QR code 'quishing' scam in car parks and phishing emails
Impersonating: Parking / HMRC
What is this scam?
Criminals are placing stickers printed with fraudulent QR codes over legitimate ones on parking machines and public displays. Scanning the fake code takes drivers to a convincing fake payment site that harvests card details. A separate wave of phishing emails also embeds QR codes instead of text links to bypass email security filters, with HMRC and council services commonly impersonated. Action Fraud estimates UK victims are losing around £10,000 per day to QR code fraud.
Example scam message
Parking machine sticker text: 'Card reader temporarily out of service. Please scan the QR code below to pay for your parking and display your receipt.' [QR links to parking-pay-uk.xyz/pay — a fake card harvesting page]
Red flags to look out for
- The message creates urgency — threatening a fine, missed delivery, or account closure.
- Links lead to unofficial domains that don't match the real company's website.
- You weren't expecting this message and can't verify the event it references.
- It asks you to confirm payment details or personal information via a link.
- The sender's number or email address doesn't match the company's official contact.
What to do if you receive this
- Do not click links or call numbers provided in the message.
- Contact the organisation directly using details from their official GOV.UK page.
- Forward the message to 7726 or email report@phishing.gov.uk.
- Report it to Action Fraud at actionfraud.police.uk.
Received this message?
Forward it to 7726 (free on all UK networks) to report it to your mobile provider.
You can also report it to Action Fraud
or email the NCSC at report@phishing.gov.uk.
Not sure if your message is a scam?
Check it instantly with our free AI-powered detector.
Check a message nowSource: Action Fraud