DefendDomain

Stop QR Phishing Before It Scans

QR codes are everywhere — menus, parking meters, events, marketing materials. Attackers swap legitimate codes with ones pointing to cloned sites on lookalike domains. Users scan, trust, and enter their credentials without a second thought.

DefendDomain detects the lookalike domains and cloned sites that malicious QR codes redirect to — catching the threat even when the physical code is beyond your control.

  • 587% increase in QR phishing attacks since 2023
  • 86% of smartphone users have scanned a QR code
  • 71% can't distinguish legitimate from malicious QR codes
  • $0 cost for an attacker to print a fake QR sticker

See How We Protect You

  • Real threats targeting your domain
  • Expert consultation, not a sales pitch
  • No obligation

QR phishing has surged 587% — and 71% of users can't distinguish a legitimate QR code from a malicious one. Once a fake sticker is placed over a real code, every person who scans it becomes a victim.

We detect the phishing destination before anyone scans.

DefendDomain monitors for the lookalike domains and cloned sites that malicious QR codes redirect to. Whether the fake code is on a restaurant table, a parking meter, or an event badge — we catch the infrastructure behind it.

Understanding the threat

What is QR Phishing (Quishing)?

QR phishing — also called quishing — is a cyber attack where adversaries create QR codes that link to malicious websites on lookalike domains. The attack bridges the physical and digital worlds: attackers place fake QR stickers over legitimate ones in public spaces, exploiting the fact that users cannot preview where a QR code will take them.

Physical QR Replacement

Attackers print sticker QR codes and place them over legitimate codes at restaurants, parking meters, EV chargers, and public transport. Victims unknowingly scan the fake code and land on a phishing page.

Requires physical site inspections to catch

Digital QR in Emails

Phishing emails embed QR codes instead of clickable links to bypass email gateway URL scanning. Users scan on their personal phones, outside corporate security controls.

Partially blocked by advanced email gateways

Where We Help

Lookalike Domain Destinations

Every malicious QR code needs a destination — and that's always a lookalike domain with a cloned site. Whether the QR is physical or digital, DefendDomain detects the phishing infrastructure it points to.

We detect the destination domain, cloned site, and SSL certificate

Real-World QR Phishing Threats We Detect

These are the attacks happening right now. DefendDomain catches the infrastructure behind each one.

Why Different Teams Choose DefendDomain

From the boardroom to the operations floor, every team has a different reason to monitor for QR phishing threats.

1

CISOs & Security Leaders

Close the QR phishing gap before it becomes a breach

QR attacks bypass every email and network control. DefendDomain detects the lookalike domains that malicious QR codes redirect to — extending your security perimeter into the physical world.

2

Marketing & Brand Teams

Protect customers who scan your branded QR codes

If your organisation uses QR codes in marketing, packaging, or events, attackers can overlay them with malicious versions. Monitor for domains impersonating your QR code destinations.

3

Physical Operations & Facilities

Detect when QR codes at your locations are compromised

Restaurants, retailers, transport operators, and event venues are prime targets. DefendDomain alerts you when lookalike domains appear that match your payment or information pages.

4

Risk & Compliance

Demonstrate proactive QR threat monitoring

As QR phishing triggers data protection obligations, continuous monitoring with full audit trails demonstrates regulatory compliance and proactive external threat management.


Why Your Current Controls Leave Gaps

QR phishing exploits the gap between physical and digital security. Here's what we hear most often — and why it matters.

"We verify our QR codes regularly"

Physical verification of QR codes is important but doesn't scale. A single restaurant may have 50+ QR codes across tables, menus, and receipts. An attacker needs just one unnoticed sticker. DefendDomain catches the lookalike domain the fake QR redirects to — regardless of where the physical code is placed.

Why physical checks alone fall short

"We use dynamic QR codes we can update"

Dynamic QR codes let you change the destination URL, but they can still be replaced with a sticker pointing to a different QR code entirely. The attacker isn't modifying your QR — they're replacing it with their own that points to a lookalike domain.

Why dynamic QR codes still leave gaps

"We have URL preview enabled in our app"

URL previews show users where a QR code leads, but most users don't check — they tap through immediately. And if the preview shows 'your-brand-pay.com' (a lookalike), it actually looks more legitimate, not less. Detection needs to happen at the domain infrastructure level.

Why URL previews aren’t enough

"Our payment processor handles security"

Payment processors secure the transaction flow, but QR phishing intercepts users before they reach your real payment page. The fake site harvests card details or credentials and never touches your legitimate processor. You need to catch the impersonating domain first.

Why processor security misses the threat

Four layers of protection

How DefendDomain Stops QR Phishing

Every malicious QR code redirects to a domain — a lookalike with an SSL certificate and a cloned page. We detect each component the moment it appears.

  • Layer 1: Domain Monitoring
  • Layer 2: Embedded Markers
  • Layer 3: Content Fingerprinting
  • Layer 4: Certificate Monitoring

Layer 1

Domain Monitoring

Proactively monitors for lookalike domains that could be used to impersonate your brand. Our AI generates thousands of domain variations including typos, homoglyphs, and keyword combinations, then continuously scans for registrations.

  • Detects typosquatting and phishing domains
  • Monitors domain registrations in real-time
  • AI-powered threat scoring and prioritization
  • Automated evidence collection for takedowns
4m+ scans a month
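The kind of check Layer 1 describes, sketched as an added example (not DefendDomain's code or algorithm): it classifies domains from a constructed feed as typo, homoglyph or keyword-combination lookalikes of a hypothetical brand `acmepay`, and additionally flags the same label under another TLD. The allowlist, keyword set, confusables table and edit-distance threshold are assumptions chosen for illustration.

```python
# Added example: classify observed domains against one protected brand.
# Brand, allowlist, keywords and the sample feed are constructed.
BRAND = "acmepay"                      # hypothetical brand label
LEGIT = {"acmepay.com"}                # hypothetical owned domains
KEYWORDS = {"pay", "login", "secure", "verify", "account"}
MAX_EDITS = 2                          # Levenshtein budget for "typo"
# Small confusables table (Latin digraphs, digits, Cyrillic a/e/o/p).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p"}

def skeleton(label):
    """Fold visually confusable sequences onto one canonical form."""
    s = label.lower()
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return a lookalike category, or None if the domain is not flagged.
    Assumes a Unicode (punycode already decoded) name with a one-label TLD."""
    domain = domain.lower().rstrip(".")
    if domain in LEGIT:
        return None
    label = domain.rsplit(".", 1)[0]
    skel, target = skeleton(label), skeleton(BRAND)
    if label == BRAND:
        return "tld-variant"
    if skel == target:
        return "homoglyph"
    if target in skel and skel.replace(target, "", 1).strip("-") in KEYWORDS:
        return "keyword"
    if levenshtein(skel, target) <= MAX_EDITS:
        return "typo"
    return None

SAMPLE_FEED = ["acmepay.com", "acrnepay.com", "\u0430cmepay.com",
               "acmepay-login.com", "secure-acmepay.net", "acmepya.com",
               "acmepay.net", "weather-report.org"]   # constructed

def triage(feed):
    """Map each flagged domain in the feed to its category."""
    return {d: c for d in feed if (c := classify(d))}
```

Registration and certificate feeds usually carry internationalised names in `xn--` form, so decode them to Unicode before the homoglyph check or the Cyrillic cases will not match.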

See it in action

When We Detect a Threat, You Get Everything

Not just an alert — a full evidence package with screenshots, WHOIS data, DNS records, risk scores, and a clear workflow to resolve it.

Unified Threat Dashboard

All four protection layers feed into a single dashboard. Intelligent deduplication prevents alert fatigue, while threat lifecycle management tracks every incident from detection to resolution with a full audit trail.

One Pane of Glass

Filter by detection type, severity, and status across all four layers

Intelligent Deduplication

Prevents repeated alerts with exponential backoff and smart grouping

Rich Evidence

Screenshots, WHOIS, DNS records, hosting info, and risk scoring — automatically compiled

Full Lifecycle Tracking

Six statuses from detection to resolution, with notes and a complete audit trail


Fits Into Your Existing Workflow

Alerts arrive wherever your team works. No new dashboard to monitor — threats flow directly into your existing tools.

  • Email
  • Slack
  • Teams
  • Webhooks
  • SMS
  • Splunk HEC
  • Sentinel
  • Wazuh

RBAC & Team Collaboration

Role-based access control with System Admin, Threat Manager, and Security Observer roles.

Compliance Reports

ISO-ready reports, Certificate of Protection PDFs, and complete audit trails for regulators.

RESTful API

Programmatic access for custom integrations, automation, and extending your security workflows.

Industry Recognition

Our approach to proactive domain security has been recognized by leading industry bodies and cybersecurity experts.

Frequently Asked Questions

Common questions from security and operations leaders evaluating QR phishing protection.

See DefendDomain in Action

Request a personalised demo and we'll show you how QR phishing attacks target brands like yours. See how we detect the lookalike domains behind malicious QR codes before your customers are affected.

See real lookalike domains used in QR phishing
Walk through our four-layer detection system
Review integration with your security tools
Get a free QR phishing threat assessment

Speak with our team

We'll walk you through the platform and answer any questions about protecting your organisation.

Request Your Free Demo
