A quick scan of a QR code to pay for parking seems convenient, but cybercriminals are exploiting this convenience to drain your bank account. The Federal Trade Commission (FTC) has issued warnings about a growing scam where fake QR codes are placed on parking meters and payment stations. Here’s what you need to know to stay safe, plus real-examples, red flags, and steps you can take if you’ve been affected.
What’s happening with QR Codes on Parking Pay Stations?
Scammers are creating stickers with malicious QR codes and placing them over legitimate ones on public parking meters and “Pay by Phone” signage. When you scan the fake code, it directs you to a fraudulent website designed to mimic an official payment portal. Instead of paying for your parking spot, you may end up handing your credit card details and personal data directly to criminals. The FTC confirms there are “reports of scammers covering up QR codes on parking meters with a QR code of their own.”
Who’s targeted & why it matters
Who: Anyone using public parking who is tempted by the ease of paying via QR code — especially when in a rush.
Why it matters: Victims face financial loss, potential identity theft, and can still get parking tickets or towing if their payment never reached the real parking authority. That means double trouble: losing money and facing fines. City authorities like Fort Lauderdale have already issued warnings after such scams were found.
How this QR Code Phishing Scam Works
This is a phishing variant, using QR codes as the lure, which is also called “quishing” and here’s how it works:
- A scammer places a sticker with a malicious QR code over the genuine one on a parking meter or on signage.
- You scan the fake code with your smartphone.
- Your phone’s browser opens a convincing yet fake payment website.
- If you enter your credit card number, name, and other personal details, you’re handing them over to the scammer.
- The fraudster may use your info for identity theft, unauthorized purchases, or sell it on the dark web. Meanwhile, your parking remains unpaid.
Real‐World Examples of Quishing and How to Spot it
Here are reported cases and things to watch out for:
- In Redondo Beach, California, about 150 parking meters were found with fake QR stickers. These were glued next to legitimate ParkMobile / PayByPhone labels. The bogus codes redirected users to a site named “poybyphone”, just one letter off the real name. (ABC7 New York)
- Fort Lauderdale discovered fake QR code stickers on parking meters and EV station signs. Stickers sometimes displayed logos of legitimate payment apps to seem authentic. (CBS News)
- The FTC warns about this kind of QR code misuse broadly: covering codes, sending codes by email/text, or using QR codes in unexpected places to trick people. (Consumer Advice)
Red flags & indicators
| Indicator | What to look for |
|---|---|
| Sticker on a sticker | Mismatched edges, air bubbles, different material or thickness over the original QR code or signage. |
| Suspicious URL | Typos, extra words, misspelled brand or city name; generic domains rather than official government or city domains. |
| QR code is the only option | No credit card / coin slot, or no option via known app — just “scan this code.” |
| Poor website quality | Low-res logos, grammar/spelling errors, inconsistent fonts, missing SSL padlock. |
How to Protect Yourself from Quishing
Inspect Before You Scan: Look closely at the QR code: is it part of the meter or sign, or a sticker placed on top? If it looks out of place, don’t scan it.
Use an Official App: Whenever possible download the official parking app for your city or provider (e.g. ParkMobile, PayByPhone) directly from the Apple App Store or Google Play Store. Pay through the app rather than scanning codes on street signs.
Verify the Web Address: If you scan a code, check the URL in the browser before entering anything. Ensure it matches the official site for the parking authority or company.
Prefer Physical Payment Methods: If the meter has a credit card reader, coin slot, or accepts cash, these are usually safer than QR codes posted on signs.
Type the URL Manually (if available): If the meter or sign displays a legitimate URL for payment, consider typing it manually into your phone’s browser to avoid spoofing.
What to do if you Fall for the QR Code Quishing Scam
If you suspect you’ve fallen victim to one of these scams, act quickly:
- Contact Your Bank or Credit Card Company: Report the fraudulent charge, request cancellation of the card if needed, and watch for any further unauthorized transactions.
- Report to the FTC: File a complaint at ReportFraud.ftc.gov. The FTC monitors and investigates scams like these.
- File an IC3 Report: If there is a cybercrime component (e.g. phishing website, identity theft), you can report it to the FBI’s Internet Crime Complaint Center at ic3.gov.
- Monitor Your Accounts: Keep close watch on your bank and credit card statements. Look for small or unusual charges or pattern changes.
- Inform Local Authorities or Parking Provider: Let your city’s parking authority, transportation department, or the company managing the parking know about the fake codes. They may remove them and issue public notices.
Key takeaways
- This growing QR code scam at public parking locations uses fake codes to steal payment information.
- Always inspect QR codes physically for signs of tampering.
- Verify URLs carefully before entering payment details.
- When possible, use official apps, or physical payment methods instead of scanning embedded QR codes in the wild.
- If something goes wrong, act fast: contact your bank, report to the FTC and/or IC3, and monitor your accounts.
- taying aware and cautious can mean the difference between a smooth parking payment and an expensive, risky mistake. When it comes to QR codes in the wild—especially for payments—trust but verify.