The Rise of QR Code Phishing (Quishing) at Parking Meters

Public parking is frustrating enough without having to worry about scammers stealing your credit card information. However, a new wave of fraud known as “quishing” is turning city parking meters into traps. Scammers are slapping fake QR code stickers onto payment kiosks to empty your wallet.

What Is Quishing?

Quishing is a combination of the words “QR code” and “phishing.” In a traditional phishing attack, a scammer sends you a deceptive email or text message hoping you will click a malicious link. Quishing brings this digital threat into the physical world.

QR codes are simply square barcodes that your smartphone camera translates into a web link. The main danger of a QR code is that human eyes cannot read it. You have no way of knowing where the code will send you until you scan it. Scammers take advantage of this blind trust by generating their own QR codes, printing them on adhesive labels, and placing them over legitimate codes in public spaces.

How the Parking Meter Scam Works

The parking meter scam is highly effective because it targets drivers when they are rushed. Here is the exact process scammers use to steal your payment credentials:

  1. The Setup: Criminals print high-quality, weather-resistant stickers featuring their malicious QR codes. They walk through city streets and stick these fake codes directly over the real payment codes on parking meters and signs.
  2. The Scan: A driver parks their car, walks up to the meter, and scans the fake QR code with their iPhone or Android camera.
  3. The Deception: The phone screen displays a link to tap. Instead of taking the driver to the official parking service, the link opens a fake website in the phone’s web browser. The scammers design this website to look exactly like popular parking portals. They often steal the official logos and color schemes to make the fake site look authentic.
  4. The Theft: The fake website asks the driver to enter their license plate number, email address, and credit card details to pay for the parking session. Once the driver clicks submit, the scammers capture the data instantly.

Cities Hit Hard by the Scam

This is not a localized problem. Authorities across the United States and the United Kingdom have issued urgent warnings about these fake parking stickers over the last few years.

Police in San Antonio and Austin, Texas, reported dozens of fake stickers on city meters starting in late 2021. The problem quickly spread. In 2023 and 2024, cities like Atlanta, Georgia, and Redondo Beach, California, had to issue public alerts after residents found fake codes on local parking kiosks.

The scammers frequently target the branding of the most popular municipal parking apps. ParkMobile, PayByPhone, and Passport Parking are the most commonly spoofed services. In the United Kingdom, local councils in the Isle of Wight and Wyre discovered scammers placing fake QR codes over signs designated for the official PayByPhone app.

The Double Threat: Stolen Data and Parking Fines

When you fall for a parking meter quishing scam, you actually lose money in two different ways.

First, the scammers have your credit card information. They might charge you a fake parking fee of $5 or $10 immediately so you do not suspect anything is wrong. Later, they will use your card to make large fraudulent purchases. In some cases, the fake website secretly signs the victim up for a recurring monthly subscription to an unrelated service, which can cost $39.99 or more per month.

Second, because you paid the scammer instead of the city, your actual parking session remains unpaid. You will likely return to your vehicle only to find a legitimate parking citation tucked under your windshield wiper. These fines often range from $40 to $75 depending on the city.

How to Spot a Fake QR Code

You can protect yourself by taking a few extra seconds to inspect the parking meter before you reach for your phone. Look for these warning signs:

  • Overlapping Stickers: Run your finger over the QR code. If the code is a sticker placed on top of a metal or hard plastic sign, it is likely a fake. City authorities usually print their QR codes directly onto the signage or the machine itself.
  • Peeling Edges: Scammers act fast to avoid getting caught. Because of this, they often place the stickers sloppily. Look for crooked placement, air bubbles under the sticker, or edges that are peeling away from the machine.
  • Suspicious URLs: When you scan a QR code, your phone camera app will display the destination URL before you tap it. Look closely at the web address. If the official app is ParkMobile, the link should be “parkmobile.io”. A scammer might use a deceptive link like “park-mobile-pay.com” or “parkmobile-us.net”. If the URL looks overly complicated, do not tap it.
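Added example, not part of the original article: the URL check from the last warning sign, written as a strict host comparison in Python. It goes beyond the two lookalike links quoted above to cover subdomain, "@" and look-alike-character tricks. The allowlist holds only the official domain named in the text, and the brand keyword list and sample links are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the allowlist holds only the official domain this article names.
OFFICIAL_DOMAINS = {"parkmobile.io"}
# Constructed keyword list, based on the services the article says are spoofed.
BRAND_TOKENS = ("parkmobile", "paybyphone", "passport")


def classify_qr_url(payload: str) -> tuple[str, str]:
    """Classify text decoded from a QR code as official, lookalike or untrusted."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        has_userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return "untrusted", "not a parseable URL"
    if parts.scheme != "https" or not host:
        return "untrusted", "not an https web link"
    if has_userinfo:
        # https://parkmobile.io@other.example/ really goes to other.example
        return "lookalike", "text before '@' is not the host"
    if not host.isascii() or "xn--" in host:
        return "lookalike", "internationalized host, possible homograph"
    # Exact match or a true subdomain; a bare suffix test would accept
    # "notparkmobile.io", so the leading dot matters.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official", host
    # Hyphens are dropped so "park-mobile-pay.com" still matches the brand.
    if any(tok in host.replace("-", "") for tok in BRAND_TOKENS):
        return "lookalike", f"brand name on unofficial host {host}"
    return "untrusted", f"host {host} is not on the allowlist"


# Constructed sample payloads; the two lookalike hosts are the article's own.
SAMPLES = [
    "https://parkmobile.io/zone/1234",
    "https://park-mobile-pay.com/zone/1234",
    "https://parkmobile-us.net/pay",
    "https://parkmobile.io.pay.example/login",
    "https://parkmobile.io@pay.example/",
    "http://parkmobile.io/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        verdict, reason = classify_qr_url(url)
        print(f"{verdict:10} {url}  ({reason})")
```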

Safe Ways to Pay for Public Parking

The safest way to pay for public parking is to avoid scanning QR codes altogether. Instead, rely on these secure methods:

  • Download Official Apps Directly: Go directly to the Apple App Store or Google Play Store on your phone. Search for the city’s official parking app (such as ParkMobile or Passport) and download it there. Once you open the official app, you can manually type in the parking zone number printed on the street sign.
  • Pay at the Machine: Most modern parking kiosks still accept physical credit cards. Inserting or tapping your card directly at the machine is much safer than visiting a random website.
  • Always Use a Credit Card: Never use a debit card linked to your checking account to pay for public parking. Always use a credit card. Issuers like Visa, Mastercard, and American Express offer robust fraud protection. If a scammer steals your credit card number, you can dispute the charges and get your money back without losing the actual cash in your bank account.

What to Do If You Fall Victim

If you realize you have scanned a fake QR code and submitted your payment information, you need to act quickly.

Open your banking app (like the Chase, Bank of America, or Capital One app) and immediately lock or freeze your credit card. Call the customer service number on the back of your card to report the fraud and request a replacement card.

Next, call the local parking authority or the non-emergency police line to report the specific location of the tampered meter. This allows city workers to scrape the sticker off before someone else gets scammed. Finally, you can report the incident to the Federal Trade Commission at ReportFraud.ftc.gov to help federal authorities track the scam.

Frequently Asked Questions

Can my phone get a virus just by scanning a QR code?

Simply aiming your camera at a QR code usually will not download a virus. The danger happens when you tap the link on your screen and visit the malicious website. However, you should still avoid scanning suspicious codes, as some sophisticated fake websites can attempt to trigger silent malware downloads if your phone operating system is out of date.

Will the city dismiss my parking ticket if I was scammed?

This depends heavily on the local municipality. Some cities will dismiss the citation if you can provide a police report or a bank statement proving you were a victim of a fake QR code at that specific meter. Other cities maintain a strict policy that the driver is responsible for ensuring valid payment, meaning you will still have to pay the fine.

Is it safe to use Apple Pay or Google Pay on a parking website?

Using Apple Pay or Google Pay is generally safer than typing your raw credit card number into a website because these services tokenize your payment data. However, if you are on a fake scammer website, approving an Apple Pay transaction still authorizes a payment to the criminal. Always verify you are on the official app before authorizing any digital wallet payments.