There's been a rise in QR code scams at public car parks, prompting a warning for drivers to be extra cautious when paying for parking. The scam, called "quishing," involves fake QR codes that trick people into giving away personal information or making payments to fraudsters. While quishing isn't new, there's been a recent surge in attacks at car parks. Because of this, the RAC is advising drivers to avoid using QR codes and stick to safer payment methods like cash, bank cards, or the official apps provided by parking companies.
Car parks are an easy target for scammers because they can simply stick a fake QR code label over the real payment machine code. When drivers scan the code with their phones, they're often led to a fake website designed to look like the real parking provider’s page. The site then asks them to enter private bank details, which the scammers use to drain their accounts, sometimes costing victims thousands of pounds before they even realise what's happened.
RAC’s head of policy, Simon Williams, pointed out that drivers are especially vulnerable to this kind of fraud because a car park is one of the last places you'd expect to be scammed. "As if this quishing scam isn’t nasty enough, it can also lead to drivers being caught out twice if they don’t realise they haven’t paid for parking and end up getting a hefty fine from the council." Williams said.
His advice? “The safest course of action when paying for parking at a council-owned car park is to avoid using QR codes altogether. Most of these councils don’t even operate a QR code payment system, so if you’re in any doubt, steer well clear and only pay with cash, card or via an official app downloaded from your smartphone’s app store. This advice should also be applied to any mode of transport where you can pay via a QR code, including electric vehicle charge points and private car parks."
If a QR code is your only option, take precautions. Double-check that the code hasn’t been placed over the real payment info, and make sure the website’s URL is secure. But be warned: even secure-looking https:// websites can be used by scammers to appear legitimate.