QR Code Scams: Quishing and Fake Parking Payments

Avoid QR scams by treating codes in open public spaces as untrusted, using official apps or typed URLs instead, and never entering credentials or card details after scanning a suspicious code.

This guide explains "quishing" (QR-code phishing) with a UK emphasis on fake parking-payment codes and credential-harvesting QR links in emails. It is written for drivers, commuters and mobile-first users who commonly scan QR codes in car parks, stations and shops. It provides a fast decision tree for "scan vs don't scan" and what evidence to gather if money is lost.

Quick scan safety checklist

  1. Inspect the code for stickers or signs of tampering.
  2. Preview the link before opening if your scanner allows it.
  3. Prefer official apps (e.g. parking provider app) over scanning when possible.
  4. Never rush; be suspicious of codes in open spaces or unexpected emails.

What quishing is

QR codes can hide a URL, making it harder to spot lookalike domains or malicious destinations. The NCSC reports that criminals are increasingly using QR codes within phishing emails to drive victims to scam sites—a technique called "quishing." Because many people are cautious of clicking links in emails, QR codes can bypass that awareness. Not all security tools scan images, so malicious QR codes can slip through.
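
What a link preview needs to be compared against, as an added example that is not part of the original guide: the hostname decoded from the QR code is matched exactly against the provider's published hostname, and near-misses are flagged. The hostnames, warning labels and function names below are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hostnames the parking provider publishes on its own site.
# "parking-provider.example" is a constructed placeholder, not a real operator.
OFFICIAL_HOSTS = {"pay.parking-provider.example"}

def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def preview_qr_url(decoded, official=OFFICIAL_HOSTS):
    """Return warnings for a URL decoded from a QR code; [] means the host
    is an exact match for an official hostname and the scheme is HTTPS."""
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable-url"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if parts.username or parts.password:
        # "https://official-name@other-host/" displays the official name first
        warnings.append("userinfo-in-url")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("non-ascii-or-punycode-host")
    if host not in official:
        warnings.append("host-not-official")
        for good in official:
            if good in host:
                warnings.append("official-name-embedded")
            elif _edit_distance(host, good) <= 2:
                warnings.append("lookalike-of-official")
    return warnings

if __name__ == "__main__":
    # Constructed sample values, as a scanner's preview might show them.
    for url in ("https://pay.parking-provider.example/loc/1234",
                "https://pay.parking-provlder.example/loc/1234",
                "https://pay.parking-provider.example.payments.test/loc/1234",
                "https://pay.parking-provider.example@payments.test/loc/1234"):
        print(url, "->", preview_qr_url(url) or "ok")
```

An empty result only means the hostname matches the list; it says nothing about whether the list itself is right, so the official hostname should come from the provider's app or a typed URL, not from the sign.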

Why car parks and stations are high-risk

Open spaces enable sticker overlays and social engineering. The NCSC notes that much QR-related fraud happens in stations and car parks. Scammers may place fake QR codes over genuine ones, or leave bogus codes on signs. In some cases, criminals pose as bank staff and call victims to continue the deception. Be extra careful with codes in car parks, on street furniture, or in any public place where anyone could have modified the signage.

If you entered card details or passwords

  1. Contact your bank immediately: Report potential fraud and follow their advice. They may block cards or monitor for unauthorised use.
  2. Change affected passwords: Use a strong, unique password and a password manager where possible.
  3. Log out other sessions: On any service where you entered credentials, force log out of other devices and review active sessions.
  4. Check for malware: If you installed anything from the link, see our malware guide for recovery steps.

Reporting in the UK

Report fraud to Action Fraud (England, Wales and Northern Ireland) or Police Scotland. You can also report suspicious URLs and phishing to the NCSC. Action Fraud has published alerts on quishing—including reports of nearly £3.5 million lost in the year to April 2025 from fraudulent QR codes.

Frequently asked questions

What is quishing?
Quishing is phishing delivered through QR codes that redirect you to scam sites.

Are QR codes always dangerous?
No, but codes in open public spaces or unexpected emails deserve extra suspicion.

What should I do if I paid through a QR code and it seems wrong?
Contact your bank immediately, change affected passwords, and report the incident via UK channels.