Skip to main content

AG Nessel Shares FBI Warning About Malicious QR Codes

LANSING  Michigan Attorney General Dana Nessel wants to make Michigan residents aware of the FBI’s warning that criminals are hijacking QR (or quick response) codes by placing stickers with codes they create over the top of the real QR code. When scanned, these malicious codes direct victims to phishing websites where their personal or financial information can be stolen.

QR codes are a common convenience used by businesses, airlines, ticket vendors, and others. This square barcode can be scanned by a smartphone’s camera to provide quick access to a website where you can learn about a product, share information, make a payment, prompt an application download, or get rewards and discounts.

The codes themselves are not dangerous. It’s when they are used to steal or commit fraud that they become problematic. Malicious QR codes can:

  • Take you to a “phishing website.” Scammers create sites that look convincing and ask for personal information. Any information you provide on this site goes to the scammer.
  • Be used to download malicious software such as malware, ransomware, and trojans. These viruses can spy on you, steal sensitive information or files (like photos or videos), or even encrypt your device until you pay a ransom.
  • Be programmed to open apps on your device. It could open financial apps, social media accounts, and email accounts. It can compose and send messages to your contacts using your email or social media accounts.
  • Be used in phishing emails. QR codes are not picked up by security software, unlike attachments and links.

QR codes are widely used in so many different ways that it’s not surprising bad actors would develop the means to use them to scam us,” Nessel said. “This is another area where we need to protect our personal and financial information by practicing caution when using these convenient codes.”

The FBI offers several ways QR code users can protect themselves:

  • Do not scan a code if it is on a sticker, looks like it has been replaced, or is covered up.
  • After scanning the code, see if the URL you are taken to is a secure one that begins with https.
  • Download a QR Code Scanner app that can help you recognize a suspicious code.
  • Rather than scanning a code that will take you to a specific website, if possible, just type in the URL for that website.

Anyone who uses QR codes should be aware of the potential risks and always be on the lookout for malicious codes. Typically, victims of such scams do not become aware of the scam until the monetary theft is perpetrated, which can occur a considerable time after the identity theft, at which point it can be difficult to pinpoint how their information was compromised.

If you believe you have been a victim of QR code fraud, report the fraud to your local FBI field office and to the FBI Internet Crime Complaint Center. More information about QR code fraud can be found on the Attorney General's website.

Further, to file a consumer complaint or get additional information, contact the Michigan Department of Attorney General:

Consumer Protection Team
P.O. Box 30213
Lansing, MI 48909
Fax: 517-241-3771
Toll free: 877-765-8388
Online complaint form


Media Contact: