The Parking Meter Sticker Scam: Spot a Fake QR Code in 5 Seconds

The Parking Meter Sticker Scam: Spot a Fake QR Code in 5 Seconds

You find a spot, you're running late, and there's a QR code right on the front of the parking kiosk. You scan it, the payment page loads, you tap in your card, done. Total time: forty-five seconds.

Except the sticker wasn't from the city. It was printed by scammers and placed directly over the real code. Your card information went straight to them.

Police in Toronto, Kelowna, and cities across Southern California have confirmed this is happening right now — and the technique is spreading. This is the parking meter sticker scam, and it's effective specifically because there's nothing digital to second-guess before you scan.

How the Sticker Scam Actually Works

The setup is brutally simple. A scammer prints a high-quality QR code sticker — vinyl, weather-resistant, sized to match — and places it over the legitimate QR code on a parking kiosk or meter. Sometimes it's a straight overlay. Sometimes they peel the corner of the original sticker back and layer theirs on top so it looks flush and factory-installed.

When you scan it, you get redirected to a fake payment page. These pages are convincing. They look like ParkMobile, PayByPhone, or your city's official parking portal: right fonts, right colors, right logo. You enter your card number, you get a confirmation number, and everything seems normal.

It isn't. Your card number is now with whoever built that site. The parking confirmation was invented. Your actual car is probably getting a ticket.

Toronto police confirmed receiving reports in April 2026, with drivers redirected to malicious websites after scanning what appeared to be official parking meter codes. In Kelowna, British Columbia, RCMP investigators found fraudulent QR codes had been placed on 75 parking meters across the city. Southern California police issued warnings through KTLA after the same technique appeared on meters in that region. Asheville, North Carolina issued a local alert. This pattern isn't contained — it's been reported in American and Canadian cities simultaneously, which means whoever is running this isn't operating locally.

Why This One Is Harder to Spot Than a Phishing Text

If you get a text claiming your package is on hold and you need to pay $3.99 to release it, there are signals: the sender is a number you don't recognize, the link has a weird domain, the urgency is overdone. You have things to evaluate before you do anything.

A QR code sticker on a parking kiosk gives you nothing before you scan. Every QR code looks identical — black squares on white background. There's no way to tell by looking at it where it goes.

The physical environment also works against you. You're in a parking lot, probably in a hurry, possibly on a busy street with a meter running. The kiosk is at waist level and you have about thirty seconds of tolerance for this transaction. You scan and you move.

Digital quishing attacks — the type sent by text or email — still require you to trust a message you received. The parking meter version removes that step entirely. The code is physically attached to the device you're supposed to use. That's a meaningfully different kind of attack, which is why the standard "check the sender" advice doesn't help you here.

The Five-Second Physical Check Before You Scan

Here's the good news: the fake sticker almost always has tells. You just have to know what you're looking for.

Run your fingernail along the edge of the QR code. A legitimate QR code on a city kiosk is printed directly on the equipment, set into the housing, or installed as a flat embedded graphic. A fake sticker placed on top will have a raised edge — a tiny border you can catch with your nail. If the edge lifts at all, don't scan.

Look for a layer of paper under plastic. Some scammers use a paper sticker covered with clear tape or self-laminate to protect it from weather. That combination looks slightly duller than the surrounding kiosk material and has a different surface texture. Run your thumb across it and compare to the kiosk body.

Check the sticker for alignment. The real QR code on a kiosk is typically printed or installed as part of a labeled instruction panel — aligned with surrounding text, flush with the surface. A sticker placed by hand often sits at a slight angle or has a small gap between the sticker edge and the panel border.

Look for the destination URL before you pay. Once you've scanned, your phone will show you a preview of the destination or take you directly there. Before you enter anything, look at the address bar. ParkMobile is parkmobile.io. PayByPhone is paybyphone.com. Your city's portal will be on a city or government domain. If you see something unfamiliar — a string of random characters, a brand name you don't recognize, or a domain that doesn't match the branding on the page — close the tab.

