Written by: Charlie Sander, January 3, 2025

Most people are familiar with phishing, which involves scammers sending targeted emails with malicious links to an unsuspecting individual. The average cost a data breach has been rising by 10% worldwide in recent years, and it now stands at $4.9 million in 2024 for one breach. Phishing, in particular, is the second most common attack vector with 15% of all breaches attributed to it.

Now, a newer type of scam is gaining traction, which is born out of phishing. “Quishing” is phishing using a QR code, and it is slipping through the defenses of companies and K-12 schools alike, making customers inadvertently give up their financial information. Some huge banks worldwide, such as HSBC and Santander, have joined forces with the U.S. Federal Trade Commission and National Cyber Security Centre to raise concerns about the rise of these attacks.

The issue is that these email scams often involve the QR code being attached to a PDF. Therefore, the PDF appears safe, and the QR codes can get through email security filters much more easily because the software analyzing emails might not scan images or attachments containing QR codes.

For education, which is among the most targeted market segments, quishing is on the rise.

Quishing in Schools: What is the Current Climate?

Schools pass around a lot of QR codes nowadays for a variety of reasons, but they are not always vetted in different ways. The ability to detect danger and respond appropriately is also often more challenging in a school environment, partly because email filters are not as rigorous as in companies with bigger budgets.

In September last year, there was a coordinated quishing attack at Washington University in St. Louis. Students and staff were targeted by QR codes that automatically redirected users to a fake version of the institution’s website. The notice on this spoof website then instructed students and staff to log in; otherwise, they would lose access to their accounts.

This type of attack is becoming relatively common across K-12 and higher education campuses and should represent a warning that QR codes are not completely safe.

The complicated factor here is that QR codes have become commonplace in our lives in the last few years, being used for so many purposes, from restaurant menus to tickets to feedback forms. As a society, we have become accustomed to sharing information with them and have developed an innate trust for them.

Most people are familiar with phishing, which involves scammers sending targeted emails with malicious links to an unsuspecting individual. The average cost a data breach has been rising by 10% worldwide in recent years, and it now stands at $4.9 million in 2024 for one breach. Phishing, in particular, is the second most common attack vector with 15% of all breaches attributed to it.

Now, a newer type of scam is gaining traction, which is born out of phishing. “Quishing” is phishing using a QR code, and it is slipping through the defenses of companies and K-12 schools alike, making customers inadvertently give up their financial information. Some huge banks worldwide, such as HSBC and Santander, have joined forces with the U.S. Federal Trade Commission and National Cyber Security Centre to raise concerns about the rise of these attacks.

The issue is that these email scams often involve the QR code being attached to a PDF. Therefore, the PDF appears safe, and the QR codes can get through email security filters much more easily because the software analyzing emails might not scan images or attachments containing QR codes.

For education, which is among the most targeted market segments, quishing is on the rise.

Quishing in Schools: What is the Current Climate?

Schools pass around a lot of QR codes nowadays for a variety of reasons, but they are not always vetted in different ways. The ability to detect danger and respond appropriately is also often more challenging in a school environment, partly because email filters are not as rigorous as in companies with bigger budgets.

In September last year, there was a coordinated quishing attack at Washington University in St. Louis. Students and staff were targeted by QR codes that automatically redirected users to a fake version of the institution’s website. The notice on this spoof website then instructed students and staff to log in; otherwise, they would lose access to their accounts.

This type of attack is becoming relatively common across K-12 and higher education campuses and should represent a warning that QR codes are not completely safe.

The complicated factor here is that QR codes have become commonplace in our lives in the last few years, being used for so many purposes, from restaurant menus to tickets to feedback forms. As a society, we have become accustomed to sharing information with them and have developed an innate trust for them.

A Strategy Schools Should Adopt to Fight Quishing

To deal with this developing threat, schools need to adopt a zero-trust cybersecurity approach, whereby all QR codes should be treated as a potential risk.

Awareness is the first proper line of defense in terms of initial steps. Students and staff need to be aware of the potential dangers instead of trusting all QR codes. In terms of spotting suspicious QR codes, it can be tricky because some hackers have cleverly started using big tech company multi-factor sign-in emails, such as from Microsoft or DocuSign, to trick users. Users should be made aware of classic fake QRs, such as those received via text message or social media through unverified numbers or accounts. Encouraging the use of a Secure QR Code Scanner app, at least for staff and perhaps older students, can be helpful as it will verify the embedded URL before a user opens it.

Schools can also use advanced email security systems that leverage the latest technologies in machine learning (ML) and computer vision to identify and neutralize malicious QR codes, even when attackers employ sophisticated obfuscation techniques. ML models can look into patterns in emails that detect hidden messages, while computer vision algorithms decode any content that might be harmful. It is not realistic for all schools to be able to adopt systems like this beyond multi-factor authentication, but they can significantly reduce vulnerabilities to quishing.

The QR Threat Not to Be Taken Lightly

Quishing represents a growing threat to schools that can’t be overlooked. With cybercriminals bypassing traditional and vulnerable systems and the education sector already facing so many attacks weekly, a coordinated effort must be made to stop quishing. A zero-trust approach with QR code scanners via a solid awareness campaign, as well as advanced email monitoring systems, can go a long way to mitigating the quishing threat.

Apart from the obvious immediate security risks, quishing can also disrupt learning environments, and remove trust between educators and students, which could end up diverting potentially very important resources away from initiatives toward cybersecurity recovery.

Overall, by taking action to halt quishing, schools can create a safer learning environment and thrive in the digital learning space.

Charlie Sander is CEO of ManagedMethods, a K-12 cybersecurity company. He has more than three decades of experience in the IT industry, including Seagate Technology and Confio Software.

NOTE: The views expressed by guest bloggers and contributors are those of the authors and do not necessarily represent the views of, and should not be attributed to, Campus Safety.

If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for the Campus Safety FREE digital newsletters!