Quishing is a variation of phishing - and here is how the scam can be avoided

Scottish police have warned motorists to be wary of “quishing” - a scam that sees legitimate QR payment codes on parking ticket machines replaced with fraudulent ones.

Police Scotland Tayside said council areas across the UK had seen a rise in the practice, which can take users to scam webpages where they can be tricked into paying money to fraudsters - or inadvertently signing up to a pricey subscription that is difficult to cancel.

What is quishing?

It is a variation of phishing - when criminals try to scam people into handing over money, often through unsolicited emails. The emails can often appear as if they are from a legitimate organisation.

In the case of quishing, QR codes on parking meters are replaced with stickers displaying codes which take a customer to a website where they can be scammed.

Police Scotland Tayside said: “Quishing attacks have recently been found in Scotland where QR codes lead members of the public to an online payment site. The use of malicious QR codes is attractive to fraudsters because they are simple to use and difficult to distinguish from legitimate ones.

“Some campaigns take victims directly to a seemingly legitimate parking payment page to capture financial information or a direct payment, whereas another tactic is to use the details provided to enrol the victim to a costly subscription that is complicated to cancel.”

How can you spot a fraudulent QR code?

Police say potential indicators that a QR code might be fraudulent include peeling edges and poor print quality, and the URL the QR code directs to may not relate to the expected parking company or council.

Police Scotland Tayside said: “As with any type of phishing, the best defence against quishing attacks is to be aware of the threat. If you become aware of these QR codes, please contact the parking operator and let them know.”

Police offered the following tips to avoid being scammed through quishing:

• Review the preview of the QR code's URL before opening it to see if it appears legitimate. You can do this by opening your mobile device camera and pointing this at the QR code. This will identify the webpage link and provide the site address the code will take you to;

• Make sure the website uses HTTPS rather than HTTP, doesn't have obvious misspellings and has a trusted domain;

• Don't click on unfamiliar or shortened links. Be extremely wary if a QR code takes you to a site that asks for personal information, login credentials or payment.
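The checks in these tips can also be applied automatically to a URL decoded from a QR code, for example by a parking operator auditing its own signage. The sketch below is an added example, not something from the police guidance; the trusted domain, the short list of link shorteners, the warning labels and the 0.85 similarity threshold are all assumptions chosen for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumptions for illustration: the operator's genuine payment domain(s)
# and a small sample of link-shortener hosts.
EXPECTED_DOMAINS = {"pay.council.example"}  # hypothetical operator domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}


def check_qr_url(url, expected=EXPECTED_DOMAINS):
    """Return warning labels for a URL decoded from a QR code ([] = none)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    if not host:
        return ["no-host"]

    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    # "https://trusted.example@other.test/" really goes to other.test
    if parts.username is not None:
        warnings.append("userinfo-in-url")
    if host in SHORTENERS:
        warnings.append("shortened-link")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")

    trusted = any(host == d or host.endswith("." + d) for d in expected)
    if not trusted:
        warnings.append("unexpected-domain")
        # Near-miss spelling of a genuine domain, e.g. "counci1" for "council"
        if any(SequenceMatcher(None, host, d).ratio() >= 0.85 for d in expected):
            warnings.append("lookalike-domain")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real campaign
    for sample in ("https://pay.council.example/zone/12",
                   "http://pay.council.example/zone/12",
                   "https://pay.counci1.example/zone/12",
                   "https://pay.council.example@parking-pay.test/"):
        print(sample, check_qr_url(sample))
```

An empty list only means none of these indicators fired; a site that passes can still be fraudulent.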

Previous warnings have been issued about the practice in other parts of the country, including in Aberdeen earlier this year.

Constable Richard Russell, from the North East Crime Reduction Team, previously said: “If the QR code is on a poster in a public area, always check whether it appears to have been stuck over the original. If the sign or notice is laminated and the QR code is under the lamination or part of the original print, chances are it’s more likely to be genuine.

“If in doubt, download the app from the official Google or Apple store or search the website on your phone’s internet browser, rather than scanning a QR code to take you there.”