Hospital car park scams prompt safety warnings as quishing cases rise

A rising class of scams targeting hospital car parks is exploiting patients and visitors at vulnerable moments. Victims report fraudulent parking charges, cloned apps and tampered payment devices near medical facilities, with some left financially exposed as they wait for care. One patient identified as Lucy Elkins described being approached in an unfamiliar hospital car park prior to an intrusive scan and facing a payment prompt that led to repeated attempts to charge her account.

The scams vary, but quishing has become a common tactic. In Elkins's case, she searched for the parking operator Apcoa Connect, clicked what appeared to be the official site, and entered personal details before agreeing to use a card stored on her phone. Within minutes a bank alert signaled a suspicious transaction, and the fraud attempts continued even after she cancelled the card, with attackers pursuing a recurring charge for a service she had not signed up for.

Emma Bovey’s experience at Totnes Hospital in Devon illustrates another tactic. She scanned a QR code to pay for parking but did not realize criminals had replaced a genuine code with a malicious one, a method known as quishing. The incident drained about 146.79 pounds from her account, and there were attempts to pull another 849 pounds, which were blocked by insufficient funds. The hospital said the fake QR code had been removed and the car park was closely monitored. Bovey’s case is not isolated; quishing scams targeting hospital car parks have become increasingly common, according to security researchers and crime data.

Oliver Chan, an associate professor of criminology at the University of Birmingham, explains that quishing works by directing victims to fraudulent websites designed to steal personal and financial information. The stolen data can then be used to commit broader fraud. The method thrives in hospital settings where time pressure and on-site stress create openings for tampering and misdirection.

In many cases, the scammers are not merely stealing parking fees. They seek to harvest data that can be used for follow-on fraud campaigns, including texts or app messages that purport to enforce penalties for parking offences. Iain Swaine, a fraud strategist at Outseer, notes that fake QR codes can look like stickers placed over legitimate signs, enabling attackers to steer victims to malicious sites. He also emphasizes that criminals tailor their lures to occur when people are most vulnerable, such as when a patient or relative is anxious about care. There is an element of psychology to the crime, Swaine says, and the teams behind it know scams work best when people are at their lowest point.

Between April 2024 and April 2025, Action Fraud reported about 3.5 million pounds lost to quishing, with hospital car parks accounting for the bulk of those losses. Officials say many sites attract criminals because car parks are often unattended or under-monitored, allowing fake codes to be placed and payment machines to be tampered with. Hospital car parks are described as a prime target for the crime, with attackers able to move quickly from site to site as blocks are put in place.

Stories of harm continued to surface in late 2024 and into 2025. In Royal Stoke University Hospital’s car park, a man in his 80s was swindled out of around 1,000 pounds after being approached by someone posing as a parking attendant who directed him to pay with a handheld card reader and then vanished with the card. On the same day, another man in his 70s was targeted at County Hospital in Stafford, about 16 miles away. Analysts say the attacks unfold rapidly and rely on social engineering and the perceived authority of on-site staff to appear credible. The tactic is seen as a way to exploit a moment of distraction and urgency when individuals are focused on their health needs.

Experts note a broader pattern in the targeting of hospital car parks. Some criminals rotate through sites, replacing a successful scheme with new ones to beat early blocks and to maintain a steady stream of victims. In addition to QR based schemes, attackers may send text messages or WhatsApp messages demanding penalties for supposed parking offences, directing victims to fraudulent payment links. Criminals often obtain stolen personal data on the dark web, then use it to target older individuals who may have previous hospital interactions and might be more likely to comply with perceived enforcement messages.

In June, University Hospitals Sussex NHS Foundation Trust issued a warning after receiving several reports of scams that used a mobile number with the hospital site at the top of the message to mislead recipients. Another tactic involves card skimming, where a fake strip inserted into a payment machine clones card data. And some attackers have paid for advertising that places a counterfeit site at the top of Google search results, making it easy for people to click through to a fraudulent page that resembles the official car park app. In other words, an advert that looks legitimate can lure a user who is navigating stress and time pressure.

Patient safety and awareness campaigns have become focal points for health systems and policing partners. The overarching message is simple: practice vigilance at the point of care, especially when managing parking payments near hospital facilities. Health authorities stress that the most common fraud vectors involve tampered QR codes, fake payment interfaces, and aggressive follow-up messages that seem to duplicate legitimate notices.

To reduce risk, authorities outline several checks that patients and visitors can perform. First, use only authorised parking apps such as RingGo, PayByPhone or JustPark, and download them from official app stores rather than following links from text messages or emails. Second, examine QR codes closely for signs of tampering, such as codes that look like stickers placed over legitimate signs or machines, and verify authenticity with reception if possible. Third, inspect payment machines for signs of tampering, such as loose card readers or unfamiliar keypads. Fourth, never respond to text messages about penalties for parking offences; legitimate notices typically arrive by post or as a physical ticket left on the vehicle. Fifth, if anything seems off, close the browser or delete the app immediately to limit criminals’ access to personal information, and report the incident to the bank and to Action Fraud without delay.

For patients, some hospitals have adjusted procedures to avoid unnecessary charges. In the case of Lucy Elkins, the quickest resolution was to register the car number plate with reception, which allowed the patient to avoid paying for hospital parking altogether. Experts caution that prevention requires vigilance across the health system, as more car parks—particularly those operated by private firms—may be targeted in the months ahead.

As fraud tactics evolve, health-care facilities say they are increasing monitoring, posting clearer signage and educating staff and visitors about common scams. Authorities encourage people to stay informed, verify payment channels and report suspected fraud promptly to banks and to Action Fraud.