← Back to articles

How to Spot a Fake QR Code on a Parking Meter

June 3, 2026

How to Spot a Fake QR Code on a Parking Meter

A sticker that costs thirty cents to print is now one of the most common payment scams in U.S. cities. If a QR code on a parking meter looks even slightly peeled, crooked, or generic, don't scan it. Pay at the meter or in the city's app instead.

How the sticker scam works

A scammer prints a QR code on cheap sticker stock and slaps it on top of the meter's real instructions. The code routes to a look-alike payment page — sometimes a near-perfect clone of the city's vendor site — that captures your card details and never sends a cent to the city. You drive away thinking you paid. Hours later, a meter maid writes you a ticket. A few days after that, your bank flags a second charge from a merchant you've never heard of.

There's a name for the technique: quishing, short for QR-code phishing. The FTC has warned about it since 2023 and called out parking meters as a target. It works because people trust QR codes the way they trust printed signs. A sticker on a city-owned meter feels official, and most drivers don't pause to question it.

Physical red flags on the meter itself

Look at the sticker for ten seconds before you scan. Most fakes fail this check:

URL red flags after you scan

If the sticker passes the physical check, the URL is your second filter. Most phone cameras now show the destination URL on a preview banner before the page opens. Pause and read it before tapping.

Look-alike domains are the giveaway. In Los Angeles, the scam URL was poi2park.com — one transposed letter from the legitimate pay2park.com. Other patterns to watch for: unfamiliar TLDs like .xyz, .top, or .info; long strings of dashes; injected words like "fast" or "secure" (secure-parking-pay.com); or a raw IP address instead of a domain name.

A legitimate URL points to one of two places:

  1. The city's own domain — austintexas.gov, portland.gov, sfgov.org, etc.
  2. A named third-party vendor: PayByPhone, ParkMobile, Park ATX, Passport Parking. If the preview banner shows anything else, close it.

The page should also be HTTPS and load on the city's branded skin. A blank generic checkout form is a red flag.

Where it's happening

This isn't a one-off prank. It's an organized, multi-city pattern that recurs every few months.

If your city is on this list, treat any QR code on a meter as a fake until proven otherwise.

What to do if you already scanned and paid

Three steps, in order:

  1. Call your card issuer and dispute the charge. The merchant name on your statement won't match the city. Card networks routinely reverse these once you flag them, and most issuers will reissue the card on request.
  2. Contest the parking ticket if you got one for the same time slot. Cities have voided these in bulk for confirmed sticker-scam victims — bring the bank statement and the photo of the sticker if you took one.
  3. Report it. File at ReportFraud.ftc.gov. The FTC tracks the campaign at a national level, and the FBI's quishing alert covers the same scam family across parking, packages, and email.

If the fake page asked for more than card details — a phone number, an email password, a wallet seed phrase — change those credentials right away and turn on two-factor authentication wherever you haven't already.

Frequently Asked Questions

Do real cities ever use QR codes for parking?

A few do, but most U.S. cities — Houston, for example — explicitly do not. Even cities that allow QR payment route it through a city-branded app or a printed, laminated sign with a zone number, not a sticker slapped over the meter face. If you see a code on a sticker with no zone number or city branding, treat it as suspicious.

What URL should I expect to see when I scan a real parking meter QR code?

Either the city's official domain (something like portland.gov or austintexas.gov) or the city's named parking vendor (PayByPhone, ParkMobile, Park ATX, Passport Parking). Look-alike domains with extra words or transposed letters — pay-park-fast.com, poi2park.com — are a giveaway. Read the URL preview banner your phone shows before tapping.

I already scanned and paid. What should I do?

Call your card issuer right away and dispute the charge — the merchant on the statement won't match the city. If you got a parking ticket for the same time slot, contest it; most municipalities have voided tickets for sticker-scam victims. Then report the fraud at ReportFraud.ftc.gov so the FTC can track the campaign.

<script type="application/ld+json"> { "@context": "https://schema.org", "@type": "FAQPage", "mainEntity": [ { "@type": "Question", "name": "Do real cities ever use QR codes for parking?", "acceptedAnswer": { "@type": "Answer", "text": "A few do, but most U.S. cities — Houston, for example — explicitly do not. Even cities that allow QR payment route it through a city-branded app or a printed, laminated sign with a zone number, not a sticker slapped over the meter face. If you see a code on a sticker with no zone number or city branding, treat it as suspicious." } }, { "@type": "Question", "name": "What URL should I expect to see when I scan a real parking meter QR code?", "acceptedAnswer": { "@type": "Answer", "text": "Either the city's official domain (something like portland.gov or austintexas.gov) or the city's named parking vendor (PayByPhone, ParkMobile, Park ATX, Passport Parking). Look-alike domains with extra words or transposed letters — pay-park-fast.com, poi2park.com — are a giveaway. Read the URL preview banner your phone shows before tapping." } }, { "@type": "Question", "name": "I already scanned and paid. What should I do?", "acceptedAnswer": { "@type": "Answer", "text": "Call your card issuer right away and dispute the charge — the merchant on the statement won't match the city. If you got a parking ticket for the same time slot, contest it; most municipalities have voided tickets for sticker-scam victims. Then report the fraud at ReportFraud.ftc.gov so the FTC can track the campaign." } } ] } </script>

The takeaway

The sticker tells, the URL tells, and the simple fact that most U.S. cities don't use QR codes for parking at all are enough to catch nearly every fake. The whole inspection takes under a minute: ten seconds on the sticker, ten on the URL preview, and a quick check that the domain matches either the city or a named vendor.

If anything looks off, pay at the meter directly or open the city's app. And if you want a second opinion on a URL before you tap, QRDock's scanner runs a best-effort safety check on every code it reads. It won't catch every fake, but it flags the obvious look-alikes. For the broader question of whether QR codes are safe in general, see our is it actually safe to scan a QR code explainer.