Tonbridge and Malling Borough Council has issued an urgent public safety alert following the discovery of fake QR codes on parking machines across the borough. These codes were specifically designed with the clear intent of stealing banking details from unsuspecting drivers.
Drivers must now exercise extreme caution when paying for parking. The sophisticated stickers direct users straight to fraudulent websites, a process which could quickly expose their personal and financial information to criminals. The council confirmed the fake codes were found on several pay and display machines, including one at the busy Angel Car Park in Tonbridge town centre.
How the ‘Quishing’ Scam Works
Action Fraud refers to this fraudulent practice as ‘quishing’ – a blend of QR code and phishing – and it has quickly become a major concern for authorities. The scam works when criminals place bogus stickers, featuring a QR code, directly onto official parking machines. These stickers successfully mimic legitimate digital payment options.
When a driver scans the code with their smartphone, they are instantly redirected. The link takes them to a bogus website that looks exactly like a genuine payment portal for a local authority or parking provider.
Motorists enter their payment details, including card numbers and security codes, assuming they are paying for their parking session. Crucially, the transaction does not register. Consequently, the motorist is left vulnerable to both financial fraud and a potential parking fine.
Tonbridge and Malling Borough Council stressed that these stickers are easily identified as fraudulent. This is because the council does not currently use QR codes as a payment method in any of its car parks.
Speaking forcefully, a council spokesperson issued a clear warning to the public: “We don’t display QR codes on any of our parking machines – so if you see one in a council-run car park, you can be certain it’s a fake.”
Council Takes Swift Action
In response to the discovery, staff at TMBC have undertaken a thorough inspection and sweep. They are checking all payment machines across their car parks, aiming to find and remove any malicious stickers immediately.
The council is strongly urging all users to rely only on established payment methods. These include cash, chip and PIN card payments, or using the official RingGo application. Drivers should always ensure they download any necessary apps directly from their phone’s official app store.
Widespread National Threat
While this particular alert focuses on Kent, ‘quishing’ is unfortunately establishing itself as a rapidly growing national problem. Indeed, councils across the entire UK have recently discovered similar large-scale deployments of fake codes.
Reports confirm these incidents. They are affecting areas from Perth and Kinross in Scotland to Sunderland and Dorset in England.
Because of this trend, the RAC previously advised UK motorists to be “very vigilant.” They noted that QR codes are popular and easy to use; unfortunately, this convenience has created a new, easily exploited vulnerability for drivers.
Tips for Spotting a Fake Payment Code
Motorists should adopt a “stop and check” approach before scanning any code on a public machine. Fraud prevention experts and local authorities have issued clear guidelines to help drivers identify when a QR code has been tampered with.
Inspect the Physical Code
- Check for Tampering: Genuine codes are usually printed directly onto the machine or embedded securely within the signage.
- Look for Flaws: If you see a code that appears to be a sticker placed over the original text, or if it is peeling at the corners, you should treat it as highly suspicious.
- Find Errors: Fraudulent stickers sometimes obscure important payment instructions, or they may feature noticeably poor quality printing.
Verify the Digital Destination
- Examine the URL: Once scanned, your phone screen will display a preview of the destination website’s address.
- Look for Mistakes: Check the URL for subtle spelling errors. Also, look for domain names that do not match the local authority or a known, trusted parking provider.
- Ensure Security: A legitimate payment page must always start with “https://” (this indicates a secure connection). Look for a small padlock icon next to the address bar; its absence is a clear red flag.
- Avoid Personal Questions: Legitimate parking payments only require a vehicle registration and card details. If the site suddenly asks for excessive personal data, such as a home address or card PIN, navigate away immediately.
What to Do If You Are Affected
Anyone who suspects they may have scanned a fake QR code and entered their payment details must take immediate steps to lessen the potential financial loss. Contact your bank or card provider straight away. Report the transaction as fraudulent and request a card cancellation.
Following this, all incidents must be reported. Contact the national reporting centre for fraud and cyber crime, Action Fraud. You can do this via their website or by calling their reporting line. Reporting incidents helps law enforcement track the criminal networks operating these serious scams.
