How the fake QR code scam works in paid parking and how to defend yourself

Using a smartphone to pay for parking has become a common gesture: quick, convenient and apparently safe. Some reports, however, indicate that a carefully devised scam may be hiding behind this simplicity. In several European cities, including some Italian ones, stickers with counterfeit QR codes appear to have been affixed to parking meters over the authentic QR code. Scanning these codes redirects users to websites that imitate official payment services, such as EasyPark, but that in reality have only one purpose: to steal credit card data. This threat to motorists is an example of so-called quishing, a fusion of “QR” and “phishing”, which represents a sort of “transposition” of online scams from the virtual to the real world.

Regarding the Quishing technique, the State Police explains:

Anyone can create a QR code using the numerous sites available online. In addition, the image format used by the code prevents antivirus from detecting the potential threats contained within it. Framing the QR code with the camera of your smartphone, to access the audio guide of a museum, to view the menu of a restaurant, or to pay for parking, can lead the user to a fake site, created ad hoc by cybercriminals to steal their personal and banking data.

How the QR Code scam works in paid parking lots

Let’s look more closely at how the QR code scam works in paid parking lots. Basically, scammers create sites visually identical to those of the parking payment systems and generate QR codes which, if scanned, point to these fraudulent platforms. These QR codes are then printed and stuck on parking meters: users who scan them to pay for parking land on the fraudulent portal created ad hoc by the scammers, where they are asked for their card data, including the number, expiry date and CVV. If these data are provided, they end up directly in the hands of the cybercriminals. The deception works particularly well because it exploits a moment of distraction: few expect that a scam can originate from a simple sticker on a parking meter. Yet cases like these have already been reported in European cities such as Hannover, and apparently also in Italy, for example in Verona, where the company Amt3, in charge of managing the urban parking plan on behalf of the Municipality of Verona, has publicly reported the appearance of counterfeit QR codes at numerous parking spaces in the center, as shown by the following image, taken from an article in the local newspaper L'Arena.

On the left, the notice from the AMT3 company regarding the counterfeit QR codes; on the right, a sticker with a QR code used to orchestrate the scam. Credit: L'Arena.

The QR code scam, however, is not limited to paid parking. It could easily be replicated in other contexts, such as charging stations for electric vehicles, restaurant windows (with the excuse of inviting you to book a table or consult the online menu, for example), museums (perhaps inviting you to buy an audio guide), and so on.

How to defend yourself from Quishing

To defend yourself from quishing, first of all keep your eyes open and look carefully at the sticker bearing the QR code you are invited to scan: if it appears to be stuck over other stickers, or if it does not look very professional, this is a first alarm bell not to be ignored. Secondly, it is essential to check the address of the site that opens after the scan: strange domain names, or names similar to the authentic ones but with unusual extensions (such as “.live” or “.app”), should put you on alert. If the URL does not clearly belong to the official domain of the service, it is better to close the page and not enter any personal data. To be honest, you should never enter your payment card data on a site opened via a QR code. It is much better to open the site manually, or to use the app of the company that manages the parking payment directly, and proceed from there.

Regarding the defense strategies you can adopt to protect yourself from fraudulent QR codes, the police also recommend:

To avoid falling into the Quishing scam it is important to use the same good cybersecurity practices that we adopt for phishing, and reflect: check the address of the site that opens after scanning the code, being wary of URLs that are abbreviated or different from the official domain.
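
The address check described in the two passages above, written out as an added example (not code from the article, the police or any parking operator). The official domain, the shortener list and the sample URLs in the comments are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumptions: the operator's real domain is known in advance (placeholder
# below) and the shortener list is a small constructed sample.
OFFICIAL_DOMAINS = {"parking-operator.example"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
UNUSUAL_TLDS = {"live", "app"}  # the extensions the article mentions


def assess_qr_url(url, official=OFFICIAL_DOMAINS):
    """Return warnings for a URL decoded from a QR code (empty list = no finding)."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ["unparseable"]
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if parts.username is not None:
        # In https://official-name@other.host/ the text before '@' is NOT the host.
        warnings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        # Punycode labels can render as look-alike characters in the address bar.
        warnings.append("punycode-host")
    if host in SHORTENERS:
        warnings.append("shortened-url")
    # Official only if the host IS the domain or a true subdomain of it;
    # a plain substring or suffix match would accept look-alikes.
    if not any(host == d or host.endswith("." + d) for d in official):
        warnings.append("not-official-domain")
        if host.rsplit(".", 1)[-1] in UNUSUAL_TLDS:
            warnings.append("unusual-tld")
        brands = {d.split(".")[0] for d in official}
        if any(b in host for b in brands):
            warnings.append("official-name-in-foreign-host")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs, as a QR scanner would hand them over.
    for u in ("https://parking-operator.example/pay?zone=12",
              "https://parking-operator.example.pay-zone.live/",
              "https://bit.ly/3abcXYZ"):
        print(u, "->", assess_qr_url(u) or "no finding")
```

An empty result only means none of these checks fired; the article's advice to open the operator's site or app manually still applies.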