Why You Should Never Scan A QR Code To Pay For Parking

It's generally best to avoid scanning a QR code of unknown origin, and caution is becoming more important as threats proliferate. Anybody can make a QR code in a matter of seconds using free online tools, and it can lead anywhere the creator wants. Those black-and-white squares can direct a device to a webpage, trigger a file download or app install, or even initiate a payment, to name just a few examples. However, since most people are unlikely to scan random QR codes without good reason, scammers are finding creative ways to chum the digital waters. Their latest innovation? Malicious QR codes disguised as parking payment processors.

In the past, we've seen crafty criminals cram creepy codes in common contexts, hoping to con consumers. There's the predictable menu scam, which leverages the trend of digital restaurant menus brought on by the COVID-19 pandemic to entrap hungry diners. The FBI recently warned of another caper that involves scammers affixing QR codes to unsolicited packages which arrive without a return address; a perplexed recipient who scans them will be taken to a financial phishing page. Other QR code scams have forced companies to introduce countermeasures, which is why a screenshot of your concert ticket doesn't work anymore.

The latest QR-enabled heist involves parking payments, and has been spotted in major cities from Los Angeles to Denver. With digital parking solutions more common than ever and drivers already in a hurry, the codes function as the perfect bait for scammers. So, here's why you should never scan a QR code to pay for parking.

Scammers leave legitimate-looking QR codes on parking meters

In the latest QR code scam, spotted last year around Los Angeles and now becoming a headache for Denver officials, criminals are putting stickers with malicious QR codes on city parking meters. Scan one, and you'll be taken to a fake payment page that steals your personal and financial info. Parking meters are an admittedly clever vector for this kind of attack. City driving is frequently unpleasant, and parking all the more so. After circling in search of an open space and squeezing your car into one, you're looking to pay the meter quickly and move on with your day. Instead of fumbling with loose coins or a credit card reader, you might jump at the chance to pay for parking with a few taps on your phone.

Near Los Angeles, the scannable scam stickers were found pasted over real ones, highlighting the risks a city opens its residents up to when implementing QR codes for payments. A single criminal can blanket whole neighborhoods with fake QR codes. In at least one case, people saw fraudulent credit card charges within minutes of falling for a fraudulent QR code on a parking meter. Things are more clear-cut in Denver, where the Department of Transportation and Infrastructure told 9News that the city does not place QR codes on parking meters, and never uses them for payment. It says city-sanctioned codes instead direct Denverites to download the PayByPhone app. This is a slightly better approach, but experts still caution against downloading an app from a QR code.

How to spot a dangerous QR code

Not all QR codes are dangerous, of course. Whether used to access menus at restaurants, log into apps, connect to Wi-Fi networks, or even to access legitimate payment portals, QR codes are as easy to make as they are to use. But that ease of use is precisely what makes them an increasingly common vector for scam attacks. Many people are still unaware of the potential dangers. The increasing prevalence of QR codes in everyday life has compounded the risk by training people to scan them reflexively. So, how can you tell whether a QR code is kosher?

The best advice is to never scan a QR code that could have been tampered with until you have examined it. For instance, you can ask for a real menu at restaurants, or visit their webpage to find one. If those options aren't available, examine the QR code. Is it placed under glass or otherwise made inaccessible to you? If so, it's less likely to be fake.

Should you have no other option but to scan a QR code, take advantage of your smartphone's preview feature. Whether scanning QR codes on iPhone or Android, the native camera app surfaces a small preview of any QR code it sees. Tapping the preview activates the code, but there's also a smaller button that shows you more information about what it does. If the preview doesn't line up with your expectations, do not activate the QR code.
