Illustration by Amelia Holowaty Krales / The Verge

The Federal Trade Commission (FTC) warned the public against scanning any old QR code in a consumer alerts blog last week. Naturally, the warning comes down to security and privacy — bad actors can put QR codes in inconspicuous places or send them via text or email, then just sit back and wait for a payday in the form of money, logins, or other sensitive information.

The New York Times reported that John Fokker, who heads threat intelligence at cybersecurity company Trellix, says Trellix found over “60,000 samples of QR code attacks” in the third quarter this year alone. The Times wrote that the most popular scams involved payroll and HR personnel impersonators and postal scams, among others. Early last year, police in several Texas cities said they’d found fraudulent QR codes placed on parking meters, directing people to a false payment site.

To avoid being victimized by a bad code, the FTC suggests ignoring unexpected emails or other messages you weren’t expecting that come with some sort of urgent request. It’s also good to check the URL that shows up on your screen when scanning to make sure it’s a site you trust. Then again, even a legitimate QR code can show you a garbled and meaningless shortened web address, so if you know what site you want to visit, it’s best to go there directly.

The Commission also recommends the old standby of updating your devices and ensuring you have good, strong passwords and multi-factor authentication in place for sensitive accounts. If you’re unsure how to do that second part, check out our two-factor authentication guide, which has instructions for several of the most popular sites and services.

Beyond the FTC’s recommendation, there are other things you can do. Don’t download a QR code scanning app, for one — built-in camera apps for Android and iOS already do that, and apps can sometimes be made for nefarious purposes themselves. The FBI also has a list of recommendations in a similar blog it published in September, but in general, if you aren’t sure about a code, don’t scan it.

Illustration by Amelia Holowaty Krales / The Verge

The Federal Trade Commission (FTC) warned the public against scanning any old QR code in a consumer alerts blog last week. Naturally, the warning comes down to security and privacy — bad actors can put QR codes in inconspicuous places or send them via text or email, then just sit back and wait for a payday in the form of money, logins, or other sensitive information.

The New York Times reported that John Fokker, who heads threat intelligence at cybersecurity company Trellix, says Trellix found over “60,000 samples of QR code attacks” in the third quarter this year alone. The Times wrote that the most popular scams involved payroll and HR personnel impersonators and postal scams, among others. Early last year, police in several Texas cities said they’d found fraudulent QR codes placed on parking meters, directing people to a false payment site.

To avoid being victimized by a bad code, the FTC suggests ignoring unexpected emails or other messages you weren’t expecting that come with some sort of urgent request. It’s also good to check the URL that shows up on your screen when scanning to make sure it’s a site you trust. Then again, even a legitimate QR code can show you a garbled and meaningless shortened web address, so if you know what site you want to visit, it’s best to go there directly.

The Commission also recommends the old standby of updating your devices and ensuring you have good, strong passwords and multi-factor authentication in place for sensitive accounts. If you’re unsure how to do that second part, check out our two-factor authentication guide, which has instructions for several of the most popular sites and services.

Beyond the FTC’s recommendation, there are other things you can do. Don’t download a QR code scanning app, for one — built-in camera apps for Android and iOS already do that, and apps can sometimes be made for nefarious purposes themselves. The FBI also has a list of recommendations in a similar blog it published in September, but in general, if you aren’t sure about a code, don’t scan it.