Monday, November 3, 2025

Beware of ‘quishing’: Scammers target UK drivers with fake QR codes in car parks

With many UK car parks requiring customers to use digital third-party services such as JustPark and Ringo to pay for parking, scammers have begun using this as an opportunity to exploit unsuspecting drivers.

The scam involves placing fake QR codes on parking machines in the hope that visitors will scan them when paying for parking over the phone.

This form of phishing, sometimes referred to as ‘quishing’, involves the customer being directed to a phony website, where they enter their card details for the scammer to see.

Before scanning a QR code on a parking meter, it is essential to ensure it has not been tampered with. Signs of tampering may include peeling edges, unusual bumps in the material, or anything that appears suspicious. If the corners of the code are peeling, revealing another code underneath, this could indicate that a fake code has been placed over the original one.

If the QR code is printed on paper, is unusually large, and covers all or part of the text on the parking meter, this is a telltale sign that it isn’t legitimate. Scammers will often inflate the size of the QR code to make it more visually obvious, to encourage customers to scan it.

When a QR code is scanned, the phone provides a preview of the website’s link before accessing the site. Users should use their judgment to evaluate the URL and ensure it aligns with the official website of the parking company.

Some scammers will set up a copycat website using a domain name that looks similar but is slightly different from the real thing. For example, the imposter URL could be ‘https://www.justpark.net’ while the genuine website is ‘https://www.justpark.com’.

It is important to ensure that the website being visited on a mobile browser has a padlock symbol next to the URL and begins with ‘https://’ rather than ‘http://’. This indicates that the site is encrypted with a Secure Sockets Layer (SSL) certificate.

Some phishing websites now also use SSL protection in an attempt to trick visitors, so the padlock and ‘https://’ on their own do not prove that a site is legitimate.
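The URL checks described above can also be done automatically, for instance in a scanner app or a mail or web filter. The following is an added example, not part of the original article: the function name `check_qr_url` and the allowlist are assumptions, with `justpark.com` taken from the article as the genuine domain and `pay.example` a constructed test host.

```python
from urllib.parse import urlsplit

# Assumption: the allowlist holds the parking operator's official domains.
# 'justpark.com' is the genuine domain named in the article.
OFFICIAL_DOMAINS = {"justpark.com"}

def check_qr_url(url, official=OFFICIAL_DOMAINS):
    """Return (verdict, reasons) for a URL decoded from a QR code."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    # HTTPS is required, but passing this check proves nothing on its own.
    if parts.scheme != "https":
        reasons.append("not https")
    # 'https://brand.com@other.host/' shows the brand but connects elsewhere.
    if parts.username or parts.password:
        reasons.append("userinfo before host")
    # Internationalised hosts can hide look-alike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("internationalised (punycode) host")

    # The host must be an official domain or a subdomain of one.
    on_list = any(host == d or host.endswith("." + d) for d in official)
    if not on_list:
        brands = {d.split(".")[0] for d in official}
        if any(b in label for b in brands for label in host.split(".")):
            reasons.append("brand name on a non-official domain")
        else:
            reasons.append("host not on allowlist")

    return ("ok" if not reasons else "reject"), reasons

if __name__ == "__main__":
    # Constructed sample URLs; the first two are the pair from the article.
    for sample in (
        "https://www.justpark.com/",
        "https://www.justpark.net",
        "http://www.justpark.com",
        "https://justpark.com@pay.example/park",
        "https://justpark.com.pay.example/",
    ):
        print(sample, "->", check_qr_url(sample))
```

The imposter URL from the article passes the HTTPS check and is rejected only because its domain is not the official one, which is why the domain comparison matters more than the padlock.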

If a user clicks through to a parking service website using a QR code and the webpage content appears unusual or things seem out of place, it could be a sign that they are not booking parking through the legitimate site.

Some phishing websites can look quite sophisticated but there are some signs you can watch out for. These include spelling mistakes, lack of correct capitalisation, text being misaligned, and logos and graphics appearing pixelated or out of date.

When paying online, parking services typically require the vehicle registration, an email address to confirm the booking, a card number, its expiry date, and the last three digits on the back of the card (CVV/CVC). If the site requests additional details, such as a home address, phone number, or the card’s PIN, it may indicate the site is not legitimate.

Popular parking services such as JustPark, Ringo and PayByPhone have their own dedicated app, which can be downloaded directly from the Apple or Google Play store.

Once the app is downloaded, scanning the QR code should redirect the user to the app to begin booking. If it doesn’t, and instead redirects to a browser, it may indicate a phishing attempt. The car park should also provide a location code, which can be entered directly into the app if the QR code’s authenticity is in doubt.

If bank details are entered and a QR code scam is suspected, it’s important to check the account for unauthorized transactions and immediately notify the bank to freeze the card and potentially issue a refund. Typically, if a debit or credit card was used, a refund can be requested through a Chargeback with the provider.

Any QR code scams should be reported to Citizens Advice and Action Fraud to help prevent further incidents.

Marc Porcar, CEO of QR Code Generator, adds: “According to National Trading Standards, around 73% of UK adults have been targeted by scams, and 35% of people have fallen victim to the offence. With scams becoming ever more convincing, even the most technologically savvy among us remain at risk.

“QR code phishing scams are the most recent trend we are seeing among car parks across the UK. Drivers must remain aware of this type of scam and the techniques scammers are likely to employ.”
