Cybercriminals are targeting Quick Response codes in an effort to steal financial and other personal information from unsuspecting victims, the FBI said this week as it issued a warning over the scam.

QR codes are a convenient way for customers to make payments, download applications, and navigate websites at restaurants and businesses via a cellphone camera. They became more popular during the COVID-19 pandemic as people sought ways to diminish contact with objects that pass between others.

Now, some cybercriminals are tampering with QR codes by redirecting the scans to “malicious sites” where they can steal your data or embed malware on your smartphone, according to an FBI bulletin. Malware allows the criminals to gain access to the victim’s device, while personal information can be used to thieve money from their bank account.

Because it can be difficult to differentiate a legitimate QR code from a malicious one, the FBI is urging people to exercise caution with them, especially when making a payment through one.

The federal law enforcement agency provided the following tips for people to avoid becoming a victim of the scam:

  • After scanning any QR code, double check that the URL looks authentic and is the intended website. Fraudulent ones look similar but generally contain a typo or a misplaced letter.
  • Always be cautious when entering login, personal or bank information to any website accessed through a QR code.
  • Make sure someone hasn’t meddled with the code. One indicator, for instance, is if a sticker has been placed on top of it.
  • If a QR code prompts you to download an app, don’t; instead, get it through your phone’s app store.
  • Beware of QR code scanner apps, which the FBI says raises your risk of downloading malware. Your cellphone likely has a built-in scanner already through the device’s camera.
  • Make payments only through a known and trusted URL, rather than one you’re sent to through a QR code.
  • If you get an email from a business you purchased something from recently, but they say it can only be completed via a QR code, verify that with the company first. However, you should obtain the number from a trusted website and not the email.
  • Finally, should you get a QR code that appears to be from someone you know, reach out to them first to ensure it’s legitimate.

Anyone who believes they lost money due to a fraudulent QR code should report it to your local FBI field office, which can be found here. You can also file a report online through the FBI’s Internet Crime Complaint Center.