QR codes can be another phishing link

A new type of cyber-attack targeting small legal practices in Australia has emerged over the past few weeks. It is a variation of a standard phishing attack using a QR code rather than a link sent via email. 

Examples seen so far start with an email telling you that a software subscription is about to expire but you can renew it for free by scanning the code appearing in the email.

Other variants may not offer a free extension, but may state that you need to “secure” or “confirm” your account to keep using it.

Upon scanning the QR code, recipients land on a fraudulent page asking for log-in credentials and a multifactor code. Another variation does not even require you to supply credentials, but will download hostile software which quietly harvests your log in details later.1

With the provided access, available data is copied and a ransom demand sent. 

Remember: QR codes are simply links, and the same rules apply: don’t access them if they have been sent unprompted, and check the destination carefully. QR codes also allow phishing links to evade many email scanning systems which would otherwise detect them.


With the advent of AI tools such as Chat GPT, criminals can also rewrite and repackage attack emails very quickly. 

Keep in mind that the “renew software” attack this week may be a “redirect your Amazon package” attack next week. 

To protect against such threats, legal practitioners can take several steps: 

  1. Validate requests: Exercise caution with software renewal requests, particularly those involving QR codes or any other remotely supplied link. Contact your software provider or IT support directly to verify such requests.
  2. Educate staff: Conduct regular training to update your team about new cybersecurity threats and how to handle them. This includes all staff, not just solicitors.
  3. Basic hygiene: Phishing is so common it should be assumed attackers will breach the first security layer periodically. Basic steps such as regular software and web-browser updates, using anti-malware suites and multifactor authentication can add additional security layers over critical data. 
  4. Limit account access: Each network user account should only be able to access the information the owner needs to do their job. The more an account can access or do on the network, the greater the damage when control of that account is lost. 
  5. Enforce two-step verification: Although some of the examples cited would allow an attacker to penetrate a second-step verification, Multifactor Authentication remains one of the cheapest and best anti-phishing defences. (See the QLS Guide to Multifactor Authentication).  

For queries, contact David Bowles at the QLS Ethics & Practice Centre on 3842 5843. 

1 Anecdotally, variants of a similar attack have been undertaken by putting a sticker over the “order from the table” QR codes in cafes or restaurants, banks and government customer service centres. See here for an FBI warning:  

Share this article

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by keyword