QR codes have become more common in and outside of education. Teachers use them in place of printed brochures, and many of them are regularly placed in brochures advertising college or school events. So it should come as no surprise that hackers have started looking for ways to exploit QR codes.
One way to do this is by posting fraudulent QR code links in real life or including malicious QR codes in gifs or as part of emailed brochures. Given that spam blockers have more trouble recognizing images and that it is common for school advertisements to include QR codes, this is a particular concern for education.
Over the past year, Microsoft Defender for Office 365 blocked more than 15,000 emails per day targeting education with malicious QR codes. Microsoft highlighted the threat of malicious QR codes in its latest cyber threat intelligence report. Cyber signals.
Jay James, director of the Security Operations Center (SOC) at Auburn University, and Corey Lee, chief security officer and chief technology officer at Microsoft, share tips on how educators, administrators, and students can help limit the threat that represent malicious QR codes. codes.
1. Avoid malicious QR codes: reduce speed
Lee says an important step to avoid unintentionally opening a malicious link through a QR code is to simply take a moment to examine the source of the QR code.
“It sounds cliché, but one consideration is slowing down to speed up,” he says, adding that he knows it's a challenge with everything going on for educators during the day, but it's important to remember. “We think most QR codes are scanned and clicked because things move so fast.”
2. Apply lessons from other cybersecurity training
The necessary cybersecurity training in many educational environments has taught us to recognize potential phishing attacks. James says these same lessons apply to the potential recognition of a malicious QR code.
After you've slowed down to evaluate the source of the QR code, start looking for the same warning signs that might make you suspicious of a link. You may be wondering, “Is this something I'm supposed to receive?” James says. If the president or principal of the school doesn't usually email you, that may be the first sign that something is suspicious.
You should also ask, “Is this something I receive out of a sense of urgency?” James says, as the requirement for the user to act quickly is often part of phishing attempts.
3. Report things you are not sure about
As with standard phishing emails, when it comes to QR codes, sometimes educators may not be sure of the source. Legitimate emails often look strange and phishing attempts can look pretty good.
“If you're an educator, teacher, or staff, don't hesitate to report things to your cybersecurity team or your technology team because they would love to know even if it's a false positive,” James says. “We would prefer to receive more reports than less and clarify any questions you may have.”
4. Develop your cybersecurity training to include QR codes
Lee says some organizations have been using the same cybersecurity training for some time. These trainings must evolve to focus on the latest threats and/or vectors that criminals use to trick users, including malicious QR codes, which will also continue to evolve.
In addition to updating these trainings, Lee recommends that institutions conduct phishing simulations and provide specific training. The idea is to test your school community using tactics similar to what a bad actor might use. “Then, based on how the user did, we'll provide specific training,” Lee says.
5. Engage students
Both Lee and James say training on the potential for using malicious QR codes and other cybersecurity lessons should also be extended to students. They also say students can help combat bad actors.
James employs students in his SOC. Students gain real-world work experience of the kind they might get in an internship, and James is able to tap into a rich talent pool. He says getting the students to evolve was “a turning point.”
And he adds: “Do not underestimate the talent you can bring to help protect our organizations.”