‘Quishing’: new QR code scam sweeps UK car parks
Nearly a third of UK local authorities hit by new form of online fraud
Nearly a third of all local authorities and over a dozen hospitals in the UK have had their car parks targeted by so-called “quishing” scammers, the Bureau of Investigative Journalism (TBIJ) can reveal.
A growing type of digital scam, “quishing” uses fake QR codes to trick people into visiting malicious websites or revealing sensitive information such as card details.
Car parks have become a common target, with stickers bearing fake QR codes plastered on ticket machines or street signs. The codes often lead to a website that mimics the actual parking payment site. In many cases, victims are also signed up to bogus subscriptions that repeatedly take money from their accounts.
In a major investigation published today, TBIJ traced a “quishing” scam in Leamington Spa back to a global fraud operation that stretched to Dubai, Cyprus and the Philippines.
While less common than some other scams, “quishing” is growing. Action Fraud received nearly 800 reports of QR fraud in the 12 months up to April 2025, with victims losing a total of £3.5m.
Joe Powell, Labour MP for Kensington & Bayswater, told TBIJ: “This investigation lays bare how global fraud networks are exploiting regulatory gaps in the UK’s company formation system to operate with impunity.”
“That these scams can thrive using everyday tools like QR codes in car parks shows just how embedded online fraud has become in daily life. Fraud now accounts for 40% of all crime in the UK, yet only 1% of policing resources are being used to fight it. The response must match the scale of the threat.”
TBIJ sent freedom of information requests to every council and hospital trust in the UK to gauge the prevalence of the issue. Of the 373 local authorities that responded, 123 said they had received reports of their car parks being targeted in the past year.
Sheffield council reported that every single one of its 370 parking ticket machines had been targeted. Other councils including Bournemouth, Christchurch and Poole (BCP), Sandwell, Bradford, Lichfield and Cheltenham have all had more than a dozen car parks hit.
On top of that, scammers also targeted over 20 hospitals up and down the country, including Ipswich, Kent & Canterbury, Royal Victoria and Queen Elizabeth hospitals.
Through the FOI requests, TBIJ obtained the names of around 400 car parks affected by the scams. However the true number is likely higher still, as council staff often remove the fake QR codes without recording the location.
Evidence supplied by the councils in response to TBIJ’s requests also show how some members of the public have lost considerable sums of money to these types of scams.
In one case, a woman who parked her car in Cirencester claimed to have had £406 stolen from her account after a QR code duped her into giving her bank details by mimicking the website of parking app giant PayByPhone.
Similar cases occurred in Blackpool, BCP and Sunderland, where victims lost over £100 each to the scams.
A recurring theme from the reports was of an initial small sum being taken from the victim’s account – supposedly for the parking ticket – which would then be followed by larger withdrawals for online subscriptions they had never signed up to.
The scams often rely on victims failing to check their bank statements frequently or to notice the withdrawal of smaller sums.
“These findings are deeply worrying,” said Kevin Hollinrake, the shadow minister of housing, communities and local government.
“Councils need to act urgently and be supported by the government to bolster cybersecurity and protect the public from increasingly sophisticated scams like quishing.”
Reporter: Simon Lock
Additional reporting: Lucy Nash
Enablers editor: Eleanor Rose
Deputy editor: Katie Mark
Editor: Franz Wild
Production editor: Alex Hess
Fact checker: Alex Hess
Illustration: Daniel Stolle
TBIJ has a number of funders, a full list of which can be found here. None of our funders have any influence over editorial decisions or output.