The link you trust might be the one that catches you

Last autumn, a customer emailed us a screenshot. She'd scanned a QR code at the gym, thought it was a rate-your-experience survey, and ended up on a page asking for her bank details. She didn't enter anything, but the interaction spooked her. 'My phone felt dirty after that,' she wrote. That email landed during Shield's beta phase, and we realised we'd built something that mattered but hadn't explained why.

Why a phishing scanner belongs in a security score app

For years, phishing was the cleaner cousin of cybercrime. Viruses made your device slow. Phishing made you give away the keys. We were building ARK to measure real security exposure across device permissions, network leaks, and breach history, so a gap was obvious: you could have perfect device hygiene and still land on a malicious link because you trusted the QR code on a poster or the shortened URL in a message.

The problem isn't stupidity. It's friction. A QR code takes two seconds to scan. A URL is already in your clipboard. Who has time to inspect the domain character by character? Most phones won't warn you until you've already triggered the load. By then, phishing pages are already harvesting form data, session tokens, or device information.

We built the phishing scanner into Shield specifically because it sits at the edge of user behaviour. You're about to tap something. You want to know what you're really about to tap.

How it actually works: the mechanics matter

The phishing scanner isn't a magic bullet. It checks the URL against a known phishing database, checks for domain spoofing patterns (common characters swapped out, lookalike TLDs), and flags pages designed to mimic login screens or payment flows. It works on QR codes by extracting the embedded URL and running it through the same checks.

This is where we had to make a choice: do we scan every link you ever see, or do we let you scan on demand? We chose demand. The reason is privacy. On-device scanning of every URL in real time is battery-hungry and creates local logging that feels invasive, even if the data never leaves your phone. Instead, you point the scanner at a QR code or paste a URL, and it runs the check then. One tap. Result in seconds.

The scanner flags three things: known phishing domains (matches against up-to-date threat intelligence feeds), domain spoofing (the URL is trying to look like something it isn't), and suspicious page patterns (the landing page is a login form or payment gateway you weren't expecting). If it's clean, you get a green light. If it's suspicious, the app shows you exactly what raised the flag and gives you a choice.
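To make the first two checks concrete, here is an added sketch (not Shield's own code) of an on-demand URL check that returns the reasons it raised a flag. The blocklist entry, the protected brand `examplebank` and the function names are constructed for illustration; the third check, page-pattern analysis, is not covered.

```python
from urllib.parse import urlsplit

# Constructed sample data; a real scanner would load both from threat-intel feeds.
BLOCKLIST = {"login-verify.example"}
PROTECTED = {"examplebank": "examplebank.com"}  # brand label -> legitimate domain
SWAPS = str.maketrans("0135", "oles")  # common digit-for-letter substitutions


def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scan_url(url):
    """Return the list of reasons a URL was flagged; an empty list means clean."""
    if not url.lower().startswith(("http://", "https://")):
        url = "//" + url  # pasted or QR-decoded text often lacks a scheme
    host = (urlsplit(url).hostname or "").rstrip(".")
    reasons = []
    if host in BLOCKLIST:
        reasons.append("known phishing domain")
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label (possible homoglyph domain)")
    for brand, legit in PROTECTED.items():
        if host == legit or host.endswith("." + legit):
            continue  # the genuine domain or one of its subdomains
        for label in labels:
            plain = label.translate(SWAPS)
            if label == brand:
                reasons.append(f"'{brand}' used outside {legit} (lookalike TLD or subdomain trick)")
            elif plain == brand:
                reasons.append(f"character swap: '{label}' imitates '{brand}'")
            elif edit_distance(plain, brand) == 1:
                reasons.append(f"near miss: '{label}' is one edit from '{brand}'")
    return reasons
```

Matching on labels rather than on a parsed registrable domain keeps the sketch short; a production check would split hosts with the Public Suffix List and use a full Unicode confusables table.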

The customer who prompted the design

That person at the gym stayed in touch. She told us later that she'd had a near-miss with a phishing site six months before, and it had made her paranoid about links. She'd been checking URLs manually on her laptop before clicking anything on her phone, which meant she wasn't clicking much at all. That's not security. That's just friction.

When we shipped the phishing scanner in Shield, she was one of our first testers. She reported back that the thing she liked most wasn't the detection itself, but the confidence. 'I scan now without thinking about it. The app tells me yes or no. I move on.' That's the design working.

The same logic applies to your security score itself. A 0 to 100 number doesn't mean much unless it's tied to action. The phishing scanner is the same. Detection isn't the goal. Confidence to tap a link is.

What it doesn't do, and why that matters

The phishing scanner doesn't prevent you from being phished if you ignore the warning. It doesn't catch brand new phishing domains that haven't been reported yet. It doesn't know if the link you're about to click is secretly logging your IP or fingerprinting your browser, because that's not phishing in the traditional sense; that's analytics.

We're explicit about those limits because false confidence is worse than no confidence. If we told you every URL you scan is 100 per cent safe, you'd stop thinking. Instead, the scanner raises the bar, catches the obvious stuff, and leaves you in control of the call. That's what Shield tier users pay for: not magic, but better odds and transparency about the gaps.

The shift from detection to daily habits

What surprised us during the Shield beta was that people didn't use the phishing scanner the way we expected. We thought it would be emergency response: someone sends you a dodgy link, you scan it, crisis averted. Instead, people were scanning every QR code. They were checking shortened URLs before clicking. They were building a habit.

That habit is the real point. Security isn't about the tools you have for emergencies. It's about the habits you build for Tuesday afternoon when you're distracted and someone hands you a flyer with a QR code on it. A tool that fits into that moment, that runs in two seconds, that gives you an answer, that's what changes behaviour. That's what belongs in a security score app.

The phishing scanner is a Shield feature, which means it lives alongside dark-web monitoring, password health audits, and Wi-Fi analysis. But it starts with a simple question: do you actually know where that link is about to take you? Have you thought about it before you tap?
