That QR Code on the Parking Meter Could Be a Scam: How to Spot a Fake

A QR code is convenient because you don't have to type anything — you point your phone, it opens a website, done. But that's also the whole problem: you can't read a QR code with your eyes, so you have no idea where it's about to send you until you're already there. Scammers have figured this out, and they've turned it into a fast-growing con with its own name — "quishing," short for QR-code phishing. The version hitting Southern California hardest right now is brutally simple: a fake QR sticker slapped on a parking meter.

This one is worth understanding even if you're comfortable with technology, because there's nothing to "catch" — no bad spelling, no obvious glitch, no virus warning. You scan a code in a perfectly normal place, land on a page that looks exactly like a real payment site, type in your card to pay for parking, and the money goes straight to a stranger. Here's how it works, how to tell a fake from the real thing, and what to do if you've already scanned one.

How a fake QR code actually robs you

The mechanics are low-tech and that's what makes them effective. A scammer prints a sticker with their own QR code and presses it right over the legitimate one — or just next to it, where you'd never notice. When you scan it, the code opens a near-perfect copy of a real payment or login page: the right logo, the right colors, a web address that looks close enough at a glance. You enter your card number or your account details to "pay," and those details land directly in the scammer's hands. Some fake codes skip the fake page entirely and instead push your phone toward installing a malicious app.

The reason this beats the usual scam advice is that there's no message to second-guess. With a fake toll text you can stop and think "I don't even have a toll account." With a QR sticker on the exact meter you're standing at, everything feels legitimate — you came here to pay for parking, and here's a code that lets you pay for parking. The trust is in the location, and that's precisely what the sticker hijacks.

It's already happening here in Southern California

This isn't a far-off warning. In Redondo Beach, police found roughly 150 fake QR stickers on parking meters along the Esplanade and the Riviera Village, glued right beside the legitimate ParkMobile and PayByPhone labels so they'd blend in. A driver in San Clemente scanned one of these fakes, entered a card number to pay for parking, and their card company called about unauthorized charges within minutes. The city of San Diego put out its own warning to drivers — and made a useful point in the process: San Diego's meters don't take QR-code payment at all, so a QR sticker stuck on one there is a red flag by itself.

Parking meters are just the most common target. The same trick has turned up on EV charging stations (one couple scanned a code at a charger and got enrolled in a costly monthly subscription), on restaurant table menus, on event flyers, and on payment kiosks. Anywhere a QR code is expected and money changes hands, a sticker is cheap to print and easy to stick.

How to spot a fake before you scan

Start with the sticker itself, because the physical tells are often the clearest. A code stuck on top of another one, peeling or bubbled edges, a label that's slightly crooked or a different finish than the meter's printing, or a sticker that covers up printed text — any of those means stop. On a city meter, a hand-applied sticker that doesn't match the rest of the machine is a giveaway.

Then let your phone help. When you point your camera at a QR code, it shows you the web address before it opens it — read that address instead of tapping straight through. The real ParkMobile site is parkmobile.io; a look-alike like "parkmobile-pay.com," a real name with extra words tacked on, or a random shortened link is the scam. Watch for misspellings and switched letters, which is exactly the advice the FTC gives. And remember you almost always have another way to pay — a posted phone number, an app, or a card slot — so you're never actually forced to trust one sticker.

Scan it the safe way — or skip the code entirely

The safest move at a parking meter is to ignore the sticker completely and pay through the official app you downloaded yourself — ParkMobile or PayByPhone from the App Store or Google Play — or through the phone number printed on the meter. An app you installed goes to the real company every time; a sticker goes wherever someone stuck it. For anything else that asks you to scan and pay, type the company's web address into your browser by hand instead of using the code.

A few habits make the whole category much safer. Never enter a card number, a password, or a login on a site you reached by scanning an unexpected code — treat "scan to pay" with the same suspicion as a link in a text from a stranger. Keep your phone's software up to date so a malicious page has fewer ways in. And turn on two-factor authentication for your bank and email, so that even if a scammer grabs a password, it isn't enough to open the account on its own.

QR codes show up in emails, texts, and "mystery packages" too

Quishing didn't stay on the street. Scammers now drop QR codes into phishing emails and texts on purpose, because a code tucked into an image often slips past the spam filters that would have caught a bad link — so you'll see a fake invoice, a "your package is being held" notice, or a "re-confirm your account" message with a code to scan instead of a link to click. The FBI has even warned about unordered "mystery packages" that arrive with a QR code inside, daring you to scan it to find out who sent it.

The rule here is the same one that beats fake toll texts: don't scan a QR code from a message, email, or package you weren't expecting — especially one that pressures you to act fast. A real company giving you a code to scan is fine; a surprise code that wants your login or your payment is not.

If you already scanned one and entered your details

Move quickly, but don't panic — caught early, this is very recoverable. Call your bank or card issuer right away, using the number on the back of your card, and have the card frozen or replaced; fraudulent charges are far easier to reverse in the first hours than after they've settled. Then change the password on any account you typed into the fake site, plus anywhere you reused that same password, and switch on two-factor authentication while you're there.

If you entered details on a computer, or a scanned code may have nudged an app onto your phone, run a security scan to be safe. Then report it so the next person doesn't get caught: the FTC takes reports at ReportFraud.ftc.gov and the FBI at ic3.gov, and it's worth telling the business whose code was faked — the parking company, the restaurant, the venue — so they can pull the sticker down.

If you're not sure, ask before you scan

QR-code scams work by removing the one thing that usually saves you — a chance to look at where a link goes before you commit. When something feels off, or you've already scanned a code and you're worried, a quick second opinion costs nothing. We'll check the web address with you and tell you whether it's the real company or a copy, and if something already went through, we'll help you lock down the card and accounts, scan the device for anything left behind, and clean up the mess. We're local across Southern California and the Coachella Valley, onsite or by remote support — and because we don't sell anything but honest help, we'll tell you straight whether you're fine or you've got a problem to fix.