PHISHING
Risk Level: 9/10

Sophisticated QR code phishing (quishing) attack using fake HR compensation notice to bypass traditional link scanning.

HIGH Confidence
Quishing (QR Code Phishing)

Email Details

From: user@company.com (anonymized)
Subject: HR Notice: 2026 Compensation Adjustment Assessment for Rth mechanical contractors inc
Date: January 15, 2026

Key Findings

  • QR code directing to malicious domain fleetopticsinc.cyou with VirusTotal detection of 6 malicious and 5 suspicious flags (risk score 55/100)

  • Complete authentication failure with SPF permerror, no DKIM, and no DMARC protection indicating potential email spoofing

  • Suspicious sender domain mismatch between From address (rthmechanical.com) and authentication domain (rthmechanicalcontractors.com)

Detailed Analysis

This email exhibits multiple high-risk indicators consistent with a QR code phishing (quishing) attack. The primary threat vector is a QR code embedded in the email that directs recipients to fleetopticsinc.cyou, a domain flagged by 6 security vendors as malicious and 5 as suspicious. This represents a sophisticated attempt to bypass traditional link scanning by using QR codes, which are harder for security systems to analyze automatically.

The email's authentication status raises significant red flags: SPF returns a "permerror" status, and DKIM and DMARC validation are completely absent. This authentication failure, combined with a domain mismatch between the From address (rthmechanical.com) and the authenticating domain (rthmechanicalcontractors.com), strongly suggests email spoofing.
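The same authentication checks can be automated during triage. The following is an added example, not code from this report or from the product that produced it: the sample headers are constructed from the findings above, `mx.example.net` is a placeholder, and it assumes the "authenticating domain" is the `smtp.mailfrom` value recorded in `Authentication-Results`.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the findings above; not the original message.
SAMPLE = """\
From: HR <user@rthmechanical.com>
Subject: HR Notice: 2026 Compensation Adjustment Assessment
Authentication-Results: mx.example.net;
 spf=permerror smtp.mailfrom=bounce@rthmechanicalcontractors.com;
 dkim=none; dmarc=none

Scan the QR code to review your adjustment.
"""

def aligned(a, b):
    # Simplified alignment: same domain, or one is a subdomain of the other.
    # A full check compares organizational domains via the Public Suffix List.
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def auth_findings(raw):
    """Return a list of authentication red flags for one raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Only trust Authentication-Results stamped by your own receiving MX.
    ar = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results") or []))
    results = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar, re.I):
        results[method.lower()] = result.lower()
    # Anything other than an explicit pass is reported.
    findings = [f"{m}={r}" for m, r in results.items() if r != "pass"]
    env = re.search(r"smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", ar, re.I)
    env_domain = env.group(1).lower() if env else ""
    if env_domain and not aligned(from_domain, env_domain):
        findings.append(f"domain mismatch: From={from_domain} mailfrom={env_domain}")
    return findings

if __name__ == "__main__":
    for finding in auth_findings(SAMPLE):
        print(finding)
```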

The social engineering approach uses a legitimate-seeming HR compensation notice to create urgency and trust, encouraging recipients to scan the QR code. This technique is particularly effective because the message appears to come from the recipient's own company and addresses a topic employees would naturally be interested in: compensation adjustments for 2026.

Why QR Code Phishing Works

QR codes bypass traditional email security because the malicious URL is encoded in an image. Users scan with their phones, which often have weaker security than corporate networks. By the time the link opens, the user has bypassed multiple security layers.

Recommended Actions

  • Do not scan the QR code under any circumstances and warn other employees about this specific threat

  • Block the malicious domain fleetopticsinc.cyou at the network level and report it to security teams

  • Implement enhanced QR code scanning policies and consider deploying security solutions that can analyze QR codes in emails

  • Review and strengthen email authentication policies (SPF, DKIM, DMARC) for company domains to prevent spoofing
