Los crecientes riesgos en materia de ciberseguridad derivados del ataque por “quashing” y su impacto en las inversiones en seguridad empresarial

In 2025, a new breed of phishing attack-quishing-emerged as a formidable threat to enterprises. By embedding malicious QR codes into emails, attackers exploited human curiosity and technical vulnerabilities,

compared to 2023. These QR codes, often disguised as innocuous images or Unicode characters, bypassed traditional email filters and led users to phishing sites with alarming efficiency. that AI-enhanced quishing campaigns achieved click-through success rates exceeding 30% in some organizations, outperforming traditional phishing methods. The stakes are high: , including quishing, remains a staggering $4.88 million.

The 2025 Quishing Landscape: Case Studies and Consequences

The real-world impact of quishing became evident in 2025. For example,

linked to the Clop gang, which exploited a third-party vendor's misconfigured system, affecting 3.5 million individuals. Similarly, due to overprivileged API integrations with third-party platforms, exposing 4.4 million and 3.5 million records, respectively. These incidents underscore a critical vulnerability: enterprises are increasingly reliant on third-party systems, which attackers exploit to bypass perimeter defenses.

Quishing's success lies in its ability to weaponize human behavior. Unlike traditional phishing, which relies on URLs, QR codes bypass user skepticism by appearing as scannable images.

, crafting hyper-personalized messages that mimic trusted brands or internal communications. for AI-powered phishing campaigns compared to manual methods.

2026: The Strategic Shift to Identity and Mobile Security

Faced with these evolving threats, enterprises in 2026 are reallocating cybersecurity budgets to prioritize identity and mobile security.

, 40% of cybersecurity spending now targets software solutions, surpassing hardware and outsourcing combined. Identity and access management (IAM) has become a cornerstone of this strategy, of their cybersecurity budgets to IAM platforms. This shift reflects the growing recognition that identity is the new perimeter in a world where third-party integrations and remote work dominate.

Key Investments in 2026

1. Phishing-Resistant MFA: Traditional SMS-based MFA is no longer sufficient.
   Enterprises are adopting FIDO2/WebAuthn security keys
   and biometric authentication to combat MFA fatigue and relay attacks. These methods bind authentication to physical domains, reducing the risk of QR code phishing leading to credential theft.
2. AI-Driven Threat Detection:
   As attackers use AI to generate polymorphic payloads
   , defenders are deploying AI-based tools to analyze behavioral patterns, detect anomalies, and verify the legitimacy of QR codes in real-time.
3. Quantum-Ready Cryptography: With quantum computing threatening traditional encryption,
   Forrester predicts that 5%
   of IT security budgets will be allocated to post-quantum cryptography (PQC) by 2026. This ensures that identity systems remain secure against future threats.
4. Digital Identity Wallets (DIWs):
   Gartner forecasts that 500 million smartphone users
   will use DIWs by 2026, enabling verifiable claims without exposing sensitive data. These wallets, mandated by the EU and adopted globally, reduce reliance on static credentials and mitigate QR code phishing risks.

Vendor Adoption and Market Trends

The market for identity security solutions is consolidating around platforms that integrate mobile and identity-first strategies.

of unified SASE (Secure Access Service Edge) platforms, which combine identity, network security, and cloud access to reduce complexity. Meanwhile, of AI security platforms to defend against AI-native threats, advising CIOs to centralize controls for AI model inference layers.

Regional spending patterns also reveal strategic priorities.

expect cybersecurity budgets to increase by over 10% in 2026, driven by aggressive investments in cloud and identity security. North American enterprises, while more conservative, and reducing false positives through automation.

The Strategic Imperative for 2026

The rise of quishing has forced enterprises to adopt a proactive, identity-centric approach to security. As attackers leverage AI to automate and personalize attacks, defenders must invest in solutions that combine human expertise with machine learning. The 2026 cybersecurity landscape is defined by three imperatives:
1. Prevention: Deploying phishing-resistant MFA and AI-driven detection tools to block attacks at the point of entry.
2. Resilience: Building systems that can recover quickly from breaches, minimizing financial and reputational damage.
3. Future-Proofing: Adopting quantum-safe cryptography and digital identity wallets to stay ahead of emerging threats.

For investors, the shift toward identity and mobile security represents a significant opportunity. Companies like

and are expanding their AI security portfolios, while IAM platforms and SASE providers are seeing rapid adoption. As quishing and AI-powered attacks become the norm, enterprises that prioritize identity-first strategies will not only mitigate risks but also gain a competitive edge in an increasingly digital world.