
QR Code Hijacking

What is a Quick Response (QR) Code

A quick response or QR code is a square matrix barcode that can be scanned using a smartphone. Scanning the code directs the user to a specific website or app. Entering a lengthy URL is no longer necessary.

QR codes are customized for many different purposes. They have replaced paper menus in restaurants, airline boarding passes, and concert or sporting event tickets. By simply scanning a code, you can learn about any product, share information, get rewards and discounts, make a payment, and so much more.


QR Codes and Fraud

QR codes are convenient and can be found almost everywhere. They are easy to create, and the cost is minimal. This makes them appealing to cybercriminals, who create their own codes for malicious purposes. 

The FBI issued a warning that criminals are hijacking QR codes by placing stickers with codes they create over the top of the real QR code. When scanned, these malicious codes direct victims to phishing websites where the criminals can steal personal or financial information.

The codes themselves are not dangerous – it’s how they are used that is the problem. There are different ways that QR codes are used to steal or commit fraud. Malicious codes can:

  • Take you to a “phishing website”. Scammers create sites that look convincing and ask for personal information. Any information you provide on this site goes to the scammer.
  • Be used to download malicious software (malware) such as ransomware and trojans. This software can spy on you, steal sensitive information or files (like photos or videos), or even encrypt your device until you pay a ransom.
  • Be programmed to open apps on your device. They could open financial apps, social media accounts, and email accounts. They can compose and send messages to your contacts using your email or social media accounts.
  • Be used in phishing emails. QR codes are not picked up by security software, unlike attachments and links.

Protect Yourself

A QR code in a public place or location can easily be tampered with. 

  • Do not scan a code if it is on a sticker, looks like it has been replaced, or is covered up.
  • After scanning the code, see if the URL is secure. Does it start with https where the ‘s’ stands for secure?
  • Download a QR Code Scanner app that can help recognize a suspicious code.
  • Rather than scanning a code that will take you to a specific website, just type in the URL for that website.

Disconnect if:

  • the website you are taken to shows signs of being a phishing site.
  • the site branding is off.
  • the URL is suspicious or not secure.
  • the page contains bad grammar.
  • the site requires too much information to sign up.
  • the page encourages you to provide personal or financial information.
  • the site uses fear tactics or time constraints.
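
The URL checks from the two lists above can be applied to the text a scanner decodes before anything is opened. The sketch below is an added example, not part of the Attorney General's alert; the function name, the `expected_host` parameter and the sample hosts are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Payload prefixes that trigger a device action instead of loading a web page.
ACTION_SCHEMES = {"mailto", "sms", "smsto", "tel", "wifi", "geo"}

def triage_qr_payload(payload, expected_host=None):
    """Return a list of warnings for the text decoded from a QR code.

    expected_host (an assumption of this example) is the domain the reader
    expects the code to lead to, such as the one printed next to it.
    """
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    if scheme in ACTION_SCHEMES:
        return [f"triggers an action on the device ({scheme}:), not a web page"]
    if scheme not in ("http", "https"):
        return ["not a web address; find out what it does before opening it"]
    try:
        url = urlsplit(text)
        host = (url.hostname or "").lower()
    except ValueError:
        return ["malformed URL"]
    if not host:
        return ["URL has no host name"]
    warnings = []
    # https only means the connection is encrypted; a phishing site can
    # use it too, so the host checks below still apply.
    if scheme == "http":
        warnings.append("URL does not start with https")
    if url.username or url.password:
        warnings.append(f"text before '@' is not the site; real host is {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a name")
    except ValueError:
        pass  # an ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host uses punycode (possible look-alike characters)")
    if expected_host:
        exp = expected_host.lower()
        if host != exp and not host.endswith("." + exp):
            warnings.append(f"host {host} is not {exp} or a subdomain of it")
    return warnings

# Constructed sample payloads using reserved example names and addresses.
if __name__ == "__main__":
    for sample in ("https://www.example.org/menu",
                   "http://example.org.login.example.net/pay",
                   "https://example.org@198.51.100.7/login",
                   "SMSTO:+15555550100:hi"):
        print(sample, "->", triage_qr_payload(sample, "example.org"))
```

An empty list means none of these URL checks fired; the branding, grammar and pressure-tactic signs in the list above still have to be judged on the page itself.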

QR codes are convenient and can make life easier. Be aware of the potential risks and always be on the lookout for malicious codes.

If you believe you have been a victim of QR code fraud, report the fraud to your local FBI field office and to the FBI Internet Crime Complaint Center.

Contact the Attorney General's Office

If you have a consumer complaint, or believe you've been the victim of a scam, please file a complaint with the Attorney General's Consumer Protection Team at:

Consumer Protection Team
P.O. Box 30213
Lansing, MI 48909
Fax: 517-241-3771
Toll free: 877-765-8388
Online complaint form