Quick Response codes (QR codes) are two-dimensional barcodes that provide easy access to websites through smartphones or tablets. They are routinely used to pay for things, view restaurant menus, attend events, and board airplanes. It’s estimated that this year alone, about 98 million Americans will scan a QR code with their phone.

The FTC warns that as QR code use increases, so do criminals’ attempts to use them maliciously to steal unsuspecting victims’ personal and financial information. More than 26 million people in the U.S. have been taken to an untrustworthy site, and one in six has had personal data stolen. According to the FBI, there were $150 million in reported losses last year involving fraudulent QR codes.

Fraudsters often place fake QR codes inconspicuously by covering up official QR codes with a QR code of their own on parking meters, menus, social media feeds, emails, and other areas. A scammer’s QR code could trick you into visiting a fraudulent website where they could steal any information you enter, or the QR code could install malware that steals your personal information.

Steps you can take to avoid fraudulent QR codes

  • Only scan QR codes given to you by trusted people or organizations. Do an internet search for the website.
  • If you see a QR code in an unexpected place, inspect the URL before you open it. Look for misspellings, a switched letter, bad grammar, or irregular logo design.
  • Don’t scan a QR code in an unexpected email or text message, especially if it urges you to act immediately. Instead, use a phone number or website you know is real to contact the company.
  • If a QR code looks tampered with, don’t scan it. Never give your information anywhere unless you’re absolutely sure that the website is genuine.
  • Use a QR Code scanner phone application.
  • Use unique passwords. Never use the same password on multiple websites, particularly financial sites and apps.
  • Update your phone’s software. Always install the latest versions of your smartphone operating system. Use multi-factor authentication so only you can access your personal accounts.

If you become a victim of crime, report thefts to the Internet Crime Complaint Center (IC3.gov).