    Stay alert to ‘quishing’ and other threats during National Cybersecurity Awareness Month

    October marks National Cybersecurity Awareness Month, a nationwide effort to raise awareness about cyber threats and empower users to take action in safeguarding their information.

    This year’s theme, “Building a Cyber Strong America,” highlights how organizations and individuals across every level of society play a role in protecting critical infrastructure and data systems.

    Boise State takes that mission seriously. All students, faculty and staff play an important part in ensuring their personal data and the university’s systems are secure. One threat in particular that the Office of Information Technology asks members of the campus community to watch out for is QR code phishing, sometimes called “quishing.”

    The university has recently seen a marked rise in people falling for QR code phishing attempts.

    Phishing scams are a familiar danger: malicious actors attempt to trick users into clicking links, entering credentials or downloading malware.

    “Quishing” is a newer twist on that old trick; attackers embed malicious links or payloads in QR codes. When someone scans the codes with their phone, they may be redirected to fraudulent websites or prompted to give personal information. Attackers may harvest login credentials, request personal or financial data, or initiate malware installs.

    Because QR codes are visual and machine-readable rather than human-readable, they can slip past traditional email filters or security tools:

    • An attacker may insert a QR code directly into the body of an email or embed it inside a PDF document.
    • On a shared poster or sign, a fraudulent QR code might be placed over a legitimate one (or alongside it) to misdirect users.
    • Because most people expect QR codes to lead to useful content (especially after the explosion of QR codes as a result of the COVID pandemic), they may scan codes without the suspicion they would otherwise give to a questionable email link.

    Here are sensible, practical steps you can take to avoid quishing attempts:

    1. Pause before scanning. If a QR code is received from someone you do not fully trust, treat it with caution.
    2. Check for context and authenticity. What is the purpose of the QR code in the context of an email or web page? Does it align with expectations (e.g. an official university event, known department, or printed handout)?
    3. Preview the link, if possible. Some QR scanner apps and phone cameras show you the web address before visiting it; carefully inspect the address.
    4. Don’t enter credentials or sensitive data unless you’re certain. If a QR-linked page unexpectedly asks you to “log in” or “verify your account,” that’s a red flag.
    5. When in doubt, verify via alternative channels. If the QR code claims to be from the Office of Information Technology, a club, campus program, or a department, check the official website or contact them directly (not via the suspicious code).
    6. Keep devices up to date. Vulnerabilities on devices can magnify the harm of any attack.
    7. Report suspicious QR codes or messages. Don’t ignore them. Contact the Help Desk at helpdesk@boisestate.edu, call (208) 426-4357, or go to one of the Zone locations in the Interactive Learning Center or Student Union Building. Having a trusted support analyst look at the QR code helps protect the user and others.

    Cybersecurity isn’t just a technical challenge; it’s a shared culture. During Cybersecurity Awareness Month, think of one small step to take each week: review passwords, use multi-factor authentication if it’s available, or test the ability to spot a suspicious email or scam.

    Each time a member of our community behaves with care online, we make our university stronger and safer. Commit to being alert, curious and supportive of one another in this ongoing effort.

    Don’t hesitate to contact the Help Desk at (208) 426-4357 or email helpdesk@boisestate.edu for guidance on any suspicious links, QR codes or messages received.

     
