May 01 2025
Security

The Growing Quishing Security Threat

Is your district at risk of a QR code-based security compromise?

Cyberthreats impacted 82% of K–12 schools in the past year and a half, with a high rate of attacks targeting human behavior among the reported approaches. In particular, phishing scams continue to threaten school cybersecurity, as noted in a Consortium for School Networking report. In addition to using deceptive links in emails, attackers are now trying to use QR codes to obtain personal credentials and other information.

Data from Microsoft Defender for Office 365 found that more than 15,000 messages containing malicious QR codes are sent to the educational sector daily.

“Legitimate vendors use QR codes to save time,” Roger Grimes, a data-driven defense evangelist at KnowBe4, said in a recent webinar. “It’s easier for someone to scan a QR code to go to a particular URL. Attackers are using them for same reasons.”

Click the banner below to begin making your schools more cyber resilient.

 

What Are QR Codes?

Quick-response codes were created by a Japanese automotive company employee in 1994 in response to the data storage limitations UPC barcodes posed.

QR codes feature structural elements, such as three larger squares, which help ensure the code will be recognized when scanned. Additional information is encoded in a series of black-and-white marks.

Unlike UPC codes, which need to be scanned in a particular direction by a special device, QR codes can be read from various distances and angles with high-resolution cell phone cameras.

What Is Quishing?

Much like phishing, in quishing scams, bad actors try to obtain and exploit data. A school staff member might receive a QR code in an email attachment with instructions to scan it, a potentially less conspicuous method of leading the employee a website that asks for their login information.

DIVE DEEPER: Are passkeys right for your K–12 schools?

Using a QR code to obscure a URL is the most frequent type of quishing attack, according to Grimes.

“It’s a really common way for an attacker to avoid content filtering,” he said. “They’re trying to confuse the user and the anti-malware content filters.”

To make things look more official, attackers may insert a real organization’s name in the website address that a fraudulent QR code links to. In 51% of attacks involving QR code-embedded PDFs, cybercriminals impersonated Microsoft, according to a Barracuda analysis. They pretended to be DocuSign and Adobe in 31% and 15% of attacks, respectively.

“We always tell people, stop and look before you click on any URL,” Grimes advised during the webinar. “If you scan [a QR code], you should still be able to see the URL, but — especially with longer URLs — you’re not going to be able to see it as easily, so it’s harder for the end user to evaluate.”

How To Prevent Quishing Attacks

Schools may eventually be able to use self-authenticating, dual-modulated QR codes that two University of Rochester researchers recently developed, which contain an elliptical dot design instead of the standard cube-based QR-code data pattern.

A digital signature within each SDMQR code authenticates its content, says Gaurav Sharma, a professor at the University of Rochester.

These codes open the door to numerous K–12 use cases. State education departments could issue SDMQR codes to offer access to student records or other protected data, for instance.

They’d need to first outfit users’ smartphones and tablets with the required public cryptographic keys so SDMQR codes’ signatures could be validated, Sharma says, or a device provider would have to supply the underlying cryptography infrastructure.

Gaurav Sharma
While SDMQR codes can beat quishing with their self-authentication capability, for the self-authentication to work, the application reading the codes does require the infrastructure.”

Gaurav Sharma Professor, University of Rochester

“While SDMQR codes can beat quishing with their self-authentication capability, for the self-authentication to work, the application reading the codes does require the infrastructure,” he says. “If you’re using your smartphone, we really need the people who control the camera, or an organization like the state Department of Education, to step up and provide it.”

Until that occurs, applications such as Microsoft Defender for Office 365 and KnowBe4’s Egress Defend can help admins investigate and address possible QR code-related issues. Tools such as Yubico’s YubiKey physical security token could enhance schools’ multifactor authentication protection, according to Grimes.

Educating users, however, is the No. 1 way to defend against quishing.

“You should absolutely be performing simulated QR code phishing,” Grimes said. “And if [employees] fail, they get more training and tests until they get better at it. We know this works.”

UP NEXT: Incident response strategies save schools from headaches.

da-kuk/Getty Images
Close

New AI Research From CDW

See how IT leaders are tackling AI opportunities and challenges.