The scam has a name now. Quishing. It is a blend of QR code and phishing, and it has found its most effective hunting ground in the British car park.
The mechanism is straightforward. A criminal prints a fake QR code sticker, usually designed to look identical to the legitimate one already on the parking meter or payment sign, and places it directly over the original. The driver arrives, scans the code, is directed to a website that looks exactly like PayByPhone or RingGo or whichever parking app the car park uses, and enters their card details. The money goes to the scammer. The parking session is never registered. The driver walks away thinking they have paid, and comes back an hour later to find a penalty notice on the windscreen.
They have been scammed twice. Once by the criminals and once by the car park.
Simon Williams, head of policy at the RAC, described it precisely: "As if this quishing scam isn't nasty enough, it can also lead to drivers being caught out twice if they don't realise they haven't paid for parking and end up getting a hefty fine from the council."
The scale of it
Action Fraud, the national fraud reporting centre, received nearly 800 reports of QR code fraud in the 12 months up to April 2025, with total reported losses of £3.5 million. The Bureau of Investigative Journalism sent freedom of information requests to every council in the UK and found that of the 373 local authorities that responded, 123 said their car parks had been targeted in the past year. That is roughly one in three.
The true scale is almost certainly larger. Naomi Grossman, compliance manager at software firm VinciWorks, told inkl: "Most victims don't realise a QR code was the main cause of the scam, until they receive unexpected charges or when they receive a parking fine."
QR code fraud now accounts for more than 20 percent of all online scams reported in the UK, according to fraud research firm Lynx Tech. Estimates from consumer press suggest the scam costs British drivers around £10,000 per day in total losses.
The crimes are not always small. At Thornaby Station, a 71 year old woman scanned a fake QR code in a car park. Criminals then impersonated her bank, set up online banking in her name, changed her address, and took out a £7,500 loan in her name. She was locked out of her own accounts, dependent on family support, and unable to sleep for weeks.
Like this? Get the app: iOS | Android
Who is behind it
This is not a minor operation. The Bureau of Investigative Journalism traced a quishing scam operating in Leamington Spa to a global fraud network with connections to Dubai, Cyprus and the Philippines. A separate criminal group identified by Netcraft researchers operates across France, Germany, Italy, Switzerland and the UK simultaneously, running what amounts to a professional fraud infrastructure with dozens of fake parking payment websites deployed across multiple countries.
The websites themselves are sophisticated. They mimic genuine parking operators with accurate logos, fonts and payment flows. Many sign victims up to recurring subscription payments without their knowledge, so the initial loss of a parking fee is followed weeks later by unexplained withdrawals that victims may not connect to the original scam at all.
RAC's Williams urged drivers to avoid using QR codes altogether in council car parks, noting that most councils do not use QR codes as a payment method and that any code found on a council parking machine should be treated as suspicious.
What to look for and what to do instead
Legitimate QR codes on parking machines are printed or embedded into the sign itself. Fake ones are stickers placed on top of existing signage, and can sometimes be identified by an edge, an air bubble, or a slightly raised surface. Quentin Wilson of FairCharge noted that EV charging points using Ubitricity lamp posts have green barcodes laminated directly into the sign rather than stuck on. If the code looks like a sticker, treat it with suspicion.
The safest approach at any car park is to download the official parking app directly from the App Store or Google Play, search for it by name, and pay through that rather than through any QR code found on a sign. Action Fraud confirms that car parks are the most common location for quishing attacks, and says the rule is simple: do not scan QR codes in public places when there is any alternative.
If you have already been scammed, report it to Action Fraud at actionfraud.police.uk or by calling 0300 123 2040. Contact your bank immediately. If you received a penalty notice for parking that you believed you had paid for, keep all evidence of the fraudulent transaction and challenge the penalty through the appeals process and cite the scam as your reason.
The car park operators and councils who have been slow to remove fake stickers from their machines are not blameless in this. The RAC and Which? have both called on local authorities to take responsibility for monitoring payment equipment regularly. Several councils, including Southend and Aberdeen, have now issued specific warnings and confirmed they do not use QR codes at all. Others have not.
The criminals are disciplined and organised. The response needs to match.
We cover enforcement and accountability stories at GaukMotorBuzz.com/drivers-revenge.
Sources:
- Which? — Quishing scams warning: how to spot and avoid dodgy QR codes
- The Bureau of Investigative Journalism — Quishing: new QR code scam sweeps UK car parks
- inkl via VinciWorks — Beware the QR code: how a new scam is costing consumers £10,000 per day
- GB News — Millions of Britons at risk of parking QR code scam
- Action Fraud via Which? — £3.5 million lost to QR code scams in 2024
- Chartered Trading Standards Institute — Warning to motorists on parking scams
- Action Fraud — Report fraud