ Stay updated: Subscribe to ThreatGrid on Substack for monthly threat intelligence, ready-to-use detections, and awareness toolkits.