Fake QR codes used to scam unsuspecting drivers

Drivers are being warned about fake QR codes being stuck on payment machines at car parks across the UK.

Called ‘quishing’, there has been a big spike in false QR codes on parking machines, with incidents reported in Barking and Dagenham, Northumberland, Northamptonshire, South Tyneside and Pembrokeshire.

All appear to use the PayByPhone app to collect parking payments.

The RAC says it is also aware that a car park in Lytham St Annes, which uses the MI Permit app for payment, was targeted.

The false codes are leading people to enter their card details into fraudulent websites set up to steal payment information, which criminals then use to spend money from their bank accounts.

RAC head of policy Simon Williams said: “A car park is one of the last places where you’d expect to be caught out by online fraud.

“Unfortunately, the increasing popularity and ease of using QR codes appears to have made drivers more vulnerable to malicious scammers.

“For some, this sadly means a quick response (QR) code could in fact be a quick route to losing money.

“As if this quishing scam isn’t nasty enough, it can also lead to drivers being caught out twice if they don’t realise they haven’t paid for parking and end up getting a hefty fine from the council.”

The safest course of action when paying for parking at a council-owned car park is to avoid using QR codes altogether, says the RAC.

“Most of these councils don’t even operate a QR code payment system, so if you’re in any doubt, steer well clear and only pay with cash, card or via an official app downloaded from your smartphone’s app store,” added Williams.

“This advice should also be applied to any mode of transport where you can pay via a QR code, including electric vehicle charge points and private car parks.”

Adrianus Warmenhoven, a cybersecurity expert at Nord VPN, says scammers are exploiting confusion over changing payment methods as an opportunity to prey on motorists. 

“Conventional scams such as fake parking fines and unofficial clamping are already on people’s radars, but criminals are now turning to modern technology to find ways to con drivers out of money,” he said.

“Our research shows that three-quarters of Brits do not check QR codes before scanning, and only one in six drivers are aware that QR scams are even possible.” 

Nord VPN found that nearly a quarter of people have scanned QR codes on stickers in public places like car parks.

“It is welcome news to see the RAC raising awareness of the issue, but we need to see car park companies taking decisive action to monitor and clamp down on these scams,” added Warmenhoven.   

“Before scanning a QR code at a car park, ensure it originates from a reputable source and verify with the venue that it belongs to them.

“Look for a padlock symbol in the URL box on your smartphone’s web browser that will indicate the system is using a secure server.”

For added security, Warmenhoven suggests ditching your camera app and consider using a dedicated QR code scanning app instead, as these can often detect malicious sites or software.

“If a QR code redirects you to an unrelated or suspicious website, refrain from providing personal information and exit the page immediately,” he warned. 

“You could also try calling the car park company to double-check if you are unsure.

“Paying by credit card is another sensible precaution, as credit card companies are obliged to refund you unless they can prove that you are trying to defraud them.”

The RAC argues that the issue strengthens the argument for a National Parking Platform, which will allow everyone to use one app of their choice to pay for parking.

“As people are faced with a plethora of different payment apps depending on where they are in the country, it’s no wonder many resort to the convenience of using the QR codes they see on payment machines,” said Williams.

“Our research with drivers shows that many still prefer to pay with cash. Unfortunately, this option – along with payment machines – are being phased out by lots of councils, which a majority of drivers think is a bad idea.

“We believe there should always be at least two different means of paying for parking in the event technology fails or the car park is located somewhere with intermittent phone signal.”