Peter Leventis encountered difficulties when attempting to use a Bike Share bike quickly. Despite his urgency, the QR code he scanned to unlock the bike failed to work. After trying multiple bikes with no success, he eventually realized that something was awry.
Upon closer inspection, Leventis discovered that he had been scanning fake QR stickers resembling the authentic ones affixed to the rental bikes but with slight differences. These deceptive stickers featured a speech bubble prompting users to “Scan and Pay.” Curious about where the QR code led, he followed it to a suspicious website named “Direct To App Now,” prompting users to input personal details such as a license plate and credit card information for parking payment, which is not the standard payment method for Bike Share.
Further investigation revealed that the website had been registered in early April, raising suspicions about its legitimacy. Leventis uncovered five fake QR stickers at different bike docks in Toronto’s east end, promptly removing and reporting them to Bike Share before discarding them.
This incident marks the first time the scam tactic of using fraudulent QR codes, dubbed “quishing,” has targeted Bike Share Toronto. Previously, similar scams had affected parking lots in Ottawa and Montreal. Mathew Varsava, the director of Bike Share, noted that typically, fake QR codes directed individuals to a Spotify playlist, but this recent occurrence diverged from that pattern.
In response to the discovery, Bike Share issued a safety notice on social media, cautioning riders to only scan QR codes using the in-app scanner and not their phone cameras. The fraudulent QR stickers have also appeared on city parking machines in Mississauga, with over 80 stickers found on machines downtown.
Mississauga authorities promptly reported the incident to Peel Regional Police and issued an alert warning residents about the fake stickers. Similarly, the Toronto Parking Authority acknowledged the presence of fake QR stickers at its Green P lots but refrained from disclosing the exact number.
Reports of fake QR codes on parking machines have also surfaced in North York, although it remains uncertain if they are linked to the incidents in Mississauga and Bike Share. The destination website of the QR codes has been fluctuating, at times leading to legitimate sites like PayByPhone, commonly used for parking payments in the Greater Toronto Area and beyond.
Carmen Donnell, managing director of PayByPhone North America, disassociated the company from the fraudulent QR codes, denouncing them as a scam. She advised users in Toronto to avoid using QR codes for payments, even if visible, and opt for alternative payment methods.
Experts like Kami Vaniea, an associate professor specializing in scams, security, and privacy at the University of Waterloo, emphasized the challenge of distinguishing between real and fake QR codes. She advised caution when dealing with suspicious QR codes and recommended verifying the destination before scanning.
As the investigation continues, vigilance is crucial to combat these deceptive practices targeting unsuspecting individuals using public services like Bike Share and parking machines.
[Source](https://www.cbc.ca/news/canada/toronto/scam-qr-codes-bike-share-parking-machines-9.7183271)