Phishers on the prowl with fake parking meter QR codes

QR codes come and go as a threat. The last time we wrote about them, they were causing problems at gas stations, and by sheer chance this latest outing shares vehicle-related subject matter. Law enforcement in the US is sounding the alarm regarding parking meters.

A quick refresher

QR (Quick Response) codes are square barcodes, scanned by your smartphone to perform a variety of tasks. If you use authentication apps on your mobile, you’ve almost certainly had to scan one to set up 2FA for websites you use. Similarly, these codes can be found in the street, on covid tests, in businesses, or pretty much anywhere else you can think of.

On this occasion, they’ve been spotted in relation to a parking meter scam looking to snag payment details.

Sound the QR alarm

This particular attack seems to have been happening over a period of at least a few weeks, with multiple law enforcement Twitter accounts referencing it.

The so-called “pay to park” scam involves bogus QR code stickers being placed onto parking meters, urging people to pay using the code. At first, I wasn’t sure if they were placing bogus stickers over genuine payment QR code notices or if it involved fake notices too. However, this article includes a photograph of the scam in action.

It’s a genuine “pay by app parking” notice printed onto something, with the bogus QR code sticker placed on the bottom right hand corner. This is some opportunistic work slotting it into the overall design and making it look like it’s supposed to be there.

From scan to phish

When scanned, potential victims are directed to a fake “quick pay parking” website. From there, payment detail harvesting is but a few clicks and entry forms away. There’s no word as to what level of personal details are taken with the card, but at a bare minimum, we’d expect things like name, address, date of birth. This means anyone who’s fallen for it will need to keep a close eye on other forms of correspondence, as it could easily serve as a launchpad for further phishing or social engineering attempts. If payment details have been handed over, victims will need to cancel those payment details before the scammers can go on any spending sprees.

The site referenced in the article is now down, but we can’t say for sure if other bogus codes all direct to the same site or a variety of phishy links. The City of Houston states that it doesn’t use QR codes for parking payments. However, this isn’t an easy thing to communicate to a large mass of people. Additionally, the pandemic has made this technology one of the “go-to” bits of tech gaining more widespread use. As a result, many folks wouldn’t find a QR code asking for payment to be particularly odd.

The muddled convenience of guesswork

QR codes occupy a weird space in daily life. They’re a genuinely useful way of doing what you need to do in a pandemic with minimal fuss. The downside is you’re utterly reliant on technology to scan the code, with no idea what lurks beneath till you’ve done it.

Scammers here are relying on the convenience of paying by code. If you’re in a hurry to be somewhere, it’s still advisable to slow down and cast some healthy suspicion on QR codes presenting themselves for duty. If in doubt, contact whoever maintains the parking service you’re using and see if that code is indeed genuine. It’ll probably save you a lot of additional time and effort down the line.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.