Quishing: Physical Payment Point QR Code Scams

Quishing at physical payment points is a specific form of QR code fraud that targets everyday transactional contexts: parking meters, restaurant table codes, bike and scooter hire stands, electric vehicle charging points, and public information kiosks. A fraudulent QR code sticker is placed precisely over the legitimate code at the point where a genuine payment or interaction would be expected, making it extraordinarily difficult to identify without close inspection.

This form of fraud exploits the combination of a familiar action (scanning a QR code to pay or access information), a genuine transactional context (you are actually trying to pay for parking or access a menu), and the trust people place in physical infrastructure. Unlike phishing emails, which carry some learned suspicion, a QR code on what appears to be a fixed physical fixture carries an assumed legitimacy.

The fake payment page the victim is directed to is designed to match the expected service exactly: a parking payment interface, a café's ordering system, or a delivery fee collection page. Payment card details entered on this page are captured by the fraudster rather than processed for any legitimate service. In some cases the victim also does not realise the underlying service was not activated — they leave their car unticketed thinking they have paid, or wait for a food order that was never placed.

The harm includes both the direct financial loss from card details captured and, in the parking context, the potential fine for a vehicle that was never actually registered as paid.

The attacker places a sticker printed with a QR code over the legitimate QR code on a parking machine, table tent, or other fixture. The sticker is sized and printed to match the surrounding materials, and the legitimate code beneath is covered entirely.

When a user scans the code, the page that opens is a convincing fake of the expected service. It asks for the same information a genuine service would: bay number and registration, table number, or similar. When card details are entered and submitted, they are captured by the attacker and the page may show a confirmation to avoid immediate suspicion.

The attacker can place these stickers rapidly across many locations in a short time, making the operation scalable. Revenue from multiple victims at each location accumulates. Victims typically only realise something was wrong when they receive an unexpected card charge or notice the underlying service was not fulfilled.

In the restaurant context, orders placed through the fake code are never received by the kitchen. In the parking context, a vehicle registered as paid on the fake page has not been registered with the actual parking system.

Physical QR codes carry high implicit trust. They are associated with established infrastructure rather than potentially suspicious digital communications. The scanning of a physical code to pay for something is now a very common, routine behaviour in many contexts.

The contextual fit of the fake page — which matches exactly what the user expected to find when they scanned the code — removes the primary signal that would identify a phishing attack: mismatched expectations. Everything about the interaction feels right.

[Parking logo-style page] Enter your vehicle registration and bay number to pay. Card details required below.

[Restaurant ordering page] Welcome to [restaurant name]. Select your table and enter your order. Payment card details below.

[Delivery notice page] Your parcel could not be delivered. Scan to pay the [amount] redelivery fee: [card entry form]

Before scanning any QR code at a payment point, inspect the code closely. Look for signs that a sticker has been placed over the original: different paper texture, slightly raised edges, imperfect alignment with surrounding design elements. If the code appears to have a sticker on top of it, use the machine's alternative payment method instead.

After scanning, check the URL that opens in your browser before entering any payment details. The domain should match the known service — for example, a parking provider's known domain. If the URL is an unfamiliar domain, do not proceed and report the code to the relevant authority.

For parking, always use the alternative payment method (a phone number or the machine's card reader) if you have any doubt about the QR code.

Many legitimate parking and payment QR codes now display the destination URL below the code on the fixture — compare this with what your phone shows after scanning.