In a brazen cybercrime scheme, scammers have placed fake QR codes on pay-and-display parking machines in several UK towns, leaving motorists at risk of fraud.
The scam, which uses counterfeit QR codes to direct payments to fraudulent websites, has already impacted unsuspecting drivers in Leicester and Reading.
The UK parking scam: how the fake QR codes work
The swindle involves criminals attaching counterfeit QR codes to parking machines in various locations. The fake codes prompt users to scan and pay through what appears to be an official parking payment portal. However, this portal is a phishing site designed to capture payment details and, in some cases, personal information.
Motorists who attempt to pay via these codes are unwittingly handing over their bank details to scammers. The sites reportedly mimic legitimate parking payment platforms, making it incredibly difficult for users to notice any discrepancies until it’s too late.
Reading Borough Council said the fake QR codes were first spotted by enforcement officers during routine patrols on Monday. In a post on Facebook, the council urged drivers not to use the QR codes to pay for their parking.
According to a report by The Mirror, the fraudulent website address was bought this month using a Russian domain name.
A growing trend in “quishing” scams
The QR code scam, dubbed “quishing” (QR phishing), is part of a growing trend where fraudsters exploit people’s increasing reliance on digital payment systems. Unlike traditional phishing emails, QR codes don’t show any initial signs of malicious intent – there’s no URL preview to scrutinize or a poorly spelled email addressing you by name.
Simon Williams, Head of Policy at RAC said: “Unfortunately, the increasing popularity and ease of using QR codes appears to have made drivers more vulnerable to malicious scammers. For some, this sadly means a Quick Response code could in fact be a ‘quick route’ to losing money.”
“As if this quishing scam isn’t nasty enough, it can also lead to drivers being caught out twice if they don’t realise they haven’t paid for parking and end up getting a hefty fine from the council.”
How to protect yourself from quishing scams
- Use official apps: Always opt to use official parking apps or websites for payments rather than scanning a QR code.
- Check the pay-and-display machine: Look for signs of tampering or stickers that look out of place. Legitimate machines often have embossed, printed details rather than stickers that can be easily stuck on.
- Manually enter the website: If a machine directs you to a website via a QR code, it’s safer to manually enter the URL rather than scan it.
- Keep an eye on your bank statements: If you’ve recently used a QR code to pay for parking, monitor your bank statements for any suspicious activity.
The reliance on mobile payments is growing across Europe, and while convenience is a big factor, it also opens new avenues for fraud. Many European cities, including major hubs like Berlin and Madrid, have begun rolling out similar pay-by-phone parking systems, which means the quishing scam could potentially spread beyond the UK’s borders.
“Quishing” might sound like an unusual cybercrime, but as we move towards a more cashless society, it’s a threat that could easily grow.
