QR codes have become more common in and beyond education. Teachers use these instead of printed handouts and many are regularly placed on fliers advertising university or school events. So it shouldn’t be a surprise that hackers have begun looking for ways to exploit QR codes.
One way they do this is by hanging fraudulent QR code links in real life or by including malicious QR codes in gifs or as part of fliers sent in emails. Since spam blockers have more trouble recognizing images, and because it's common for school announcements to include QR codes, this is a particular concern for education.
Over the past year, Microsoft Defender for Office 365 blocked more than 15,000 emails per day targeting the educator sector with malicious QR codes. Microsoft highlighted the threat of malicious QR codes in its latest cyber threat intelligence brief, Cyber Signals.
Jay James, the Security Operations Center (SOC) Director at Auburn University, and Corey Lee, Security Chief and Technology Officer at Microsoft, both share tips for ways in which classroom educators, administrators, and students can help limit the threat posed by malicious QR codes.
1. Avoiding Malicious QR Codes: Slow Down
Lee says one important step to avoiding unintentionally opening a malicious link through a QR code is just taking a moment to examine the source of the QR code.
“It sounds cliché, but really slowing down to speed up is one consideration,” he says, adding that he knows it's challenging with everything that is going on for educators during the day, but it’s important to remember. “We think most QR codes are scanned and clicked because things are just so fast-paced.”
2. Apply Lessons From Other Cybersecurity Training
Required cybersecurity training in many educational settings have taught us to recognize potential phishing attacks. James says these same lessons apply to potentially recognizing a malicious QR code.
After you’ve slowed down to assess the source of the QR code, start looking for the same warning signs that might make you suspicious of a link. You might ask yourself, “Is this something I’m supposed to receive?” James says. If the school president or principal doesn’t usually email you, maybe that’s your first sign something is suspect.
You should also ask, “Is this something that I'm getting from a sense of urgency?” James says, since a requirement that the user act quickly is often part of phishing attempts.
3. Report Things You’re Unsure About
As with standard phishing emails, when it comes to QR codes sometimes educators may be unsure of the source. Legitimate emails often seem strange and phishing attempts may look pretty good.
“If you are an educator, faculty, or staff, feel free to report things to your cybersecurity team or your technology team because they would love to hear about it even if it's a false-positive," James says. "We'd rather get more reports than less and clear up any questions that you may have."
4. Evolve Your Cybersecurity Training To Include QR Codes
Lee says some organizations have been using the same cybersecurity training for some time. These trainings need to evolve to focus on the latest threats and/or the latest vectors bad guys use to trick users, including malicious QR codes, which also will continue to evolve.
In addition to updating these trainings, Lee recommends institutions run phishing simulations and provide targeted training. The idea is to test your school community using similar tactics that a bad actor might use. “Then, based on how the user did, we're going to provide them targeted training,” Lee says.
5. Get Students Involved
Awareness training around the potential for malicious QR code use and other cybersecurity lessons should be extended to students as well, both Lee and James say. They also say students can help combat bad actors.
James employs students in his SOC. The students get real-world job experience of the type they might obtain in an internship and James is able to tap into a rich talent pool. He says getting students evolved was "a game changer."
He adds, “Don't underestimate the talent that they can bring to the table to help secure our organizations.”
