QR codes in the parking sector: The unfortunate rise of ‘quishing’ and how to spot it

Parking

QR codes in the parking sector: The unfortunate rise of ‘quishing’ and how to spot it

Over the last few months there have been numerous stories in the media about motorists being scammed by fake QR (Quick Response) codes on parking machines. Despite the growing awareness campaigns, it seems that more and more drivers are being caught out by what looks like a bona fide new way of paying for their parking session.

We all use QR codes in our every day lives – TV programmes often offer ‘exclusive content’ through on-screen codes, and access to early-bird concert tickets is often hidden in a link behind the monochromatic pattern.

We adapted our behaviour significantly during the early days of the COVID-19 pandemic, eschewing coins and notes for using apps and innovative touch-free methods to pay to leave our vehicle in a seemingly secure environment, so the sudden appearance of QR codes on the sides of parking payment machines just feels like another step towards the dream of seamless mobility

However, recent headlines such as “Motorists warned of fake parking QR codes being used in ‘quishing’ scams,” and “Councils warn misleading QR codes may lead drivers to fraudulent websites where personal data is stolen” have only served to add to the overwhelming feeling that someone, somewhere is perpetually on the verge of infiltrating your details.

In the UK the RAC warned that drivers should be “very vigilant” and continue to pay for their parking with coins, notes, cards or apps, rather than using a QR code that takes them to a website and running the risk that the code had just been stuck there by in an act of parking skulduggery. Quishing is the new term for such an act – a neat portmanteau of “quick” and “phishing”.

However, recent headlines have only served to add to the overwhelming feeling that someone, somewhere is perpetually on the verge of infiltrating your details

Simon Williams, the RAC’s Head of Policy, told the press that: “The increasing popularity and ease of using QR codes appears to have made drivers more vulnerable to malicious scammers. For some, this sadly means a Quick Response code could in fact be a ‘quick route’ to losing money.”

MR PARKING ON THE CASE

Globally respected parking consultant and expert, Manny Rasores (popularly known as Mr Parking), a member of the European Parking Association’s Policy and Strategy Committee, has been keeping track of what is in danger of becoming an epidemic of its own.

“QR codes began to be adopted from a parking point of view when we were all warned off using coins, because they could be a carrier of the COVID virus,” he says. “It’s important to mention though that there is quite a significant difference between the UK and most of Europe in the use of QR codes. The markets are very different, yeah, and it's worth possibly explaining that in the UK, QR codes were developed primarily as an alternative to card payments, because many of the payment machines that are managed by local authorities don't accept card payments and they are under pressure to accept forms of payment other than coins. Some have adopted Pay By Phone with an app, and in some cases, they have adopted the QR code. Because the rest of Europe tends to invest more in parking technology the equipment that is purchased is capable of accepting coins and credit and debit cards.”

QR codes were developed primarily as an alternative to card payments, because many of the machines that are managed by local authorities don't accept card payments and they are under pressure to accept forms of payment other than coins

 

Keeping with the UK as an example, local authorities are notoriously short of funding and so tend to look for other alternatives instead of upgrading the existing machines.

“This is why it's more prevalent here,” suggests Rasores, a UK-based Spaniard, “and the problems have been greater here in the UK than across most of Europe where barrier-controlled car parks are far more prevalent. That was what the Guardian newspaper article said – ‘councils warn of misleading codes may lead drivers to fraudulent websites’. I’m involved with the British Parking Association and we set up a group to discuss this several months ago and to look for ideas and alternatives to keep our members informed of what they need to do to be on top of this,” he explains.

SAFETY IN NUMBERS

Local authorities are also creating WhatsApp groups so they can keep an eye on any nefarious activities in their car parks and share information. 

Adds Rasores: “They've been trained what to look for, and if they see any QR code stuck over an existing sign, they can remove it and notify the group. Local authorities are getting together to combat this because they’ve got people attending the site on a daily basis, often multiple times.”

The local authorities have been trained what to look for, and if they see any QR code stuck over an existing sign they can remove it and notify the group

The situation is exacerbated, however, in the world of private parking. In this sector the car parks are more often than not operated remotely with ANPR, where the camera is your ticket, with payment by app or card or by pre-registration. The convenience of touch-free parking is countered by the fact that there is far less, and in some cases no need for operators to visit and inspect the site. Because the sites are so irregularly inspected, says Rasores, also prominent member of the British Parking Association’s Technology, Innovation & Research Board, the scammers can stick on a fake QR code that might stay there for several weeks until it’s noticed.

“And when will they notice?” he asks, rhetorically. “They will notice when they receive a penalty charge notice (PCN) three weeks later, because although they think that they have paid for their parking session they actually haven’t as they just given £8 and their card details to a scam website.”

 

POTENTIAL SOLUTIONS

For every measure there’s a countermeasure. For every countermeasure there’s a counter-countermeasure. In the parking industry as fast as potential solutions to fake payment portals are created new ways of scamming the unwitting general public appear. Rasores insists that there are several potential countermeasures at parking’s disposal.

People will notice when they receive a penalty charge notice three weeks later, because although they think they have paid for their parking session they have just given £8 and their card details to a scam website

“Printing the QR code on the ticket is one,” he maintains. “So when you issue a ticket on entry, for those who want another payment option they can use the QR code on the ticket itself. There’s no need to go to a pay machine and queue when you return to the car park, or make a phone call or use an app, from the comfort of your vehicle, or even when you get home, you can just activate the QR code and it takes you on to the operator's website to complete the payment. That cannot be subject to any fraud or scam because that code has actually been printed by the machine itself when it issues your ticket.”

Another solution is the introduction of the smart QR code that isn’t even printed but appears on the display screen of the parking machine. Press the button and a QR code appears on the screen for the driver to photograph.

It's good that the media is picking up on this, because we need to make the general public aware that they need to be more vigilant

“Again, this is something that can’t be subject to fraud as the machine is generating it,” Rasores points out. “It's good that the media is picking up on this, because we need to make the general public aware that they need to be more vigilant.” 

Fraudulent QR codes are not just affecting the parking industry - EV charging has also been adversely affected. As more EV chargers are installed, this presents an increasing opportunity for QR code scams.

“The number of EV chargers have been growing significantly, and because of government legislation, many of these AC charges work by way of a subscription. So to see a QR code there is quite normal which means it’s open to abuse.

“We're definitely working hard to try to overcome it,” Rasores concludes, “but it depends how many of these scammers are active and whether they move to something else.”