The QR Code Quishing Scam Exploiting Drivers Financial Security

In a world increasingly driven by digital convenience, an alarming trend is surfacing in car parks across the United Kingdom. Fraudsters are capitalising on the reliance on app- and phone-based payments, with a scam known as “quishing” now targeting unsuspecting drivers. This sophisticated fraud starts with a QR code deceptively placed on parking payment machines, posts, or EV chargers, duping victims into visiting false websites designed to exploit their personal and financial details.

Here is how the scam unfolds. Drivers, intending to pay for parking, scan the QR code, which redirects them to a website that closely mimics legitimate parking portals. Once there, victims willingly input sensitive information such as card details and car registration numbers, believing it to be routine. In some instances, scammers follow up with calls impersonating banks, warning victims about fraudulent activity involving their own accounts. Alarmingly, they persuade victims to transfer money into what they claim to be a “safe account,” which is actually controlled by these criminals.

The scale of the problem is evident in the rising statistics. Reports of QR code scams to Action Fraud doubled last year, with 1,386 incidents documented. During the first three months of 2025 alone, 502 cases were reported, highlighting an urgent need for drivers to exercise caution. Chris Ainsley, head of fraud risk management at Santander UK, suggests that these figures may represent only the tip of the iceberg, as many victims remain unaware of the fraudulent origin of their losses.

Identifying and avoiding this scam requires vigilance. Suspicion should be raised if QR codes on payment machines appear to have been added with stickers. Users are advised to verify the legitimacy of codes by checking that they have not been placed over genuine ones. Opting to use official parking apps or paying by cash or card at the machine also provides an added layer of safety. Before completing any payment, scrutinising the website URL for tell-tale signs like incorrect spelling, odd characters, or the absence of “HTTPS” is essential.

For those who have already fallen victim, immediate action is vital. Affected individuals should monitor bank accounts for suspicious transactions and report unrecognised payments to their respective banks. Fraudulent QR codes should also be reported to local councils, the police, or the car park operator to prevent others from being targeted.

As digital scams evolve, being aware of the risks associated with QR codes and adopting precautionary measures can help protect your finances and personal data. It is clear that preventing such attacks begins with educating individuals about these risks and reducing reliance on displayed QR codes in public spaces.