The QR code problem nobody talks about, and how we're fixing it

Why QR codes became the new phishing weapon

The irony is sharp. QR codes were meant to be safe. No typing, no typos, no risk of misreading a URL. You just point your camera and go. But that safety is also what makes them dangerous.

A URL is visible before you tap it. You can read the domain, spot a typo (amaz0n.com instead of amazon.com), pause if something feels off. A QR code is a black square. You have no idea where it leads until after you've scanned it. And by then, if it's malicious, you're already compromised.

Over the past two years, phishing campaigns have shifted hard toward QR codes. They're in emails, text messages, on printed materials, even carved into restaurant tables alongside 'contactless menu' signs. Criminals love them because users trust them more than they trust typed URLs. And detection is harder. Traditional URL scanners don't help if the QR code itself is the attack vector.

We started seeing this pattern in support tickets. Users were asking: 'Is this QR safe to scan?' We didn't have an answer then. Now we do.

Building a scanner that works before the tap

The challenge wasn't technical so much as it was practical. We needed to let users scan a QR code safely, see where it goes, and decide whether to follow it, all without requiring them to complete the scan first.

Here's how it works: when you open the phishing scanner in ARK's Shield tier, you point your camera at a QR code or paste a URL directly. The app decodes the QR code (if that's what you're scanning) and extracts the underlying link. Then it sends that link through our phishing detection database to check against known malicious domains and phishing infrastructure.

The whole thing takes about two seconds. You see a result: green if the link is clean, red if it's flagged as phishing. The link itself is displayed in full so you can read it. No surprises. No blind trusts.

One thing we were careful about: this all happens on your device first, when possible. We're not uploading your scan history. We're not building a profile. The link gets checked against our database, but we don't log what you scanned or when. Privacy-first isn't a slogan here; it's how we built the product.

The difference between a URL and a QR that matters

A QR code can hide a lot. It can look like it's linking to your bank's website but actually route you to a lookalike domain. It can encode a URL shortener that chains through five redirects before landing you on a phishing page. It can use special characters and Unicode tricks that make the decoded URL look legitimate even when it isn't.

That's why the scanner doesn't just decode the QR. It actually follows the chain. If the QR points to a shortened URL, we resolve what that shortener really points to. If there are redirects, we trace them. You see the final destination, not the mask.

We tested it against a few hundred malicious QR codes that security researchers had captured from real phishing campaigns. The scanner caught them all. We also tested it against legitimate QR codes from restaurants, event ticketing, payment services. No false positives.

What surprised us most was how many people said they'd never have checked a URL, but they would check a QR code with this scanner. It lowered the friction enough that they actually paused before scanning.

Why this matters more than you might think

Phishing isn't new. But the vector has changed. Five years ago, the risk was mostly email links. Now it's everywhere. QR codes on train platforms. SMS messages. Instagram DMs. A café receipt. Your child's school newsletter with a 'parent survey' link encoded as a QR.

We've built ARK to give you a security score across the whole device. The phishing scanner is one piece of that. But it's a piece that matters right now, today, for most people. You don't need to understand stalkerware or DNS leaks to understand that a QR code could be dangerous. You just need a way to check before you tap.

The scanner sits in Shield tier (£2.99 a month or £29.99 a year), alongside dark-web monitoring, Wi-Fi analysis, password health checks, and breach detection. It's built for people who want to stay ahead of the current threat landscape, not just the obvious ones.

What happens after the scan

Let's say the scanner flags a link as phishing. What then? You don't just get a warning and a dead end. ARK shows you the flagged link, explains why it's risky, and gives you the option to report it if you think it's a false positive. We feed that back into our detection system.

If the link is clean, you see a green result and you can choose to follow it from there. Your choice, informed.

One thing we built in that I'm proud of: the scanner works with both URLs you paste directly and QR codes you photograph. If someone sends you a link via email or messaging app, you can paste it into ARK without leaving the app. If someone hands you a printed QR code, you can photograph it directly. It's the same protection either way.

Why we're still learning

Phishing techniques evolve monthly. A trick that works in August doesn't work in October because users have wised up. Our database gets updated constantly. But we also rely on customer reports and security researchers to catch new tactics before they scale.

That customer who emailed us last September ended up helping us test the scanner months before launch. She sent us examples of QR codes from phishing campaigns she'd encountered. Without her, we might have missed some of the encoding tricks that made malicious QR codes hard to detect.

That's the reality of mobile security. It's not a problem you solve once. It's a problem you solve with every update, every new tactic, every message from someone who spotted something we hadn't seen yet.