Quishing: fake QR codes in public spaces
QR codes stuck on parking meters, charging stations and fines redirect to fake payment pages. A quick glance is not enough.
Quishing, a blend of QR code and phishing, is gaining ground. The idea is simple: a fake QR code is stuck over the real one, on a parking meter, a charging station, a poster, or slipped into a fake parking ticket. Once scanned, it opens a payment page that mimics an official service.
Why it works
A QR code cannot be read by the naked eye. There is no way to know which address it points to before opening it. The target believes they are on a parking or fine payment service and enters their card details with confidence. The fraudsters polish the destination page so that it looks like an official public site.
How to spot the scam
- After scanning, look at the address shown by your phone before going any further. An unknown or misspelled domain, or one with an unusual extension, should make you back out.
- Be wary of a sticker that looks added on, peeling off or placed crookedly on a public device.
- A parking payment or a fine goes through known official channels, not an anonymous QR code.
What to do
- Do not pay through a QR code you come across in a public space. Use the app or official site you already know.
- If you have paid, contact your bank to block your card.
- Report the fake QR code to the site's operator and on the appropriate reporting platform.
Before approving a payment after scanning a QR code, copy the address and analyse it to detect a fake page.
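
The address checks described above (unknown domain, misspelling, unusual extension), as an added Python example that is not part of the original article. The allowlisted domains and sample URLs are constructed placeholders, and treating the last two labels as the registered domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist: replace with the domains of services you already use.
OFFICIAL_DOMAINS = {"cityparking.example", "fines-payment.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch misspelled lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_scanned_url(url):
    """Return a list of warnings; an empty list means the host is allowlisted."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # "https://official-name@other-host/" really opens other-host.
        warnings.append("userinfo before host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label")
    # Assumption: the last two labels are the registered domain (no suffix list).
    domain = ".".join(host.split(".")[-2:])
    if domain in OFFICIAL_DOMAINS:
        return warnings
    official_tlds = {d.rsplit(".", 1)[-1] for d in OFFICIAL_DOMAINS}
    near = sorted(d for d in OFFICIAL_DOMAINS if edit_distance(domain, d) <= 2)
    if near:
        warnings.append("misspelled lookalike of " + near[0])
    elif domain.rsplit(".", 1)[-1] not in official_tlds:
        warnings.append("unusual extension")
    else:
        warnings.append("unknown domain")
    return warnings

if __name__ == "__main__":
    # Constructed sample addresses, as they might appear after a scan.
    for sample in ("https://pay.cityparking.example/ticket?id=1",
                   "https://cityparkinq.example/pay",
                   "https://cityparking.example@pay-portal.test/"):
        print(sample, "->", check_scanned_url(sample) or "on allowlist")
```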