Parking Garage QR Code Scam: What It Is and What to Do
You pulled into a garage, scanned the QR code on the kiosk or pay-by-phone sign, and the page that opened looked a little off. Here's how scammers target parking garage customers — and exactly what to do if you already entered your card details.
How the parking garage QR code scam works
Parking garages are ideal targets for QR code fraud. Kiosks and payment pillars are often unattended for hours, lighting is poor, and drivers are in a hurry and distracted. Those conditions give an attacker everything they need: thirty seconds and a sticker QR code are enough to compromise a terminal that hundreds of people will use before anyone notices.
In the most common variant, attackers place a small sticker QR code directly over the one printed or affixed to the pay station. When you scan it, you land on a phishing page designed to look like a parking payment portal — it may display a fake session timer, a plausible total, and a card-entry form. You enter your card number, expiration date, and CVV, and the attacker captures the data in real time.
A second variant targets garages that advertise "pay by phone." Scammers post their own signage — often printed on adhesive paper and stuck over or near the real sign — with a QR code pointing to a fake payment portal. The sign looks official because it uses the garage's name and color scheme, copied from a quick photo of the real signage.
A third, less common variant arrives after you've already parked. A scammer sends an email or text claiming to be from the garage's management company, saying a balance is outstanding or your session is about to expire, and includes a QR code to "pay now." The sense of urgency — combined with the fact that you did just park there — makes this convincing.
The mechanics are closely related to the fake street parking meter QR code scam and the gas station pump QR code scam: all exploit unattended outdoor or semi-outdoor payment points where a sticker is easy to place and rarely inspected.
Real parking payment page vs. phishing page: how to tell them apart
The single most reliable check is the URL. Pause before you tap in any payment details and look at the domain in your browser's address bar.
Signs of a legitimate parking payment page:
- The domain matches a recognized parking operator (e.g., parkmobile.io, spplus.com, lazcitypark.com) or the city's own .gov domain
- The page shows the garage name, your entry time, and the specific location — it knows where you are
- Payment is processed through a branded checkout with a clear summary before any charge
- The branding matches what you see on the physical kiosk or signage
Red flags on a phishing page:
- A generic or lookalike domain that doesn't match the operator's name on the kiosk
- A bare card form — number, expiration, CVV — on the first screen, with no session or location summary
- No mention of which garage, level, or spot you're paying for
- Slightly off branding: compressed logo, wrong font, unfamiliar color
- An unsolicited text or email containing the QR code (legitimate garages don't chase you for payment via random messages)
The safest habit: if the QR takes you to a domain you don't recognize, close the browser and pay at the physical card reader on the kiosk, or call the number printed on the parking receipt or signage to verify the correct payment URL.
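The domain check described above can be automated by anyone who builds or reviews a QR scanner. The following is an added example, not code from this article or from any parking operator: it compares the host of a decoded QR URL against the operator domains listed above and rejects the common lookalike tricks. The function name `check_payment_url`, the verdict labels, and every sample URL in the comments are constructed for illustration.

```python
from urllib.parse import urlsplit

# Operator domains named in the article; add the domain printed on your kiosk.
OPERATOR_DOMAINS = {"parkmobile.io", "spplus.com", "lazcitypark.com"}


def check_payment_url(url, allowed=OPERATOR_DOMAINS):
    """Return (verdict, reason) for a URL decoded from a parking QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "reject", "URL does not parse"
    if parts.scheme != "https":
        return "reject", "not an https link"
    if not host:
        return "reject", "no host in URL"
    if parts.username is not None or parts.password is not None:
        # e.g. https://parkmobile.io@pay-session.example/ : the trusted
        # name sits before the '@', the real host comes after it.
        return "reject", "userinfo in URL hides the real host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "reject", "internationalized host, possible homoglyph lookalike"
    # Accept only an exact match or a true subdomain. A bare endswith(domain)
    # would also accept hosts like notspplus.com.
    for domain in allowed:
        if host == domain or host.endswith("." + domain):
            return "allow", "host belongs to " + domain
    if host.endswith(".gov"):
        # Coarse: any .gov host passes. Pin to the city's own domain if known.
        return "allow", "government domain"
    # Operator name appears in the host but is not its registered suffix,
    # e.g. parkmobile.io.pay-session.example
    for domain in allowed:
        brand = domain.split(".")[0]
        if brand in host:
            return "reject", "lookalike: contains '%s' but is not %s" % (brand, domain)
    return "review", "unrecognized domain; pay at the physical card reader"
```

A "review" verdict corresponds to the advice above: close the browser and pay at the kiosk or verify the URL by phone.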
What to do right now
Your response depends on how far you got before you noticed something was wrong.
If you only scanned and didn't enter any payment information: Your risk is low. Close the browser tab and don't return to the page. Pay at the physical terminal, use the operator's official app, or call the number on the kiosk.
If you entered your credit or debit card details, act immediately:
- Call your card issuer now. Use the number on the back of your card — not any number from the page you visited. Report the card as potentially compromised and ask them to freeze it and send a replacement.
- Watch for small test charges. Attackers typically run a $0–$1 authorization to verify the card is active before selling the data or making larger purchases. Dispute any charge you don't recognize, however small.
- Alert the garage operator. Contact the management office or the number on the kiosk and describe what happened — what the page looked like and which kiosk or sign you scanned. They can inspect the terminal for sticker QR codes and remove them before the next driver is affected.
- File a report with the FTC at reportfraud.ftc.gov. Your report helps the agency track fraud patterns and supports enforcement actions.
For a full recovery walkthrough after any suspicious QR scan, see what to do if you scanned a suspicious QR code. For detailed guidance on card compromise, see QR code credit card scam: what happens and what to do.
Frequently asked questions
How does a parking garage QR code scam work?
Attackers place a sticker QR code over the legitimate one on a pay-station kiosk or pillar. Scanning it opens a phishing payment page that collects your card details instead of connecting to the real parking system. A second variant uses fake "pay by phone" signs with fraudulent QR codes. A third sends an urgent email or text after you park, claiming a balance is due and including a QR code to a fake payment portal.
How can I tell a legitimate parking payment page from a phishing page?
A real payment page uses the parking operator's official domain, shows the garage name and your session details, and processes payment through a branded checkout. A phishing page lands on a generic or lookalike domain, presents a bare card form with no session summary, and may have slightly off branding. If the URL doesn't match what's printed on the kiosk, close the browser and pay at the physical card reader instead.
I entered my card info at a parking garage QR code — what should I do?
Call your card issuer immediately using the number on the back of your card, report it as potentially compromised, and request a replacement. Watch for small test charges and dispute anything unfamiliar. Alert the garage operator so they can inspect and remove any fraudulent sticker QR codes, and file a fraud report with the FTC at reportfraud.ftc.gov.
Check a parking garage QR code before you pay
QRsafer scans any QR code and shows you the destination URL with a Safe, Risky, or Dangerous verdict before your browser opens it. Free on iOS and Android — takes two seconds at the kiosk.
