Quishing may not be a word you’ve heard before, but it’s rapidly becoming a big problem. Basically, it’s the name of a new parking scam that’s catching out thousands of drivers in cities across the UK, including right here in the North West. I first had reports of my breakdown recovery customers spotting it in both Manchester and Stockport, and since then it’s popped up in other surrounding areas like Bolton, Altrincham, and Sale (just to name a few). That means if you’re based in the North West yourself, there’s a good chance that cases of it may pop up relatively close to home.
So that leads us nicely on to the big questions: what exactly is quishing, and how can you avoid getting caught out?
Quishing is basically a new form of phishing attack that uses QR codes to trick people into handing over sensitive information or making payments to fraudsters. (The word itself is a portmanteau of “QR” and “phishing”.) It’s particularly effective because QR codes have become part of everyday life, especially since the pandemic. Most of us are used to scanning them to pay for parking, access menus, or download apps—and that familiarity is exactly what scammers are exploiting.
Here’s how it works: a scammer places a fake QR code over an official one (often with a realistic-looking sticker or flyer) at pay-and-display machines or on signage in public car parks. Unsuspecting drivers scan the code, expecting to pay for parking. Instead, they’re taken to a fraudulent website, or prompted to download a malicious app. From there, it’s easy for scammers to collect personal information or banking credentials or even sign the user up to a fake subscription to extract the maximum amount of revenue from them over a longer period.
A recent BBC investigation found that Action Fraud received 1,386 reports of QR-related scams in 2024 alone, a massive increase compared to just 100 incidents in 2019. What’s even more worrying is that the figures are likely to be a fraction of the true number, as many victims don’t realise they’ve been scammed, or simply never report it. In fact, nearly 3,000 incidents have been recorded over the last five years, with a significant number centred in large urban areas like London, and yes, Manchester.
One victim, Milton Haworth, scanned a QR code at a council car park in Castleford. He thought he was paying 90p to park, but later discovered a £39 charge for a bogus annual subscription. Like many others, he didn’t realise the code was fake until the money had already left his account. And when he deleted the app, the money was not refunded.
The main reason this is becoming such an issue is how incredibly low-effort it is for scammers to carry out. All it takes is a cheap printed sticker and a busy location. QR code stickers are easy to make, hard to trace, and take seconds to apply—especially when placed over legitimate codes on existing signage or machines. Plus, the con can be repeated across multiple locations, creating a wide net with minimal risk of detection.
Car parks are especially appealing targets. They tend to be places where people are in a hurry, juggling bags, passengers, or errands. In those situations, there are lots of people who won’t think twice about scanning a code and making a quick payment. Plus, with the rise of contactless, cashless transactions, many people don’t carry coins anymore. So if the QR code is the only visible method of payment, drivers can feel pressured into using it—without pausing to double-check where it’s taking them.
I also think it’s worth addressing this fact here: let’s be honest, pretty much all of us think that we won’t be the ones to get caught out—but that attitude in itself can end up making us easy targets, as it can be easy to get lulled into a sense of our own infallibility, which can weirdly make us more likely to make mistakes. There’s also the fact that even if only one in a hundred people fall for it, that’s enough to make it profitable—especially if they’re working multiple locations around Manchester, Stockport or Salford.
In brief:
In detail:
Start by treating any QR code with a healthy dose of skepticism, especially in public spaces. If it’s a sticker or it looks like it’s been placed over another sign, don’t scan it. Also, check for anything out of place—misaligned graphics, different branding, or signs of tampering.
I’d also strongly advise making sure that your smartphone and any payment apps are always running the latest software. Most scammers rely on outdated security to exploit weaknesses, so keeping everything updated adds a strong layer of defence. You may want to consider installing mobile antivirus apps too—they often scan websites in real time and can alert you to potential threats before you enter any information. And obviously, be very wary of being railroaded into downloading unfamiliar apps you’ve never heard of.
Where possible, it’s always best to stick to cash or use card machines directly rather than scanning a QR code. Most legitimate car parks still provide physical payment options (and if they don’t, that’s worth complaining about!). If the machine appears to be QR-only, check for a printed phone number or website address instead—you can always double-check it later.
Finally, if you do accidentally scan a dodgy code and suspect you’ve been targeted, act quickly. Contact your bank, report it to Action Fraud, and monitor your account for unusual activity. Even small, seemingly harmless transactions like £2.99 can be a sign that scammers are testing your details before launching a bigger attack.
Perhaps the most important piece of advice I can give you is this: trust your gut. If something looks off or feels wrong, it probably is. Most legitimate car parks should give you a decent window of time to pay, often for exactly this sort of reason—so that motorists can do their due diligence. On the other hand, if they are one of the more predatory companies (which sadly do exist) who don’t appear to give you sufficient time… well, to be honest, at that stage it might be simpler all round to find another place to park.