QR code scams ('quishing'): parking meters, menus and fake fines

QR codes are everywhere now — on parking machines, restaurant tables, posters and parcels — and scammers have noticed. “Quishing” (QR-code phishing) means tricking you into scanning a code that sends you to a fake website, usually to harvest your card details. It’s growing fast because a QR code hides its destination until it’s too late to think twice.

How the scam works

  • Parking meters. A scammer sticks their own QR code over the real one on a council parking machine. You scan it, land on a convincing payment page, and hand your card straight to them.
  • Fake fines and letters. A printed “parking charge” or “unpaid toll” notice arrives with a QR code to pay quickly. The whole thing is fake.
  • Emails and posts. A message includes a QR code to “verify your account” or “claim a refund” — moving the dodgy link into an image so spam filters miss it.

Why QR codes are so sneaky

With a normal link you can at least read the web address and spot something off. A QR code is just a pattern of squares — you can’t read it with your eyes. Most phones show a preview of the link before opening it, but it’s small and easy to tap straight past.

How to stay safe

  • Look for tampering. On parking machines, check the QR code isn’t a sticker stuck over another one. If in doubt, don’t use it.
  • Pay the official way. Use the parking firm’s own app, or the phone number printed on the machine, rather than a code. Type known web addresses yourself.
  • Read the preview. When your phone shows the link, actually check it looks like the real organisation before opening — the same skill as checking if a website is legit.
  • Be suspicious of urgency. “Pay now to avoid a bigger fine” is pressure, and pressure is the oldest trick in the book.

Councils, Royal Mail, the DVLA and your bank do not ask for card details through a random QR code in a text, email or unexpected letter. If a code wants your card, treat it as a scam until you've checked through official channels.
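
The "read the preview" check above, written out as code. This is an added example, not part of the original article: the domain names are constructed placeholders and `qr_url_warnings` is a hypothetical helper that takes the text a QR code decodes to and lists the reasons it does not match the organisation's real web address.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist: the operator's real domain, as printed on the machine
# or shown in its official app (placeholder, not a real organisation).
OFFICIAL_DOMAINS = {"cityparking.example"}

def qr_url_warnings(payload, official=OFFICIAL_DOMAINS):
    """Return reasons not to trust a decoded QR payload (empty list = matches)."""
    warnings = []
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["not a parseable URL"]
    if parts.scheme != "https":
        warnings.append("scheme is not https")
    if not host:
        return warnings + ["no host in URL"]
    # Anything before '@' is a login name, not the site being visited.
    if parts.username is not None or parts.password is not None:
        warnings.append("text before '@' is not the site; real host is " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # a normal hostname, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible lookalike characters)")
    # The real site is the official domain itself or a subdomain of it.
    on_list = any(host == d or host.endswith("." + d) for d in official)
    if not on_list:
        if any(d in host for d in official):
            warnings.append("official name appears inside another domain: " + host)
        else:
            warnings.append("host not on the official list: " + host)
    return warnings

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app might decode them.
    for sample in ("https://pay.cityparking.example/zone/12",
                   "https://cityparking.example.pay-now.test/zone/12",
                   "https://cityparking.example@203.0.113.7/pay"):
        print(sample, "->", qr_url_warnings(sample) or "matches official domain")
```

The second and third samples are the ones a quick glance at a small preview tends to miss: the familiar name is on screen, but it is not the part of the address that decides where the phone goes.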

If you’ve already scanned and paid

Don’t beat yourself up — these are designed to catch careful people in a hurry. Contact your bank straight away to stop the card, and follow the steps for what to do if you’ve been scammed. It’s the same playbook as the fake delivery texts doing the rounds.