FBI Warns iPhone And Android Users—Do Not Use These Codes

An “impossible” to detect smartphone threat is now surging, with a new warning that more than 4 million attacks were observed “in the first half of 2025 alone.” It’s no surprise the FBI has a new warning for iPhone and Android users.
We’re talking QR codes, which Proofpoint warns “burst on the scene in 2023” and are now being quickly “adopted by threat actors as a way to remove the victim from the enterprise detection pipeline and bypass traditional URL scanning and filters.”
The FBI has now issued a warning to all smartphone users that the latest such attack is taking hold, a change in tactics given all the headlines around unpaid toll and DMV motoring offense texts, and even the original favorite, undelivered package texts.
“Criminals are sending unsolicited packages containing a QR code,” the bureau says, “and once scanned, victims provide personal and financial information while unknowingly downloading malicious software that steals data from their phone.”
Proofpoint warns “it is impossible to tell if a QR code is a threat just by looking at it.” That makes “these threats particularly dangerous,” with users now used to “scanning QR codes with their phone cameras for everything from instructions to menus.”
Just as with the FBI’s latest advisory, these attacks are “socially engineered to convince you to scan the code.” Once you do, you’re “redirected to a fraudulent website designed to steal sensitive data, such as login credentials, credit card numbers or personal data.”
The FBI’s advice is clear: “Do not scan QR codes from unknown origins.” And while that includes this latest “brushing” scam, with unsolicited packages delivered to your home with no sender details, it’s more likely you’ll be caught by a QR code in an email attachment or on a parking meter or even on a poster by the side of the street.
The FBI says “QR code scam has evolved much like all other scams,” and “if you happen to scan a scammer’s bad code, you could end up giving them access to your device.”
Do that, the bureau says, and those attackers “can access your contacts, download malware, or send you to a fake payment portal. Once there, you can inadvertently give them access to your banking and credit card accounts. If you make a payment through a bad QR code, it’s difficult if not impossible to get those funds back.”
Proofpoint says “attacks that target people are all about hacking human nature,” and that’s certainly the case with QR codes. In a world where your phone helpfully offers a link whenever it sees a code, without any of the link protection or warnings in other apps, it’s easy to see why these attacks are surging.
You have been warned.