QR Code Scams and How to Avoid Them
QR codes, they’re everywhere. In your workplace, at your local coffee shop and all over the internet. It’s no surprise that their surge was catalyzed by the pandemic. In an attempt to cut down on possible transmission, restaurants replaced the physical menus shared by all customers with online versions that customers open on their own mobile devices. By scanning the little square composed of several dozen other squares, you’re able to see exactly what the house special of the day is.
Of course, because QR codes make it easy to forward consumers to an external website, cybercriminals quickly took note of this convenience and began creating their own malicious QR codes designed to dupe unsuspecting consumers into handing over personal information.
“Anytime new technology comes out, cybercriminals try to find a way to exploit it,” said Angel Grant, vice president of security at F5, an app security company. That’s especially true with tech like QR codes, which people know how to use but might not know how they work, she says. “It’s easier to manipulate people if they don’t understand it.”
QR codes (QR is short for “Quick Response”) were invented in Japan in the 90s. They were first used by the automotive industry to manage production, but have since spread everywhere. Countless websites and apps allow you to design your own as well. As a result, they’re being exploited by cybercriminals in a spin on the email phishing scam. While scanning one of these false codes won’t immediately compromise your device and personal information, it can and will take you to scam websites designed to get your bank account, credit card or other personal information.
Most people nowadays know to avoid phishing scams that arrive via links or suspicious attachments in emails that purport to be from a bank. Thinking twice about scanning a QR code with your smartphone, however, is not second nature for most people.
So, how does one distinguish a phishing QR code from a legitimate one? Here are some steps that one can take to avoid getting scammed.
Think before you scan. This goes without saying: if you’re wary of your information being forwarded and exploited by an anonymous third party, consider what you’re doing before you’re prompted to hand over sensitive information. Codes in public places can often be distinguished as real or fake depending on what they’re placed on. Is it a sticker, or part of a larger sign or display? If the code looks unnatural or out of place, consider that it may be phishing bait.
Codes embedded in emails are almost always a bad idea. Treat them the same way you would codes in unsolicited paper junk mail. If the sender goes through the effort of embedding the QR code in the email directly, there’s a good chance that what comes after you scan it is exactly what they want from you.
Preview the code’s URL. Many smartphone cameras running the latest software can preview a code’s URL as you scan it. They won’t take you to the URL; they will simply display a portion of the link, if not the full link itself. Consider whether the URL looks unnatural or off. There are also QR code scanning apps specifically designed to identify malicious links before your mobile opens them.
Use a password manager. While not exactly common knowledge, password managers are designed not to autofill information on false websites (or on those that you have not previously visited and submitted information to). A password manager can distinguish between sites you have submitted information to and those you haven’t. If you happen upon a site asking for your information, but your password manager does not immediately offer to fill in the information that’s relevant to that site, chances are it’s a phishing site.
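The last two steps can be combined in a few lines of code. The Python below is an added example, not part of the original article: it previews a URL decoded from a QR code without opening it, flags a few things that make a link look "off", and reports whether a saved login would autofill. The function name, the saved hosts and the sample URLs are constructed for illustration, and exact host matching is an assumed simplification of how real password managers match sites.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: hosts where this user has saved logins (hypothetical names).
SAVED_LOGIN_HOSTS = {"bank.example", "login.cafe.example"}

def triage_qr_url(url, saved_hosts=SAVED_LOGIN_HOSTS):
    """Preview a URL decoded from a QR code without opening it.

    Returns the host, whether a saved login would autofill (exact host match,
    a simplification of real password-manager matching), and warning findings.
    """
    result = {"host": None, "autofill": False, "findings": []}
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        parts, host = None, None
    if parts is None or parts.scheme not in ("http", "https") or not host:
        result["findings"].append("not a web URL")
        return result
    host = host.rstrip(".").lower()
    result["host"] = host
    if parts.scheme == "http":
        result["findings"].append("no TLS")
    if parts.username is not None:
        # Text before '@' is not the site; the real host comes after it.
        result["findings"].append("userinfo before host")
    try:
        ipaddress.ip_address(host)
        result["findings"].append("IP address instead of a name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        result["findings"].append("punycode label")
    if host in saved_hosts:
        result["autofill"] = True
    else:
        # A saved site's name inside a different host is a lookalike signal.
        for saved in sorted(saved_hosts):
            if saved in url.lower():
                result["findings"].append(f"mentions {saved} but is a different site")
    return result

if __name__ == "__main__":
    for sample in ("https://bank.example/login",
                   "https://bank.example.login-verify.test/login",
                   "https://bank.example@198.51.100.7/login"):
        print(sample, "->", triage_qr_url(sample))
```

A link that names a site you use but does not trigger autofill is the case the password manager step describes: the name is in the URL, but the host is not the one your login was saved for.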