Police in several US cities are warning residents not to pay for their parking space using QR codes taped to parking meters. That’s because these codes have been placed there by scammers, who use them to lead people to fraudulent sites that record their payment information.
Warnings have been issued by law enforcement officers in Austin and San Antonio during the holiday season (we saw the story via the overflow newsletter). Police say they have found a number of stickers with illegal codes on parking meters, while a report from the local news site Click2Houston shows how one of the fraudulent codes led people to a site that promised “fast parking”. (The site appears to be offline now.)
Police advise anyone who accidentally enters their credit card information on one of these sites to report it to the police and contact their card seller to reverse any payments.
APD Financial Crimes detectives investigate the discovery of fraudulent QR code stickers on the city of Austin’s public parking meters. People who tried to pay for parking using those QR codes may have been taken to a fraudulent website and made a payment. pic.twitter.com/Gb8gytCYn7
— Austin Police Department (@Austin_Police) January 3, 2022
While QR codes were once ridiculed as an outdated technology, they have become increasingly visible in the West in recent years. These two-dimensional barcodes can store fragments of data, but are often used to direct people to URLs. They have been a staple of digital payments in Asia for many years, but have been embraced in the West during the pandemic, used to match people to restaurant menus, report vaccination status and check in at venues.
The convenience of QR codes (QR stands for “quick response”) is offset by their lack of security. While the code itself cannot be composed, it can be used to direct people to fraudulent or dangerous sites, such as the parking meter scam. There is no way a human can “read” a QR code, and sample URLs created by mobile devices are often ambiguous at best. That makes them ripe targets for surprises or malicious redirects.
The advice to avoid these scams is the same as for phishing scams: check the URL of the website you’ve been redirected to for spelling mistakes or unprofessional design (not always useful when it comes to local government sites). And in the case of parking fees, look for official apps commonly used in US cities to make such payments.