Police in several US cities are warning residents not to pay for their parking using QR codes stuck to parking meters. That’s because these codes have been placed there by scammers, who are using them to direct people to fraudulent sites that capture their payment details.
Warnings have been issued by law enforcement in Austin and San Antonio over the holiday period (we spotted the story via The Overspill newsletter). Police say they discovered a number of stickers with illicit codes appearing on parking meters, while a report by local news site Click2Houston shows how one of the fraudulent codes directed people to a site promising “quick pay parking.” (The site now appears to be offline.)
Police are advising anyone who inadvertently enters their credit card details into one of these sites to file a police report and contact their card vendor to reverse any payments.
Scam Alert— Austin Police Department (@Austin_Police) January 3, 2022
APD Financial Crimes detectives are investigating after fraudulent QR code stickers were discovered on City of Austin public parking meters. People attempting to pay for parking using those QR codes may have been directed to a fraudulent website and made a payment. pic.twitter.com/Gb8gytCYn7
Although once derided as an outdated technology, QR codes have become increasingly visible in the West over the past few years. These two-dimensional barcodes are able to store snippets of data but are commonly used to direct people to URLs. They’ve been a staple of digital payments in Asia for many years, but have been embraced in the West during the pandemic, used to link people to restaurant menus, report vaccination status, and check in to locations.
The convenience of QR codes (QR stands for “quick response”) is balanced by their lack of security. Although the code itself cannot be comprised, it can be used to direct people to fraudulent or dangerous sites, as with the parking meter scam. There’s no way for a human to “read” a QR code, and preview URLs created by mobile devices are often ambiguous at best. That makes them ripe targets for surprise or malicious redirects.
The advice for avoiding these scams is the same as for any phishing fraud: check the URL of the website you’ve been sent to for misspellings or less-than-professional design (not always a useful tell when it comes to local government sites). And in the case of parking fees, look for official apps which are commonly used in US cities to make such payments.