The QR Scanner Hidden in Ṣọ Mobile (Most Users Don't Know About It)
The Feature Most Users Never Tap
There's a free QR Code Safety Scanner inside the Ṣọ Mobile app. It's been there for months. Most users have never opened it.
This post walks through what it does, why it exists, and how to actually use it. If you have Ṣọ Mobile installed (iOS or Android), the scanner is already on your phone. If you don't, the Free tier covers it.
Why a QR Scanner Exists Inside an Email Security App
Two reasons.
The first is that QR codes are now an email threat. Attackers embed QR codes in phishing emails specifically because they bypass desktop email security. Most email security tools scan links, attachments, and senders. They don't scan QR images for what's behind them. The QR code becomes a covert channel that routes from your inbox to your phone, where verification is harder. Ṣọ already scans QR codes embedded in emails through the desktop extension. The mobile scanner extends that capability to physical-world QR codes you encounter outside email.
The second is that mobile is where most phishing succeeds. When a parking meter has a QR sticker, you're not on a desktop with hover-to-preview. You're on your phone, where the URL is hidden behind the QR code until you've already opened it. The mobile scanner exists for the moment of decision: "this QR code looks legitimate, but should I scan it?"
QR-based phishing attacks (called "quishing") tripled between 2023 and 2024 according to multiple email security vendors. The defense for mobile users has been thin. The Ṣọ scanner is part of fixing that.
How to Use It
Open the Ṣọ Mobile app. Tap the QR scanner icon. Two options.
Scan with camera. Point your phone camera at the QR code. The scanner decodes the embedded URL (or text, vCard, Wi-Fi credentials, payment QR, app deep link) and analyzes it. You see the verdict before you see the URL itself.
Upload an image. If you have a screenshot of a QR code, or a photo someone sent you, upload it to the scanner. Same analysis, same verdict.
The verdict comes back in seconds with one of four outcomes:
- Safe: destination passed all checks
- Suspicious: at least one signal triggered, proceed with caution
- Dangerous: destination matches known phishing or malicious patterns
- Unknown: destination couldn't be classified with confidence
Each verdict includes a "why we flagged this" explanation. You see the specific signals that contributed, not just a single yes/no.
What the Scanner Checks
The scanner runs the same checks as Ṣọ's email scanner does on QR codes embedded in emails, plus mobile-specific checks for camera-scanned codes.
URL pattern analysis. Is the destination a lookalike domain? A recently registered domain? A known phishing infrastructure host? The system cross-references multiple threat intelligence feeds before returning a verdict.
Domain reputation. Has the destination been reported as malicious across Google Safe Browsing, PhishTank, OpenPhish, and other community-maintained reputation databases?
Redirect chain inspection. Many phishing QR codes use URL shorteners (bit.ly, tinyurl, dynamic QR services like flowcode.com) to obscure the final destination. The scanner follows the chain and reports the final URL plus any intermediate hops.
Subdomain tricks. The scanner detects patterns like "login.microsoft.com.attacker.com" where the real domain (attacker.com) is hidden behind a long subdomain that mimics a legitimate brand.
Typosquatting and homoglyphs. The scanner catches lookalike domains using character substitution. "rn" mimicking "m". "0" instead of "o". Cyrillic characters that visually match Latin ones. These are common in QR phishing because users don't see the URL before scanning.
File download flags. If the destination is a direct file download (.apk, .exe, .zip, .pdf, .html), the scanner explicitly flags it. "This is a file download, not a webpage" appears in the verdict. This catches a common QR scam pattern in which the user expects a website but gets a malware payload.
Multi-format support. Beyond URLs, the scanner handles vCard contact files, Wi-Fi connection codes, app deep links, and payment QR codes (Venmo, CashApp, mobile banking). Different formats have different scam patterns. The scanner adapts.
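To make the subdomain, lookalike, homoglyph, shortener, and file-download checks above concrete, here is an added example (not Ṣọ's code) that reports which signals a decoded QR URL triggers. The brand list, shortener list, confusables table, and the two-label "registrable domain" shortcut are assumptions made for illustration; a production check would use the Public Suffix List and a full confusables table.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample lists (assumptions for this example, not the product's data).
BRANDS = {"microsoft.com", "paypal.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "flowcode.com"}
DOWNLOAD_EXTS = (".apk", ".exe", ".zip", ".pdf", ".html")
CONFUSABLES = {"rn": "m", "0": "o", "\u043e": "o"}  # last key is Cyrillic "o"


def registrable(host):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def skeleton(domain):
    # Fold look-alike sequences so "rnicrosoft.com" compares equal to "microsoft.com".
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def mixed_script(host):
    # True when one label mixes alphabets, e.g. Latin letters plus a Cyrillic one.
    for label in host.split("."):
        scripts = {unicodedata.name(c, "?").split()[0] for c in label if c.isalpha()}
        if len(scripts) > 1:
            return True
    return False


def signals(url):
    """Return the list of signals triggered by one decoded QR URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable(host)
    found = []
    if reg in SHORTENERS:
        found.append("shortener")  # final destination unknown until redirects are followed
    if any(f".{brand}." in f".{host}" for brand in BRANDS):
        found.append("brand-in-subdomain")  # brand name is only a subdomain prefix
    if reg not in BRANDS and skeleton(reg) in {skeleton(b) for b in BRANDS}:
        found.append("lookalike")
    if mixed_script(host):
        found.append("mixed-script")
    if parts.path.lower().endswith(DOWNLOAD_EXTS):
        found.append("file-download")
    return found


if __name__ == "__main__":
    for sample in ("https://login.microsoft.com.attacker.com/signin",
                   "https://rnicrosoft.com/update.apk"):
        print(sample, signals(sample))
```

Each returned label corresponds to one "why we flagged this" reason; how such signals are weighted into a final verdict is not described on this page and is not modelled here.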
How It Works Architecturally
When you scan a QR code, the decoded URL or content goes to Ṣọ servers via HTTPS/TLS. The system runs the analysis and returns a verdict. The submission is then deleted. No copy of the QR content, the URL, or the analysis output is retained.
Same architecture as Ṣọ Mail. Encrypted in transit. Processed in seconds. Deleted immediately. No logs of submitted QR codes. No human access. No training of detection models on user submissions.
We're not claiming "on-device" processing. The scanner uses Ṣọ's threat intelligence infrastructure, which lives on our servers. The privacy property we offer is zero retention, not local analysis. We're explicit about this because the architectural framing matters more than the marketing.
Who's Missing This Feature
If you have Ṣọ Mobile installed and have only used it for inbox protection, you're missing one of the higher-leverage capabilities in the app. Three audiences specifically benefit from opening the QR scanner regularly.
Anyone who pays at parking meters or scans menus at restaurants. Public QR codes are the highest-volume quishing surface today. Parking meter QR scams are documented in multiple cities. Restaurant menu QR scams are emerging. The verification habit costs you 5 seconds.
Anyone who handles invoices, payments, or vendor relationships. Vendor QR codes appear in invoices, payment portals, and procurement documents. A fraudulent QR code that redirects payment to an attacker-controlled account is one of the highest-loss attack patterns for small businesses. Scan before paying.
Anyone helping older relatives or non-technical colleagues. If you handle email or technology questions for parents, grandparents, or coworkers, the scanner is the best 5-second response to "is this QR code real?" Forward them a screenshot, scan it, send back the verdict.
Most users only think about the scanner when something feels off. The recommendation is the opposite: scan before you trust, especially in physical environments where you can't hover to preview the URL.
What's Different from Other QR Scanners
Two important distinctions.
Most QR scanner apps are decoders, not safety checkers. They tell you the URL the QR code points to, but they don't analyze whether the destination is safe. Checking safety is a separate step, and most users skip it. Ṣọ's scanner does both in one tap.
Most "safety" QR scanners check a single blocklist. Usually Google Safe Browsing. That catches widely known phishing sites but misses fresh campaigns that haven't been added yet. Ṣọ's scanner combines multiple threat intelligence feeds with pattern detection (lookalike domains, typosquatting, redirect chains, file download flags) so fresh campaigns get caught even before they're publicly listed.
The scanner runs on the same engine as Ṣọ Mail. New attack patterns the email engine learns get extended to QR detection automatically. One engine, two surfaces.
How to Open It Right Now
iOS: Open the Ṣọ Mobile app. The QR scanner is on the main menu. Tap the icon. Allow camera access if you haven't already.
Android: Same flow. The QR scanner icon is on the main menu. Tap to open.
Don't have Ṣọ Mobile yet? The Free tier covers QR scanning, dark web breach monitoring, and email threat detection. No credit card required. Signup takes 60 seconds.
iOS: apps.apple.com/us/app/so-mail/id6756896070
Android: play.google.com/store/apps/details?id=com.app.somail
Frequently Asked Questions
Does the scanner work offline?
No. The scanner submits the decoded URL to Ṣọ servers for analysis against current threat intelligence. Without internet, the scanner can decode the QR code but can't verify whether the destination is safe.
Does Ṣọ keep my QR code data?
No. The same zero-retention architecture as the email scanner. Submitted content is processed in seconds and deleted. No logs of what you've scanned, no internal tools to look up past submissions, no training of models on user submissions.
Will the scanner catch a brand new QR phishing campaign?
The scanner runs multiple checks beyond static blocklists. Lookalike domain detection, typosquatting analysis, redirect chain inspection, and pattern-based flagging catch campaigns that haven't been added to public blocklists. False negatives still happen. If something feels off after a "safe" verdict, trust your instinct and don't proceed.
Can I report a QR code as a scam?
Yes. Each scan result includes a "Report as scam" option. The submission goes to Ṣọ's threat intelligence pipeline and helps catch the same QR code for other users.
Is the scanner available on desktop?
Not yet. The mobile scanner is the standalone QR analysis surface. The Ṣọ desktop extension scans QR codes embedded in emails automatically, but doesn't have a manual QR scanner UI today.
Is the scanner accurate?
Independent testing measured Ṣọ's overall detection accuracy at 90.70 percent. The QR scanner uses the same engine. False positives are kept low by combining multiple weak signals into a single verdict, rather than flagging based on any single signal.
Try It Today
Open Ṣọ Mobile. Tap the QR scanner. Point your phone at any QR code in your environment, or upload an image of one you've received. See what comes back.
The most useful feature in your email security app might be the one you've never tapped.
Encrypted in transit. Processed in seconds. Deleted immediately.