Check what information the page asks for. A legitimate parking payment needs your card number, expiration date, CVV, and a billing zip code. If the page asks for your full address, your Social Security number, or your bank login credentials, it's not a parking site.

Use the physical card reader instead. Most modern parking kiosks still accept tap-to-pay and chip cards directly on the machine. The card reader is built into the hardware — it can't be replaced with a sticker. If the kiosk has a card reader, use that instead of scanning anything.

If You Already Scanned and Entered Your Card

Don't wait for a charge to appear. Call your card issuer now and report the number as potentially compromised. Most issuers can cancel and reissue your card immediately, and acting before a fraudulent charge posts gives you more recovery options.

If a charge already showed up, dispute it as fraud. Document what you can: take a photo of the meter if you can safely return, note the URL you were redirected to, save the fake confirmation number if you received one.

Also report the sticker to your city's parking enforcement. They can inspect the meter, remove the fake code, and warn other drivers. A quick search for "[your city] parking enforcement report" will find the right contact. In the US, report the fraud at ReportFraud.ftc.gov{:target="_blank"}. If you're in Canada, report to the Canadian Anti-Fraud Centre.

For a full recovery checklist, see the guide on what to do after clicking a scam link.

How to Pay for Parking Without Scanning Anything

The simplest defense is to avoid scanning entirely when you have another option.

Use an app you already have installed. If your city uses ParkMobile, PayByPhone, or a city-specific app, download it once from the official app store and use it from then on. You don't need to scan a QR code to use these apps — you enter the zone number printed on the kiosk sign, which scammers can't swap out with a sticker.

Use the card reader on the kiosk. Tap-to-pay or chip card, directly on the machine.

Check if the kiosk has a zone number. Even if you're using a parking app for the first time at that location, the zone number on the physical sign is genuine. Scammers can't replace the engraved or bolted-on zone identifier as easily as a sticker.

If the only available payment option is a QR code and you have doubts, it's worth finding a different meter or a parking garage. That's inconvenient, but fake payment pages are designed to look legitimate right up to the moment they're not — and at that point the damage is done.

Scammers are counting on the fact that you're in a hurry and the code looks exactly like it should. Take five seconds. Check the edge.

FAQs About Parking Meter QR Code Sticker Scams

How do I tell if a QR code on a parking meter was placed there by scammers?

Run your fingernail along the edge. A real QR code is part of the kiosk's printed or embedded panel. A fake sticker sits on top of that surface and usually has a raised edge or a corner that lifts. If anything peels away from the surface, don't scan it.

What should I do if I think I found a fake QR sticker on a parking meter?

Don't scan it. Note the location (street address and meter number if visible), photograph the meter, and report it to your city's parking enforcement and local police. In the US, also report to the FTC at ReportFraud.ftc.gov.

I scanned the code but didn't enter any payment information. Am I still at risk?

The main risk in these parking meter scams is entering payment credentials. If you scanned and saw a suspicious-looking site but entered nothing, your immediate risk is low. Still, note the URL, close the tab, and don't go back to it.

Can this scam steal information from my phone just by scanning the code?

Most of these parking meter scams are after payment credentials, not device access. That said, some malicious QR codes redirect to pages that attempt to install apps or run scripts. Never install an app prompted by a QR code on a parking kiosk.

There's a small unfamiliar charge from what I thought was a parking payment. Is that the scam?

Possibly. Scammers sometimes run a small test charge first to confirm the card is valid before making larger unauthorized transactions. Dispute any unfamiliar charge as fraud with your card issuer, even if the amount seems minor.

Are there other places besides parking meters where this technique is used?

The same sticker-overlay approach has been reported at EV charging stations and, less frequently, at tables with payment QR codes at restaurants. Any physical QR code at a payment terminal is worth a quick visual and tactile check before you scan.

---

Sources: Toronto Police Service via CP24 (April 30, 2026); RCMP Kelowna via Global News; KTLA Southern California; ABC7 Los Angeles; FTC ReportFraud