You walk up to a parking meter, spot a QR code on the housing, and scan it. The page that loads looks like a city payment portal. It asks for your credit card number, expiration date, and CVV. You type everything in, pocket your phone, and head to lunch. The meter never registers a payment. Your card details, meanwhile, are already in someone else’s hands.
That is not a hypothetical. It has happened in New York City, Asheville, Orlando, and a growing number of municipalities across the country. As of June 2026, transportation agencies, the Federal Trade Commission, and the U.S. Postal Inspection Service are all warning that fraudulent QR-code stickers on public parking meters have become one of the most common street-level financial scams targeting American drivers.
Where the scam has been confirmed
New York City’s Department of Transportation confirmed that at least one fraudulent QR-code sticker was placed on a ParkNYC meter. The sticker directed users to a third-party page requesting credit card information, according to the agency’s scam advisory. “Do not scan any QR codes on parking meters,” the agency warned in its public notice, adding that the only legitimate payment channels are the ParkNYC app and the meter’s built-in card reader. Anyone who spots a suspicious sticker should call 311.
In Asheville, North Carolina, city parking staff found and removed stickers from multiple downtown meters. Those codes led to malicious software or fake parking sites built to harvest credit card data, the city said in a public notice. Asheville does not use QR codes on its meters at all, which means any code stuck to one is a scam, no judgment call required.
Orlando has reported the same pattern, with fake QR codes discovered on downtown meters. The incidents were reported by Orlando-area television station WKMG, though no direct link to the station’s coverage is available for independent verification. Beyond these three confirmed cases, similar warnings have surfaced in local news coverage from Texas, California, and other states, though specific police department sources and official advisories for most of those locations have not been independently verified in public records. The pattern, however, is clearly national. Federal agencies are treating it that way.
The U.S. Postal Inspection Service calls the tactic “quishing,” a blend of QR code and phishing. The agency’s consumer guidance explains that scammers post physical QR codes in high-traffic locations to funnel victims to spoofed sites that capture card numbers. The same technique has shown up on restaurant tables, parking receipts, and printed flyers. The FTC has flagged QR code scams in its own consumer alerts, warning that the codes can lead to phishing pages or trigger malware downloads.
Why parking meters are perfect targets
The setup is almost insultingly simple. A scammer prints adhesive stickers that mimic official branding, sticks them onto meters in busy commercial districts, and walks away. Drivers in a rush scan without questioning the source. The fake page asks for a card number, expiration date, and CVV. Because paying for parking feels routine and low-stakes, many people enter their details before noticing that nothing has changed on the meter display or in the official parking app.
The boom in app-based parking payment has made the scam more believable. Millions of drivers in U.S. cities now expect to interact with digital payment systems at the curb. A QR code on a meter does not look suspicious in that context. It looks like a shortcut.
Detection is painfully slow. Parking enforcement officers typically inspect meters for mechanical issues and expired tags, not for counterfeit payment stickers. A well-placed sticker could sit on a meter for days or weeks before anyone flags it, especially on a less-trafficked block. None of the municipal advisories issued so far have said whether routine inspections now include systematic checks for fraudulent codes.
What remains unclear
No city or federal agency has released a count of how many drivers have actually lost money to parking meter quishing. NYC DOT confirmed at least one sticker but did not say whether more were found across the city’s broader meter network. Asheville confirmed “multiple” meters were affected without specifying a number or disclosing whether residents reported financial losses.
The dollar scale of the fraud is essentially unknown. The Postal Inspection Service’s quishing guidance describes the mechanics but does not cite victim counts or losses specific to parking meters. Without centralized reporting, each city treats its cases as isolated incidents, which makes it hard to tell whether these scams are opportunistic copycats or pieces of a more organized operation.
There are also unanswered questions about the infrastructure behind the fraud. City statements focus on the physical stickers and the need to avoid them but do not detail whether the malicious domains were tied to a single operator or to multiple groups copying the playbook. No arrests connected to parking meter quishing have been publicly announced as of June 2026. No publicly available victim statements or law enforcement interviews specific to parking meter quishing have surfaced in official records, which limits the ability to convey the personal impact of these scams beyond the documented agency warnings.
How to protect yourself at the meter
The best defense is a simple habit change. If a city says it does not use QR codes on its meters, any code you see is fraudulent, period. Even in cities where QR codes are part of the official system, typing a known URL directly into your browser or opening a trusted parking app is safer than scanning an unfamiliar code taped to a meter.
Before scanning any QR code in a public space, look for physical signs of tampering: stickers placed over existing labels, slightly misaligned branding, or URLs that do not match the city’s official domain. If the page that loads asks for information the official app would never request, close it immediately. Using the meter’s built-in card reader or contactless tap-to-pay terminal, where available, sidesteps the QR risk entirely.
If you think you already scanned a fraudulent code and entered payment information, move fast:
- Call your bank or credit card issuer to dispute any unauthorized charges and request a replacement card. Most major issuers will reverse fraudulent charges if reported promptly.
- Watch your statements closely for unfamiliar transactions over the following weeks.
- File a report with the FTC at reportfraud.ftc.gov and with your local police department.
- If the meter belongs to a city system, call the city’s non-emergency line (311 in many municipalities) so parking staff can locate and remove the sticker before it catches the next driver.
A two-dollar transaction, a drained account
The scam works precisely because the dollar amount feels trivial. Nobody second-guesses a parking payment the way they would a wire transfer or a suspicious email from a “bank.” Scammers are exploiting that instinct, and the physical world gives them an advantage that email phishing does not: a QR code stuck to a city-owned meter carries an implied authority that a random link in your inbox never could.
Five seconds of verification before you type in your card number is the cheapest insurance you will find at the curb. Check the app. Check the URL. And if something looks off, trust that instinct over the convenience of a quick scan.
