October marks National Cybersecurity Awareness Month, a nationwide effort to raise awareness about cyber threats and empower all of us to take action in safeguarding our information.
This year’s theme, “Building a Cyber Strong America,” highlights how organizations and individuals across every level of society play a role in protecting critical infrastructure and data systems.
At Boise State, we take that mission seriously. Our roles as students, faculty, and staff play an important part in keeping our systems and personal data secure. One threat in particular that we want you to watch out for is QR code phishing, sometimes called “quishing.”
What is “quishing,” and why should you care?
We have recently seen a marked rise in people falling for QR code phishing attempts.
Phishing scams are a familiar danger: malicious actors attempt to trick you into clicking links, entering credentials, or downloading malware.
“Quishing” is a newer twist on that old trick; attackers embed malicious links or payloads in QR codes. When you scan the codes with your phone, you may be redirected to fraudulent websites or prompted to give personal information. Attackers may harvest your login credentials, request personal or financial data, or initiate malware installs.
Because QR codes are visual and machine-readable rather than human-readable, they can slip past traditional email filters or security tools:
- An attacker may insert a QR code directly into the body of an email or embed it inside a PDF document.
- On a shared poster or sign, a fraudulent QR code might be placed over a legitimate one (or alongside it) to misdirect users.
- Because most people expect QR codes to lead to useful content (especially after the explosion of QR codes as a result of the COVID pandemic), they may scan codes without the suspicion they would otherwise bring to a questionable email link.
How to recognize and avoid quishing
Here are sensible, practical steps you can take to avoid quishing attempts:
- Pause before you scan. If you receive a QR code from someone you don’t fully trust, treat it with caution.
- Check for context and authenticity. What is the purpose of the QR code in the context of an email or web page? Does it align with what you expect (e.g. an official university event, known department, or printed handout)?
- Preview the link, if possible. Some QR scanner apps and phone cameras show you the web address before you visit it; carefully inspect the address.
- Don’t enter credentials or sensitive data unless you’re certain. If a QR-linked page asks you to “log in” or “verify your account” unexpectedly, that’s a red flag.
- When in doubt, verify via alternative channels. If the QR code claims to be from the Office of Information Technology, a club, campus program, or a department, check the official website or contact them directly (not via the suspicious code).
- Keep your device up to date. Vulnerabilities on your device can magnify the harm of any attack.
- Report suspicious QR codes or messages. Don’t ignore them. Contact the Help Desk at helpdesk@boisestate.edu, call (208) 426-4357, or go to one of our Zone locations in the Interactive Learning Center or Student Union Building. Having a trusted support analyst look at the QR code helps protect you and others.
Building strong cybersecurity habits together
Cybersecurity isn’t just a technical challenge; it’s a shared culture. During Cybersecurity Awareness Month, think of one small step you can take each week: review your passwords, use multi-factor authentication if it’s available, or test your ability to spot a suspicious email or scam.
Each time a member of our community behaves with care online, we make our university stronger and safer. Commit to being alert, curious, and supportive of one another in this ongoing effort.
If you ever have doubts about a link, QR code, or message you receive, don’t hesitate to contact the Help Desk at (208) 426-4357 or email helpdesk@boisestate.edu for guidance.