You park the car and look for somewhere to pay. A large QR code on the machine offers to take you directly to the right website where you put in your card details before going on with your day. Only much later are you hit with the double whammy: money gone from your account, and a fine for not paying the genuine parking company.
The rise in app- and phone-based parking payment has opened a new frontier for fraudsters: quishing – so called because they are phishing attacks that start with a QR code. The fraudsters stick the codes in places where you would expect to see details of how to pay to park. When you scan one, it takes you to a site where you are asked for your payment details – as you would expect when booking parking.
One victim who scanned a code in a station car park told the BBC that the fraudsters tried to take payments then posed as her bank to get more information from her, before running up £13,000 worth of debt in her name.
Last year, the UK’s Action Fraud received 1,386 reports of scams involving QR codes – a small number, but more than double that in the previous year. In just the first three months of 2025 there were 502, suggesting the problem is growing.
Chris Ainsley, the head of fraud risk management at Santander UK, says it is hard to get a full picture of the scale of the fraud. “Unless drivers receive a parking ticket, a lot of people are unaware that their personal or card details were compromised in this way,” he says. “When it comes to reporting the eventual scam, often the fact that it originated through quishing goes undocumented.”
What the scam looks like
A QR code where you might expect to see one – on a parking charge machine, on a post in a car park or sometimes on a public EV charger.
The code will be on a sticker.
What the messages ask for
The website will ask for your payment details. It will also ask for your car details, but that is likely to be just an attempt to convince you it is a legitimate parking website.
You may later get a call from someone pretending to be from your bank who will use the information you have given and tell you that you have been defrauded and need to move your money to a safe account. The safe account is actually in the control of the scammers. Do not do as they ask – your real bank would never request this.
What to do
Be suspicious of any QR code on a parking payment machine or signpost in a car park. Check that it has not been stuck over a legitimate code.
If you have the right parking app already on your phone, use that rather than scanning a code.
Use cash or a card to pay at a machine if those are an option.
Check the URL of the website before you click on it – it should appear on your phone as you scan the code. Do not click on it if it looks suspicious.
When you land on a page through a QR code, check details to make sure it is not a fraudulent version. Giveaways include weird URLs and bad spelling. Check that the URL includes HTTPS, rather than HTTP, before handing over details.
Keep an eye on your bank account and report any suspicious payments to your bank.
Report the scam to the local council, police and car park owner if it is a private company.
