What Are QR Codes?
Quick-response codes were created by a Japanese automotive company employee in 1994 in response to the data storage limitations UPC barcodes posed.
QR codes feature structural elements, such as three larger squares, which help ensure the code will be recognized when scanned. Additional information is encoded in a series of black-and-white marks.
Unlike UPC codes, which need to be scanned in a particular direction by a special device, QR codes can be read from various distances and angles with high-resolution cell phone cameras.
What Is Quishing?
Much like in phishing, bad actors in quishing scams try to obtain and exploit data. A school staff member might receive a QR code in an email attachment with instructions to scan it, a potentially less conspicuous method of leading the employee to a website that asks for their login information.
Using a QR code to obscure a URL is the most frequent type of quishing attack, according to Grimes.
“It’s a really common way for an attacker to avoid content filtering,” he said. “They’re trying to confuse the user and the anti-malware content filters.”
To make things look more official, attackers may insert a real organization’s name in the website address that a fraudulent QR code links to. In 51% of attacks involving QR code-embedded PDFs, cybercriminals impersonated Microsoft, according to a Barracuda analysis. They pretended to be DocuSign and Adobe in 31% and 15% of attacks, respectively.
“We always tell people, stop and look before you click on any URL,” Grimes advised during the webinar. “If you scan [a QR code], you should still be able to see the URL, but — especially with longer URLs — you’re not going to be able to see it as easily, so it’s harder for the end user to evaluate.”
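As an added illustration (not code from the article or from Barracuda's analysis), the check below reviews a URL decoded from a QR code and flags it when it names one of the impersonated brands mentioned above but its host is not one of that brand's domains. The allowlist is an assumed, non-exhaustive sample, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumed, non-exhaustive allowlist: brand keyword -> domains treated as legitimate.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "adobe": {"adobe.com"},
}


def host_in(host, domains):
    """True if host equals an allowed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def review_qr_url(url):
    """Return a list of findings for a URL decoded from a QR code."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme: {parts.scheme or 'none'}")
    # Text before '@' is userinfo, not the host the browser connects to.
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host (possible look-alike characters)")
    # A brand name anywhere in the URL is only acceptable on the brand's own host.
    text = (parts.netloc + parts.path + "?" + parts.query).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text and not host_in(host, domains):
            findings.append(f"mentions '{brand}' but host is {host or 'missing'}")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs using reserved example domains.
    samples = [
        "https://login.microsoftonline.com/common/oauth2",
        "https://microsoft.com.account-verify.example/login",
        "https://www.docusign.net@files.example/sign",
        "https://files.example/adobe/shared.pdf?id=1",
    ]
    for url in samples:
        print(url, "->", review_qr_url(url) or "no findings")
```

An empty result means only that none of these specific patterns matched, not that the destination is trustworthy.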
How To Prevent Quishing Attacks
Schools may eventually be able to use self-authenticating, dual-modulated QR (SDMQR) codes, recently developed by two University of Rochester researchers, which contain an elliptical dot design instead of the standard cube-based QR-code data pattern.
A digital signature within each SDMQR code authenticates its content, says Gaurav Sharma, a professor at the University of Rochester.
These codes open the door to numerous K–12 use cases. State education departments could issue SDMQR codes to offer access to student records or other protected data, for instance.
They’d need to first outfit users’ smartphones and tablets with the required public cryptographic keys so SDMQR codes’ signatures could be validated, Sharma says, or a device provider would have to supply the underlying cryptography infrastructure.