How to Spot a Fake QR Code on a Parking Meter
A sticker that costs thirty cents to print is now one of the most common payment scams in U.S. cities. If a QR code on a parking meter looks even slightly peeled, crooked, or generic, don't scan it. Pay at the meter or in the city's app instead.
How the sticker scam works
A scammer prints a QR code on cheap sticker stock and slaps it on top of the meter's real instructions. The code routes to a look-alike payment page — sometimes a near-perfect clone of the city's vendor site — that captures your card details and never sends a cent to the city. You drive away thinking you paid. Hours later, a meter maid writes you a ticket. A few days after that, your bank flags a second charge from a merchant you've never heard of.
There's a name for the technique: quishing, short for QR-code phishing. The FTC has warned about it since 2023 and called out parking meters as a target. It works because people trust QR codes the way they trust printed signs. A sticker on a city-owned meter feels official, and most drivers don't pause to question it.
Physical red flags on the meter itself
Look at the sticker for ten seconds before you scan. Most fakes fail this check:
- Peeling or lifted corners. City labels are usually laminated or embedded into the meter housing, not stuck on top. A curling corner means it was added later.
- Air bubbles, wrinkles, or crooked placement. Real labels are applied with a press tool at the factory. Fakes go on by hand, in a hurry, over an existing surface.
- Generic wording. "Pay here" or "Scan to pay" with no zone number, meter number, or operator name is a tell. Legitimate parking systems print a zone code or stall ID — that's how the back-end matches your payment to your spot.
- Slightly off logo. Wrong shade of blue, blurry resolution, or a typeface that doesn't match the rest of the meter. Scammers grab city logos off the web; the colors and crispness rarely match the originals.
- The thumbnail test. Gently lift one corner. If it peels cleanly, it's a stick-on. Walk away.
URL red flags after you scan
If the sticker passes the physical check, the URL is your second filter. Most phone cameras now show the destination URL on a preview banner before the page opens. Pause and read it before tapping.
Look-alike domains are the giveaway. In Los Angeles, the scam URL was poi2park.com — one transposed letter from the legitimate pay2park.com. Other patterns to watch for: unfamiliar TLDs like .xyz, .top, or .info; long strings of dashes; injected words like "fast" or "secure" (secure-parking-pay.com); or a raw IP address instead of a domain name.
A legitimate URL points to one of two places:
- The city's own domain —
austintexas.gov,portland.gov,sfgov.org, etc. - A named third-party vendor: PayByPhone, ParkMobile, Park ATX, Passport Parking. If the preview banner shows anything else, close it.
The page should also be HTTPS and load on the city's branded skin. A blank generic checkout form is a red flag.
Where it's happening
This isn't a one-off prank. It's an organized, multi-city pattern that recurs every few months.
- Austin, TX: Austin police confirmed fraudulent QR stickers on 29 city meters, all redirecting to non-official payment sites.
- San Antonio, TX: Over 100 pay stations were stickered in the same coordinated campaign.
- Houston, TX: Houston parking enforcement reminded residents that the city has never used QR codes for parking payment. Every QR sticker on a Houston meter is fraudulent by definition.
- Los Angeles, CA: The
poi2park.comlook-alike domain captured card details across multiple neighborhoods.
If your city is on this list, treat any QR code on a meter as a fake until proven otherwise.
What to do if you already scanned and paid
Three steps, in order:
- Call your card issuer and dispute the charge. The merchant name on your statement won't match the city. Card networks routinely reverse these once you flag them, and most issuers will reissue the card on request.
- Contest the parking ticket if you got one for the same time slot. Cities have voided these in bulk for confirmed sticker-scam victims — bring the bank statement and the photo of the sticker if you took one.
- Report it. File at ReportFraud.ftc.gov. The FTC tracks the campaign at a national level, and the FBI's quishing alert covers the same scam family across parking, packages, and email.
If the fake page asked for more than card details — a phone number, an email password, a wallet seed phrase — change those credentials right away and turn on two-factor authentication wherever you haven't already.
Frequently Asked Questions
Do real cities ever use QR codes for parking?
A few do, but most U.S. cities — Houston, for example — explicitly do not. Even cities that allow QR payment route it through a city-branded app or a printed, laminated sign with a zone number, not a sticker slapped over the meter face. If you see a code on a sticker with no zone number or city branding, treat it as suspicious.
What URL should I expect to see when I scan a real parking meter QR code?
Either the city's official domain (something like portland.gov or austintexas.gov) or the city's named parking vendor (PayByPhone, ParkMobile, Park ATX, Passport Parking). Look-alike domains with extra words or transposed letters — pay-park-fast.com, poi2park.com — are a giveaway. Read the URL preview banner your phone shows before tapping.
I already scanned and paid. What should I do?
Call your card issuer right away and dispute the charge — the merchant on the statement won't match the city. If you got a parking ticket for the same time slot, contest it; most municipalities have voided tickets for sticker-scam victims. Then report the fraud at ReportFraud.ftc.gov so the FTC can track the campaign.
<script type="application/ld+json"> { "@context": "https://schema.org", "@type": "FAQPage", "mainEntity": [ { "@type": "Question", "name": "Do real cities ever use QR codes for parking?", "acceptedAnswer": { "@type": "Answer", "text": "A few do, but most U.S. cities — Houston, for example — explicitly do not. Even cities that allow QR payment route it through a city-branded app or a printed, laminated sign with a zone number, not a sticker slapped over the meter face. If you see a code on a sticker with no zone number or city branding, treat it as suspicious." } }, { "@type": "Question", "name": "What URL should I expect to see when I scan a real parking meter QR code?", "acceptedAnswer": { "@type": "Answer", "text": "Either the city's official domain (something like portland.gov or austintexas.gov) or the city's named parking vendor (PayByPhone, ParkMobile, Park ATX, Passport Parking). Look-alike domains with extra words or transposed letters — pay-park-fast.com, poi2park.com — are a giveaway. Read the URL preview banner your phone shows before tapping." } }, { "@type": "Question", "name": "I already scanned and paid. What should I do?", "acceptedAnswer": { "@type": "Answer", "text": "Call your card issuer right away and dispute the charge — the merchant on the statement won't match the city. If you got a parking ticket for the same time slot, contest it; most municipalities have voided tickets for sticker-scam victims. Then report the fraud at ReportFraud.ftc.gov so the FTC can track the campaign." } } ] } </script>The takeaway
The sticker tells, the URL tells, and the simple fact that most U.S. cities don't use QR codes for parking at all are enough to catch nearly every fake. The whole inspection takes under a minute: ten seconds on the sticker, ten on the URL preview, and a quick check that the domain matches either the city or a named vendor.
If anything looks off, pay at the meter directly or open the city's app. And if you want a second opinion on a URL before you tap, QRDock's scanner runs a best-effort safety check on every code it reads. It won't catch every fake, but it flags the obvious look-alikes. For the broader question of whether QR codes are safe in general, see our is it actually safe to scan a QR code explainer.