This article was originally published in Campus Safety Magazine on 1/3/25 by Charlie Sander.
“Quishing” is phishing using a QR code, and it is slipping through the defenses of companies and K-12 schools alike
Most people are familiar with phishing, which involves scammers sending targeted emails with malicious links to an unsuspecting individual. The average cost a data breach has been rising by 10% worldwide in recent years, and it now stands at $4.9 million in 2024 for one breach. Phishing, in particular, is the second most common attack vector with 15% of all breaches attributed to it.
Now, a newer type of scam is gaining traction, which is born out of phishing. “Quishing” is phishing using a QR code, and it is slipping through the defenses of companies and K-12 schools alike, making customers inadvertently give up their financial information. Some huge banks worldwide, such as HSBC and Santander, have joined forces with the U.S. Federal Trade Commission and National Cyber Security Center to raise concerns about the rise of these attacks.
The issue is that these email scams often involve the QR code being attached to a PDF. Therefore, the PDF appears safe, and the QR codes can get through email security filters much more easily because the software analyzing emails might not scan images or attachments containing QR codes.
For education, which is among the most targeted market segments, quishing is on the rise.
Quishing in Schools: What is the Current Climate?
Schools pass around a lot of QR codes nowadays for a variety of reasons, but they are not always vetted in different ways. The ability to detect danger and respond appropriately is also often more challenging in a school environment, partly because email filters are not as rigorous as in companies with bigger budgets.
In September last year, there was a coordinated quishing attack at Washington University in St. Louis. Students and staff were targeted by QR codes that automatically redirected users to a fake version of the institution’s website. The notice on this spoof website then instructed students and staff to log in; otherwise, they would lose access to their accounts.
This type of attack is becoming relatively common across K-12 and higher education campuses and should represent a warning that QR codes are not completely safe.
The complicated factor here is that QR codes have become commonplace in our lives in the last few years, being used for so many purposes, from restaurant menus to tickets to feedback forms. As a society, we have become accustomed to sharing information with them and have developed an innate trust for them.
