Major National Alert as 'Quishing' Scam Hits Parking Machines-£Thousands at Risk

A growing scam involving fake QR codes pasted on parking machines is sweeping across the UK – with the public urged to act fast or risk losing money and personal information.

According to the Bureau of Investigative Journalism (TBIJ), nearly one in every three local authorities that responded to an inquiry have reported their car parks being targeted by “quishing” fraud – where QR codes direct users to fake websites that harvest card details.

Here in Leicester, the Leicester City Council warned that fraudsters were placing counterfeit QR code stickers on pay-and-display machines across the city. Motorists were being urged to only pay by cash, card or official parking apps. (Leicester Live)

The council spokesperson stated:

“Fraudsters have again been placing QR codes on parking machines in Leicester – something that appears to be becoming a national issue.”

Nationwide scope of the scam

The issue is not limited to Leicester. For example:

In Dorset (West Bay area) the Dorset Council issued a public warning about fake QR stickers on parking machines. They highlighted that none of the payment machines operated by the council used QR codes, making any code present suspicious.

In Sunderland, the Sunderland City Council confirmed that fake QR code stickers had been placed on car-park payment machines, with one reported victim losing around £170 after scanning.

Northern Ireland’s Police Service of Northern Ireland (PSNI) have also issued warnings about fake QR code scams targeting parking users, advising drivers to use only official apps or payment methods.

This strongly suggests that either one well-organised gang or multiple criminal groups have recognised a weak point in everyday parking payment systems and are exploiting it.

How the scam works

1. A criminal places a sticker with a fake QR code on or over a legitimate parking machine or sign.

2. The user scans the code thinking they are paying for parking, but are redirected to a convincing fake website (often mimicking a trusted payment provider or the parking operator).

3. The victim enters their card details, vehicle registration, etc. The initial small transaction may go unnoticed; afterwards, larger or recurring payments can commence, or their card data is used for other fraud.

4. Meanwhile the genuine parking fee is not registered – drivers may still receive a penalty charge notice for non-payment.

Why it matters

The UK has seen nearly £3.5 million in losses reported via QR-code (“quishing”) fraud between April 2024 and April 2025.

Most parking machines and car-park signs have little routine protection or oversight for this kind of sticker tampering.

Drivers may believe they have paid, so they are unaware they are being targeted until much later.

Advice to the public: How to protect yourself

To avoid becoming a victim of this scam (and similar ones), please follow these practical steps:

Inspect the QR code: Before scanning, check if the sticker looks out of place (for example, if it appears layered over an existing code or sign). If it appears tampered with, do not scan it.

Use official apps or websites: Instead of scanning a QR code, go directly to the parking operator’s app or website—download it from the official App Store or Google Play.

Check the URL when you scan a code: If you do scan, verify that the website address opens with “https://”, uses the correct domain (not a variation with odd spelling), and shows the padlock icon. Be wary of odd characters, spelling mistakes, or long-unfamiliar domains.

Prefer paying by cash or card at machine: If available and safer, use the machine’s built-in payment methods rather than mobile/QR options.

Monitor your bank account: After parking payments, check your transaction list to ensure only the expected charge appears. If you see anything suspicious, contact your bank immediately.

Report suspicious QR codes: If you spot a QR code at a parking machine or car park that looks modified or unusual, alert the local council, parking operator or via platforms like Action Fraud (in the UK) so it can be removed before more people are exposed.

Similar scam types to watch out for

Fake parking fines or Penalty Charge Notices (PCNs) delivered by text message, email or hanging on wind-screens, often with links or QR codes inviting payment.

QR codes in emails, on websites or in public places leading to malicious websites (quishing) where malware is deployed or credentials are harvested.

Skimming or card reader tampering at parking pay-machines.

Fake parking apps that mimic genuine ones and prompt payment via non-official platforms.

What to do if you believe you’ve been scammed

Immediately contact your bank or card issuer and explain you may have entered your payment details via a fraudulent QR code.

Report the incident to Action Fraud (or the relevant police fraud unit).

Inform the local council or parking operator so they can inspect and remove any fake QR codes and warn others.

If you still need to pay for parking, do so via the official methods and keep evidence (photo of machine, sticker, transaction, etc.) in case you are later wrongly fined.

In summary

This is a serious and growing threat across the UK. The scam involving fake QR codes on parking machines is not just a local oddity in Leicester – it is part of a country-wide pattern. Drivers must remain vigilant. Using official payment methods and avoiding scanning random QR codes in car parks can save you from unexpected financial loss or fraud.