Allure Security Navigation Logo

Scammers are having a hard time getting into consumers’ inboxes these days. Consequently, they are adapting and diversifying their methods – employing innovative technology alongside retro tactics like direct postal mail to bypass digital defenses.

How does one bypass email filtering? Email security systems typically scan inbound and outbound emails for malicious links, attachments, and other content. Because of this, delivering phishing URLs via email to unsuspecting victims can get a bit tricky. 

Fraudsters are finding creative ways around email security platforms. A couple examples we’ve seen recently are by embedding QR codes in place of links in the body of an email, and even resorting to branded physical mail (yes, sending letters) instructing readers to visit a link. And before you roll your eyes, consider that if these methods didn’t work, fraudsters probably wouldn’t bother.

How do fraudsters avoid email filters when sending links to fake sites?

Email security solutions will typically flag attachments and links, “reading” the email and investigating the links within for malicious intent. If an email trips the filter’s detection, it is quarantined to protect the recipient.


To circumvent spam filters, scammers have begun inserting QR codes into phishing emails. There’s currently a gap in many e-mail security solutions’ ability to engage with a QR code and inspect the URL to which the code directs. While email filters are valuable in many cases, at this time many of them lack the means to analyze QR codes and as a result, these emails are making it through spam filters and into inboxes.

Being presented with a QR code in a well designed phishing email could be just the right catalyst for some unsuspecting victims to take action. Moreover, people typically use a mobile device to access the information in a QR code. Investigating a URL for signals of illegitimacy on a mobile browser is more difficult than it is on a laptop or desktop computer.


Another tactic we’ve seen recently is – to our surprise – fraudsters using physical mail to distribute phishing links.

A picture of a letter sent via mail that contains a link to a brand impersonation attack recently encountered by Allure Security

While use of physical letters in this way is not exactly prevalent, it is a risk brands should be aware of.

The letter is riddled with spelling errors and hopefully was not taken seriously by the recipient. But, the imagery is quite good and certainly appears legitimate at a glance.

While we have not yet seen a combination of QR codes and physical mail, it is certainly within the realm of possibility. Despite the lack of evidence, one might imagine that a properly branded, grammatically correct letter invoking action that requires interacting with a QR code might make for an effective brand impersonation scam too.

Further Evidence that Email Gateway Security Alone Can Not Combat Online Brand Impersonations

Organizations can’t rely on a single method to protect their brand and customers against phishing. A layered approach is absolutely necessary to achieve satisfactory coverage. Brands need a variety of tools that add up to more than the sum of their parts. 

Email security is a very important aspect of an organization’s security perimeter. However, for the most part this only protects an organization’s staff. What about protecting your customers against online fraud that exploits your brand?

Emails and even direct mail letters are what we at Allure Security call invite vectors. But, brands need to keep the endgame in mind and know where these invite vectors are directing victims to. They need to know when and where they’re being impersonated online and neutralize those threats before any of their customers or employees see them. That requires proactive monitoring of newly registered domains, continual monitoring of suspicious domains, and the ability to add domains to blocklists and perform timely takedowns with the registrar/host. Most companies find that online brand protection experts such as Allure Security can provide these services at a fraction of the cost of them trying to do it themselves.


Post Date