QR codes – the small black and white squares that direct smartphone users to an external URL – are a common part of modern life. Restaurants use them so patrons can see menus, real estate agents display them on signs to provide virtual tours and all types of businesses encourage shoppers to scan and save.

But what should you do if a box displaying a QR code arrives unsolicited at your doorstep?

Don’t scan it under any circumstances, the FBI warns.

The scam is the latest in a practice known as “brushing.” A typical brushing scam involves someone sending you an unsolicited package and then writing a fake review in your name to bolster their online image and sales. Receiving an unsolicited package is a warning sign that your identity is likely compromised, the FBI said.

The new version of the scam is known as “quishing” and also involves an unsolicited package, but this time, the box includes a QR code. Once scanned, the recipient gets a prompt to provide personal or financial information. In some cases, scanning the QR code unwittingly downloads malicious software to steal data from your phone.

Many times, the packages arrive without sender information, enticing the recipient to scan.

Scanning a bogus QR code can give scammers access to your contacts or send you to a fake payment portal. Once there, the FBI said, you can inadvertently give the criminals access to your banking and credit card accounts.

FBI: Tips to protect yourself

You should always be careful before scanning any QR code, especially when it’s received through unsolicited communications or packages, the FBI said.

Other safety tips include:

– Beware of unsolicited packages containing merchandise you did not order.

– Beware of packages that do not include sender information.

– Be careful before authorising phone permissions and access to websites and applications.

– Do not scan QR codes from unknown origins. – al.com/Tribune News Service