Using Google's new CAPTCHA puzzle for phishing

Published on 12 May 2026 12:00 AM

In late April 2026 Google released Cloud Fraud Defence: https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-fraud-defense-the-next-evolution-of-recaptcha/

The blog explains that today's anti-bot technology, such as those annoying and often confusing "prove you are a human" puzzles, is no longer good enough to protect websites and servers from the mass of AI agents that surf the web alongside us. It seems AI models are able, or soon may be able, to solve said puzzles just as well as humans:

Crazy Captcha

Google's new solution is... QR codes. "As we identify potentially fraudulent behavior from agents, we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop using the new QR code-based challenge."(sic)

Below is Google's own example of how the QR codes will look for users:

Google QR code example

Google's support page for the new product (https://support.google.com/recaptcha/answer/16609652) explains that humans will need to prove that they are human by scanning the QR code on a device that runs "Google Play Services version 25.41.30 or greater" or "iOS Version 15.0 or greater". Therefore, someday in the near future, folks without a current Google or Apple device could be denied access to websites, even whilst using a desktop. To my mind Google are without doubt using this new mechanism to increase their monopoly on the global internet whilst simultaneously snatching more of the smartphone market and, of course, not missing the opportunity to slurp more user metadata by presumably linking the devices involved (desktop and phone) together as part of your identity.

Other outlets, industry pros and bloggers have written about the ramifications of Google's changes (https://cybernews.com/privacy/google-qr-code-recaptcha-requires-approved-phone), but so far I haven't seen anyone address the possible security implications. Google are going to encourage, or rather force, people to scan QR codes that pop up on their screens?!

If these QR codes become a regular occurrence on the internet, people will become accustomed to seeing them and instantly scanning them to get on with whatever task was at hand. Ransomware gangs, malware-as-a-service operators and every other miscreant that sends phishing are going to absolutely love this tactic and thank Google for training the world how to fall for it. It's the perfect phishing redirect:

  1. Worldwide population becomes used to scanning Google QR codes when using the web.

  2. The bad guys notice and start sending phishing emails that pop up a GUI similar to the Google QR challenge.

  3. Enterprise IT users, having become used to scanning said QR codes, fall perfectly for the phishing. The best part being that the phish is opened on their phone, where most organisations have little to no security controls.

As an industry, QR code phishing isn't new to us, but Google training the whole world to trust and scan their QR code certainly is. Even your own IT department will need to encourage users to scan these things.

I used Claude to create an accurate clone of Google's QR code pop-up and have published it on GitHub as a simple reusable tool. Just edit the HTML to contain your landing page and the QR is generated for you! Code here: https://github.com/secprentice/GoogleFruadDefensePhish/tree/main. Can you tell which screenshot is from Google and which is a phish? (Granted, context will apply.)

Comparison of Google QR vs phishing QR

If Google go ahead with their QR code master plan, my silly little template might become a great red team trick for landing phish...

Header image from Weasyl: https://www.weasyl.com/~foxridley/submissions/2258308/please-verify-you-are-a-human