QR Code Hijacking

What is a Quick Response (QR) Code?

A quick response or QR code is a square matrix barcode that can be scanned using a smartphone. Scanning the code directs the user to a specific website or app. Entering a lengthy URL is no longer necessary.

QR codes are customized for many different purposes. They have replaced paper menus in restaurants, airline boarding passes, and concert or sporting event tickets. By simply scanning a code, you can learn about any product, share information, get rewards and discounts, make a payment, and so much more.

QR Code to Michigan AG Office

QR Codes and Fraud

QR codes are convenient, easy to create, and the cost is minimal. This makes them appealing to cybercriminals, who create their own codes for malicious purposes. These QR code scams are also known as “quishing.” Quishing scams are often perpetrated alongside another scam called “brushing.” In brushing scams, you receive a package from an unexpected or unknown sender. The package information encourages you to scan the code to learn the identity of the gift-giver, to register your new product to activate your warranty, or to receive a “free” gift or other offers.

The FBI issued a warning that criminals are hijacking QR codes by placing stickers with codes they have created over the top of real QR codes. When scanned, these malicious codes direct victims to phishing websites where the scammers can steal personal or financial information.

QR codes from a trustworthy source can be helpful, but consumers should watch out for codes that may have been tampered with or that come from unknown sources, which can be used to access sensitive information or commit fraud. Malicious codes can:

  • Take you to a “phishing website.” Scammers create sites that look convincing and ask for personal information. Any information you provide on this site goes to the scammer.
  • Be used to download malicious software (malware) such as ransomware and trojans. These programs can spy on you, steal sensitive information or files (like photos or videos), or even encrypt your device until you pay a ransom.
  • Be programmed to open apps on your device. It could open financial apps, social media accounts, and email accounts. It can compose and send messages to your contacts using your email or social media accounts.
  • Be used in phishing emails. QR codes are not detected by security software, unlike attachments and links.

Protect Yourself

A QR code in a public place or location can easily be tampered with.

  • Do not scan a code if it is on a sticker, looks like it has been replaced, or is covered up.
  • If you receive an unexpected package that contains a QR code, do not scan it.
  • After scanning the code, see if the URL is secure. Does it start with https where the “s” stands for secure?
  • Download a QR Code Scanner app that can help recognize a suspicious code.
  • Rather than scanning a code that will take you to a specific website, just type in the URL for that website.
  • Consider using antivirus software that offers QR readers with added security.
  • Update your phone’s operating system to protect it from hackers.
  • Use strong passwords and multi-factor authentication.

Disconnect if:

  • the website you are taken to shows signs of being a phishing site;
  • the site branding is off;
  • the URL is suspicious or not secure;
  • the page contains bad grammar;
  • the site requires too much information to sign up;
  • the page encourages you to provide personal or financial information; or
  • the site uses fear tactics or time constraints.

QR codes can make life easier. But be aware of the potential risks and always be on the lookout for malicious codes. If you believe you have been a victim of QR code fraud, report the fraud to your local FBI field office and to the FBI Internet Crime Complaint Center.

Contact the Attorney General's Office

If you have a consumer complaint, or believe you've been the victim of a scam, please file a complaint with the Attorney General's Consumer Protection Team:

Consumer Protection Team
P.O. Box 30213
Lansing, MI 48909
517-335-7599
Fax: 517-241-3771
Toll-free: 877-765-8388
Online complaint form