The alarm about the new digital fraud from Pesaro. Not only parking lots, but also restaurants, apps, flyers and electric charging stations. Here’s how quishing works and the rules for defending yourself
You get out of the car, take out your smartphone, scan the black and white square on the parking meter and pay. A matter of seconds. But right here lies one of the latest digital scams: quishing: QR Code and phishing. The alarm comes from Pesaro, where Pesaro Parcheggi discovered dozens of pirate stickers glued over the original QR codes of the city’s parking meters. The company removed the bait and filed a complaint, but the phenomenon risks being replicated everywhere and not just on car parks.
The QR Code scam in parking lots: how it works
The mechanism is simple: scammers print a fake QR Code and apply it over the authentic one. Anyone who scans it does not end up on the Municipality portal, but on a clone page, graphically identical to the official one, where they enter their credit card details, the security code and sometimes even personal information to receive the receipt. Data that ends up straight in the hands of cyber criminals. The paradox? You don’t even pay for parking, with the risk of even getting a fine.
How quishing works and why it’s so insidious
A QR Code is an image that almost always contains a link. When you frame it, your smartphone automatically redirects you to a site or app. And this is where the trap comes into play. The strength of quishing lies in visual trust: a QR code seems technological, official, and above all it does not show where it leads before being opened. So you let your guard down and the scammer takes advantage. Fraudulent sites are often perfect copies of the original ones, with apparently regular logos, colors and payment systems. In some cases the code doesn’t just steal credentials: it can download malware that, once installed, gives criminals access to passwords, messages and even bank codes.
All the fields in which the QR Code scam can occur
Quishing doesn’t stop at parking meters. There are restaurants and clubs: a sticker on the table inviting you to “consult the menu” or “book” can open a page that downloads a virus or asks for your card details. Then there are events, fairs, flyers with codes scattered on posters or brochures that can hide malicious links. You can then receive emails and text messages with messages such as “Check your shipment” which, with QR Code, lead to clone sites of banks, couriers or online services. You can fall for fake app downloads too. Here the code downloads a file that looks like an official application but is a Trojan. Once installed, the scammer gains control of your phone. And quishing can also affect electric charging stations, ticket machines and ATMs. Wherever there is a QR to pay, a pirate sticker can be pasted over the legitimate one.
How to defend yourself from quishing: five golden rules
To protect yourself, a few precautions are enough. Touch with your hand: before framing it is always better to pass a finger over the QR Code. If you feel the step of a sticker applied on the surface it is almost certainly a fake. You then need to check the URL carefully after scanning the code. To pay for parking, the safest way is to rely on the official apps directly from the phone store, without going through external links. Then there are the two always valid rules against online scams: never enter sensitive data and keep your smartphone updated so that it more easily recognizes dangerous sites and suspicious files. What if you fear you’ve fallen into a trap? It is advisable to call the bank immediately, block the card, monitor the movements on the account and file a report with the Postal Police.
