Can we stop making new -ishing words for scams? This weird lingo is part of what turns the less savvy users off from paying much attention to their personal security. Just say a [type of] scam such as "a QR code scam" or "text message scams," etc.
We do not need to coin a new term for each one of these things and nobody is winning any prizes for adding more layers of abstraction to fight through when trying to communicate security concepts to the people who really need to listen to it.
It's got to be pure marketing - the British media certainly loves a buzzword, but I suspect that's more to do with their clickbait strategy. ("What is blishing? Have I fallen for it?"). Perhaps it helps some people compartmentalise, but I couldn't find any research that looks into any increased cognitive load.
Our workplace cybersecurity training introduces at least 1 new word each year. This year's was "vishing" which apparently is just social engineering/credential extraction that takes place over the phone. Of course, it's presented to non-technical users as a well-adopted term that is very important to know (for the checkbox quiz in 3 slides' time).
I am in full agreement. However, it seems to be human nature to make portmanteau words, acronyms, abbreviations and slang. All of my attempts to outlaw these things and impose fines have fallen on deaf ears. I must also confess that I have used these terrible words...
The delineation is useful for broad audiences.
As someone who regularly has to digest relevant security information and deliver it to teams that generally do not know a lot about or do not enjoy using computers, I can tell you that no, it is not useful.
The parking garage one can be really insidious. The parking apps where I live in Canada have a terrible design; you absolutely cannot start a parking session without an account that requires you to input name, address, phone number, and then the app itself has other technical glitches that genuinely made me wonder if I had been scammed.
What makes it doubly so is that the parking companies have been removing the parking machine terminals in some locations. The Royal BC Museum in Victoria BC comes to mind last time I was there. I'd be surprised if someone hasn't at least tried a QR code scam on it by now.
That's just all parking apps in my experience.
The websites (if they exist) are usually about as bad.
Car parks make more money if they can fine you, so there's no incentive to make payment easy or make it work reliably.
Car parks in Australia just have credit card NFC terminals which are provided by the banks.
Oh damn I never realised that. There is a class of services where they want to make payment difficult to collect penalties.
Citymove in Prague works really well and has great design ;)
I never pay parking if a machine isn't there. I've never been caught. And if I'm ever fined I'm taking that all the way to court. One must have extreme disdain for such things.
Having lived in China for five years and seeing how it is done there (literally everywhere), I see this as a payment problem. There is no sensible, low cost payment infrastructure to support this safely. Instead most of the west has a fractured app ecosystem where each app ‘does payment’ rather than via a set of trusted payment apps that do the security up front and then passes to the provider.
For example, in the article the photos show an anonymous QR code you’d scan with your camera, rather than in China where you’d use Alipay or WeChat, whose app you’d use to scan the QR.
When I returned from China, it took a while to readjust to the heightened (and often expensive) friction of payments.
Not saying scams don’t exist in China, just that the payment provider gives some guarantees on the veracity of the claim made by the QR code.
This is a cost saving play by the car parks operators.
Here in the UK we had car payment stations: You enter your car registration number, you pay by card or contactless. Done. Safe. It works.
BUT, this is more expensive for the operator to install and maintain than just sticking a notice to tell you to install an app and to use it to pay.
That being said, usually the QR code is not required; it is just to make it "easier", as the notice explicitly says which app to install and provides the unique reference of the car park, too. You may also be able to pay over the phone rather than using the app. This is all shown on the article's first picture.
So, really they could just remove those scam-prone QR codes. I suspect that they don't care, though, and even profit from those scams since they can fine you for not having actually paid.
They could just put a QR code of a different WeChat account.
Yes, so worst case you paid a little bit of money to the wrong account. This is much worse - usually the QR code leads you to an app that then authenticates with your bank and can transfer an arbitrary amount of money out.
The problem I think is with the bank. They don't give you a way to authorize a single payment or authenticate yourself without just giving away total access to your funds.
It should be like cryptocurrency where there is a separation of the public and private key. Or even better, something like Chaumian e-cash. I feel like that would pretty much shut down the majority of financial crime.
Since it's all tied to real IDs, wouldn't that involve heavy risks from the scammer's side? I know it's possible, but still a bit less risk if your Scam HQ operates overseas.
I suppose, but you could say the same about bank transfers in the west
The government saw the basic problem in 2019 - a fragmented market with over 30 different parking apps - and funded a pilot to create a single unified parking payment platform. Unfortunately, the new government isn't interested in supporting the project further.
https://npp.org.uk/
https://www.theguardian.com/money/2025/feb/22/uk-wide-parkin...
Why do we need an app to pay for parking? I think that's the real question.
I far prefer using an app for parking - despite the frustration of having to have five or six different apps for this in my phone. I, like a lot of people, don't carry small change (or even cash) and the apps offer considerable utility beyond simply paying for the parking - being able to extend your parking slot remotely, for example. It also means that you don't have to hunt around for the parking meter for a particular location - most of the time you can search by the street name, or an ID code, and it will automatically locate you to the correct zone.
It also makes it far easier for parking monitoring - with a description of each vehicle and the registration plate, a traffic warden can easily look at the cars parked in a particular area, discount the ones that have an active parking session, and focus their attention on the vehicles that have exceeded the allowed booking, or have bought a paper ticket from the machine.
It also means that you can do an approximation of real-time capacity in parking areas, without having to go to the expense of installing sensors in parking bays etc.
So lots of advantages, I think, over cash. The obvious downside is when the app doesn't work (I've had this happen on occasion) and for drivers who don't have smart phones (a small number, I think, but still worth considering) or technically less adept users - some of these apps have truly awful UX, which I've struggled with on occasion, so for people who struggle with technology, and particularly perhaps older people, they may be exclusionary. However, in most areas, you can still pay via the machine.
Pay machines that only accept cash are long gone. In fact pay machines that accept cash at all are on the way out as it is getting card/contactless only. Monitoring is already done by ANPR and so pay machines do require entering car registration numbers (which can also be printed on ticket for visual checks).
I think contactless is as easy and convenient as it gets. Enter registration number, tap, done.
If the government wanted to mandate something useful for consumers it should mandate pay machines instead of app/phone only as some car parks now are.
The only reason these apps are becoming ubiquitous is that they are cheaper for the operators than installing and maintaining pay machines. That is it.
I've encountered pay machines that only accept cash twice in the past couple of years in rural areas and was surprised. Like you, I thought they were long gone, but I guess there are still some out there. Those ones did have stickers on them (fortunately!) directing me to one of the fleet of pay for parking apps out there, which I used. Not being familiar with the area though, I had no idea if the app I was being sent to was legit. I didn't even think about it, I just thought "oh, yet another parking app I need to download" and went ahead.
Contactless is easy - but there's a far higher cost (each machine needs to have connectivity etc). Plus it doesn't let you extend remotely, which is something I use very regularly. I guess from a user perspective that's a benefit, but from an operator perspective it's a potential downside - would I pre-pay for more parking if I couldn't extend? Probably. But would I potentially park elsewhere, for a car park where you pay on exit, thus removing that revenue from them entirely? Possibly. I guess it would depend on lots of factors, and my one-person study is perhaps not the most reliable data!
I agree that they are becoming ubiquitous because they are cheaper for operators, but I don't think that this is the only reason: I do think that they genuinely offer greater utility than a pay at machine with contactless option.
Interested to know what you mean "monitoring is already done by ANPR" because this is not my experience where I am based. Do you mean street based parking, or in car parks?
For the street based parking where I am, the traffic wardens have a tablet that shows them the make, model, registration number of the vehicles parked in a particular area, and generally make their patrols on foot, so I'm not sure there's any ANPR being used. I guess there could be CCTV cameras covering exit and entry points to particular locations, but in European countries and the UK I'm pretty sure that there need to be notification signs that your registration plate is being captured in that situation.
SOMEBODY needs to create a canonical app, because otherwise that hole will be filled by organized gangs
https://xkcd.com/927/
What’s the alternative? Machines to pay are much more expensive than a sign with a QR code.
You don't need an app to accept online payments.
There are indeed pay machines, and removing them is only a profit-squeezing play by the operators.
You also never need the QR code. It's only provided as a "convenience". And in fact they usually also provide a way to pay by phone (see illustrative picture in article).
So these are all issues created by bad engineering and operators trying to squeeze as much as they can without consideration for the users.
> You don't need an app to accept online payments.
Right, but does it matter if it’s an app or a website?
> There are indeed pay machines, and removing them is only a profit-squeezing play by the operators.
Yes, and?
> You also never need the QR code. It's only provided as a "convenience". And in fact they usually also provide a way to pay by phone (see illustrative picture in article).
Of course you don’t need a QR code specifically, but you probably need some kind of URL (which can then be imitated by the scammer) so everyone can pay.
> So these are all issues created by bad engineering and operators trying to squeeze as much as they can without consideration for the users.
I wouldn’t call it bad engineering, it’s a tradeoff. Either expensive machines for every parking space or a simple sign with a QR code.
How do you protect yourself from this? Treat public QR codes like "free" USB drives – don't use them?
The same way you might treat a URL randomly written on a billboard.
Barring vulnerabilities in your QR reader, it should be enough to just read the URL.
and how do you know the real parking company's URL is 'city-secure-parking.com' and not 'express-city-parking.com'?
You don't. But the problem is not the QR code. The problem is the same as "URL randomly written on a billboard".
I think the term you two look for is "Lack of Authentication". The QR codes are not authenticated to the reader.
Call the city to verify.
If enough people do it, they'll find a way to solve the problem (e.g. a subdomain of the official city site, putting back regular parking meters/machines, ...)
A lot of these car parks are privately owned, so the local authority will reasonably respond by saying "nothing to do with us mate".
I mean in this case I would recommend using a search engine to cross-reference, and any other phishing countermeasures you might normally use.
I think the situation is dire when it comes to non-technical users, but I don't think QR codes are the problems here, someone could equally well paste a sticker over the entire board with all the URLs replaced or with details of a completely different (fake) parking company (but I agree replacing QR codes probably makes it harder for an employee to spot).
My actual IRL solution would be to look up the parking company and their domain based on the lot's Google/other map data. It might also be fake but that seems less likely.
If there's no machine to pay directly, no attendant, not a city owned lot, and no verifiable payment site online... I'd be inclined to do what someone else suggested and just not pay and see what happens.
The real solution seems like it should be a physical payment machine that accepts credit cards/cash. Those could also be fake, but much, much harder to pull off successfully (easier to track fraudulent credit card processors, and no chance of leaking CC credentials with EMV contactless).
Yeah, we need authenticated QR codes and web of trust (only half-joking.)
My experience is that Easypark works in most of Europe and is great because of that. I trust them, and that's all I need. I really avoid QR codes, and I don't want to install your little local app.
Another commenter in this thread says parking works well in China, because WeChat is the trusted middle man.
Sadly, as always, winner takes it all has its benefits in terms of ease of knowing what to trust.
Was wondering why such scams are not a thing in India (yet?), and realized there is always a person next to the QR to verify the payment. So such QR quishing scams are much harder to pull off.
[Not saying there are no scams in India. Just that QRs for payments are very popular here as well, and scammers are smart and active, so was wondering why not]
Why not a short URL where one can at least read the domain name and see if it looks reasonable before progressing with whatever the task ($£kr) is
Even seeing the domain name doesn't solve the fundamental trust problem. A malicious actor could post a fake QR code or fake short URL leading to "city-parking-secure.com" or similar legitimate-looking domain.
The real solution is establishing a trusted channel - citizens need to know they should only pay for municipal parking through their city's official domain (e.g., sf.gov/parking). But this isn't possible when it's some random parking company. I don't see a great solution.
The parking company could use a subdomain, say parking.sf.gov
That could help, as `.gov` can only be registered by the US government. But... a lot of the millennial and gen X generation have misguided beliefs about the trustworthiness of TLDs. Such as thinking `.com` is more trustworthy than `.net` under the assumption that it can only be registered by a real company.
I'm convinced the only responsible solutions are chip-only payment processors and conventional coin machines, as pricey as they are.
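Several comments above reduce to one check: read the URL the QR code decodes to and accept it only if its host sits under a domain you already trust from some other source, as in the `sf.gov` / `parking.sf.gov` example. The Python sketch below is an added example, not part of the thread; `check_qr_url`, the trusted-domain set and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the payer learned this domain from the city itself, not from the
# sign. sf.gov is the example domain used in the thread.
TRUSTED_DOMAINS = frozenset({"sf.gov"})

# Plain ASCII DNS name: letter/digit/hyphen labels and an alphabetic TLD.
# Anything else (backslashes, homoglyphs, raw IP addresses) is refused outright,
# so a host that merely *ends* in ".sf.gov" after odd characters cannot pass.
_DNS_NAME = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def check_qr_url(decoded, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for the text a QR code decodes to."""
    text = decoded.strip()
    # Some URL parsers silently drop tabs/newlines; refuse them before parsing.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
        return False, "whitespace or control character in URL"
    try:
        parts = urlsplit(text)
        host, port = parts.hostname, parts.port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    # "https://sf.gov@other-host/" shows the trusted name but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before the host"
    if not host:
        return False, "no host"
    if port not in (None, 443):
        return False, "unexpected port"
    if host.endswith("."):
        host = host[:-1]  # tolerate a single trailing root dot
    if not _DNS_NAME.fullmatch(host):
        return False, "host is not a plain DNS name"
    # Match on a label boundary: "x.sf.gov" passes, "parking-sf.gov" and
    # "sf.gov.city-parking-secure.com" do not.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return True, "host is under " + domain
    return False, "host is not under a trusted domain"


# Constructed sample inputs, as a QR reader would hand them over.
SAMPLES = [
    "https://parking.sf.gov/zone/1234",
    "https://city-parking-secure.com/pay",
    "https://sf.gov.city-parking-secure.com/parking",
    "https://sf.gov@city-parking-secure.com/parking",
    "https://parking-sf.gov/pay",
    "http://parking.sf.gov/zone/1234",
    "https://city-parking-secure.com\\.sf.gov/pay",
]

if __name__ == "__main__":
    for url in SAMPLES:
        ok, reason = check_qr_url(url)
        print(("ACCEPT" if ok else "REJECT").ljust(7), url, "->", reason)
```

The check only helps when the trusted domain comes from a channel other than the sign; for a private operator with no well-known domain there is nothing to put in the set, which is the gap the thread keeps returning to.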
Hey, guys, I have this crazy idea.
How about we have people give small bits of paper to other people to pay for things? Or maybe even wave small cards of plastic in front of things that can read them? Maybe how about not using my fucking phone for every goddamn thing?
Crazy, right? KTHXBYE.
These are all too insecure in 2025. Everyone knows that phones are impenetrable fortresses which only one person can ever access, and nobody has ever been mugged into transferring money to someone else using their phone.
The divisibility of cash is fiddly and handling and counting it is not free. Both customers and businesses like switching to card.
The sweet spot is probably around contactless, but eventually more countries will get things like Vipps or WeChat pay and it will become a unified experience.
Those have lots of security problems too.
Stealing my wallet is generally worth less than stealing my phone even before you take into account the value of the data and the grief and expense of replacing my phone.
The fact that parking systems won't install wireless credit card readers and instead will foist the externality onto me of 1) having a phone, 2) that is currently charged, 3) has a relatively high resolution camera, and 4) capable of high bandwidth internet access is the kind of thing that ticks me off.