It looks innocent enough. A QR code on a parking meter — scan to pay. Except it's not the meter's code. It's a sticker, placed by a scammer, and it leads to a fake payment page.
This is "quishing" — QR code phishing — and it's exploding across the UK.
How It Works
- A scammer prints a fake QR code sticker and places it over a legitimate code on a parking meter, restaurant table tent, EV charger, or even a public notice board.
- You scan the code with your phone — it looks like it should take you to a payment page.
- Instead, you're taken to a convincing fake site that steals your card details, or the code triggers a download of malware onto your phone.
Where It's Being Reported
- Parking meters — Fake codes on PayByPhone machines in London, Manchester, and Birmingham
- Restaurants — QR menu codes replaced with scam links (reported in 12 UK counties)
- EV charging points — Fake payment codes on public chargers
- Council notice boards — Fake "pay your council tax" QR stickers
How to Protect Yourself
- Check the sticker. If it looks like it's been stuck on top of the original, peel it off and report it.
- Check the URL. Before entering any payment details, check the web address. If it's a jumble of letters or a misspelled brand name, close it.
- Use the official app. Instead of scanning the code, open the parking or payment app directly.
- Don't download apps from QR codes. Scammers use codes to push malware disguised as "updated" payment apps.
What to Do If You've Been Scammed
- Contact your bank immediately — they can freeze your card and reverse fraudulent transactions.
- Change your online banking password.
- Report to Action Fraud at actionfraud.police.uk or call 0300 123 2040.
- If you downloaded malware, run a full antivirus scan.
The QR code is convenient. That's why criminals love it. But a moment of caution before you scan can save you thousands. Stay sharp. Stay safe.