The Express Gazette
Monday, January 19, 2026

Hospital car park scams rise as QR-code fraud targets patients

Experts warn that hospital car parks are increasingly exploited by scammers using fake QR codes and spoof parking apps, with victims left out of pocket and anxious patients at risk.

World 4 months ago

A wave of scams targeting hospital car parks is drawing attention from consumer groups and law enforcement, with fraudsters increasingly using fake QR codes, spoofed parking apps and other tricks to siphon payments from patients and visitors. The scams arrive at a moment when people are stressed and distracted by medical appointments, creating ripe conditions for fraud.

One account described to investigators by Lucy Elkins places the scene in a hospital car park ahead of a medical scan. While looking for a way to pay, she searched for the car-park provider Apcoa Connect and clicked on what appeared to be the right site. She entered her personal details and attempted to pay with Apple Pay, only to receive a bank alert moments later about a suspicious transaction. The fraudsters then pressed on with an attempted charge of £40.56 for a so-called all‑in‑one digital media service, a subscription she says she cancelled promptly after the warning. In another case, Emma Bovey reported losing about £146.79 after visiting Totnes Hospital in Devon last November, when criminals pasted a fake QR code over the genuine one, a tactic known as quishing. When she scanned the code, she was redirected to a fraudulent site designed to steal her information, and her account was drained before she could intervene. The hospital said the fake QR code had been removed and the car park was being closely monitored.

Experts say quishing—the tampering of QR codes to lure victims to fraudulent sites—has become a growing method for thieves looking to harvest personal data and financial details. Oliver Chan, an associate professor of criminology at the University of Birmingham, explains that the stolen information is often used to commit broader fraud. "If you look closely a fake QR code will look like a sticker that has been stuck over something else or tampered with," Chan said. The trend is part of a broader pattern in which criminals target people when they are most vulnerable, such as while navigating hospital visits.

Between April 2024 and April 2025, Action Fraud, the UK's national reporting centre for fraud, recorded about £3.5 million lost to quishing scams, with hospital car parks accounting for most of the cases reported. Officials warn that the total may be higher because many hospital car parks are run by private providers that are not required to share figures under FOI rules. In June, Action Fraud urged the public to check QR codes before scanning and to report suspicious activity.

The tactics go beyond QR codes. Some scammers have used text messages or WhatsApp messages demanding penalties for alleged parking offences and including fake payment links. University Hospitals Sussex NHS Foundation Trust issued warnings in June after receiving several reports of such messages that appeared to come from a mobile number with the hospital site listed at the top. Card skimming, involving a fake magnetic-strip reader, and the purchase of top-tier search ads that mimic legitimate parking apps are other channels criminals have exploited, according to security researchers.

The attackers often target cars in car parks that are unattended or under-monitored, particularly at night, which helps them place fake codes and tamper with payment machines. Schemers also exploit cognitive load and stress—patients and relatives may be preoccupied, making it harder to spot red flags. In some cases, scam operators pay for ads that appear at the top of search results, which can mislead people into clicking a fraudulent link instead of the official app.

When victims do realize what happened, the financial impact can range from a few pounds to several hundred, and the experiences can leave people wary of seeking medical care. In Lucy Elkins’s case, she learned a valuable lesson about paying for parking in a hospital setting and the importance of verifying the payment method before entering any personal information. A hospital spokesperson said it is reviewing the incident and has taken steps to remove the fraudulent material that was identified.

Experts offer practical steps to reduce risk in a hospital car park: use only authorised parking apps such as RingGo, PayByPhone, or JustPark that are downloaded from official app stores; inspect QR codes for signs that they have been replaced or overlaid, and avoid codes that appear to be stickers placed over legitimate signs or machines; examine payment machines for tampering, such as loose card readers or unfamiliar keypads; never respond to text messages about penalties or parking offences, as legitimate notices are typically delivered by post or via a ticket left on the vehicle; and if you suspect a scam, close the browser or delete the app immediately and report the incident to your bank and to Action Fraud. Experts emphasize that acting quickly can help limit access to personal data and reduce further financial loss.

