Fake QR code stickers on Christchurch parking meters are stealing payments

Scammers placed fraudulent stickers over real payment instructions to redirect drivers to copycat websites. The Christchurch City Council is urging residents not to scan any QR code found on a parking machine.

ThreatVectr Newsdesk· 3 min read
Full-frame edge-to-edge photoreal news-editorial image of a generic laptop screen displaying a blurred, anonymized account security warning dialog in cool blue
Share

Key points

  • Fraudulent stickers bearing fake QR codes, meaning scannable square barcodes that open a website on your phone, appeared on multiple Christchurch parking meters on 14 July 2026.
  • Both public and private parking machines were targeted across the city.
  • The stickers directed drivers to fake payment websites designed to collect money and card details.
  • The Christchurch City Council issued a public warning the same morning the stickers were discovered.
  • No official QR code on a Christchurch parking meter should be trusted until the council confirms otherwise.

Someone got up early with a roll of stickers and a plan.

On the morning of 14 July 2026, Christchurch City Council workers found fraudulent stickers plastered over the screens and payment panels of parking meters around the city. The stickers carried QR codes, those square scannable barcodes you point your phone camera at, that led drivers to fake websites built to look like legitimate parking payment pages.

Pay through one of those pages and your money goes to the scammers. Your card details may go with it.

This kind of attack has a name in security circles: quishing, which is phishing (tricking someone into handing over money or personal details) carried out through a QR code rather than a dodgy link in an email. The mechanics are old. The twist is physical. Someone has to walk up and stick the fake code on the real machine, which means this is a targeted, on-the-ground operation, not a mass email blast.

First reported by NZ Herald, the scam hit both council-operated and privately run parking machines, suggesting the people behind it scouted the city rather than picking targets at random.

Should drivers worry about their card details?

Yes, if you scanned a parking meter QR code in Christchurch on or around 14 July 2026, you should act now. Contact your bank, explain that you may have entered your card details on a fraudulent website, and ask them to monitor your account or reissue your card. Banks deal with this regularly and the process is straightforward.

If you paid and the transaction went through, report it to your bank as an unauthorised payment. Keep a record of the amount and the time.

For everyone else: pay at the machine's keypad or touchscreen directly, using the instructions printed on the meter itself. Do not scan any QR code on a parking meter until the council confirms the machines are clear.

This attack requires almost no technical skill. Print a sticker, stick it on a machine, collect payments. The "AI-powered" label some outlets reach for in cases like this does not apply here. It is fraud with adhesive backing.

The Christchurch City Council has not yet confirmed how many meters were affected or whether any have been fully cleared.

© 2026 Threat Vectr