Asian Tribune Your Multilingual Newspaper covering World and local news News
Listen to this article
Estimated 5 minutes
The audio version of this article is generated by AI-based technology. Mispronunciations can occur. We are working with our partners to continually review and improve the results.
Peter Leventis was in a hurry and needed a Bike Share bike, fast. But the QR code he scanned to unlock the bike wouldn’t work. So he tried scanning a different bike. Then another. That’s when he realized something was off.
“I noticed the QR code looked a little different,” he said. “It didn’t make sense for three or four minutes and then, it all clicked.”
Leventis was scanning a faux QR sticker, the same size as the real QR that’s affixed to each rental bike, but slightly different looking. This one had a little speech bubble reading “Scan and Pay.”
The QR wouldn’t work in the Bike Share app, but Leventis wanted to see where it went.
The code led to a dodgy site called “Direct To App Now” and a page labelled “ParkPay”, asking for personal information like a license plate and credit card to pay for parking — not how Bike Share is paid for.
A search of the URL indicates the site was only registered at the start of April — a red flag.
Leventis found five fake QRs at two different bikes docks around Coxwell and Danforth avenues in Toronto’s east end. He tore them off, reported to Bike Share, then threw them out.
1st time this scam has hit Bike Share
The fake stickers are a known scam tactic, like phishing, but using fraudulent QR codes instead of emails or texts. Some have even given it the nickname “quishing.” It’s plagued parking lots in Ottawa and Montreal, but this is the first time the scam has hit Bike Share Toronto, the system says.
“All the previous times [the bikes have been stickered], the QR code is typically taking people to a Spotify playlist,” said Bike Share’s director Mathew Varsava.
A CBC reporter spotted a fake QR code on a bike near Church and Carlton last week. Shortly after the reporter flagged the issue to Bike Share on Monday, it issued a “safety notice” on social media, warning riders of the fake QRs and advising to “only scan QR codes using the in‑app scanner, not your phone camera.”
The exact faux QR stickers — directing to the same fishy parking payment site — started showing up on city parking machines in Mississauga last week too. The city says it found more than 80 stickers on its machines downtown.
“It’s the first time that this sort of behaviour has been noted in Mississauga,” said Colin Patterson, the city’s director of traffic management and municipal parking.
“I’m hopeful that we caught it before anyone fell victim.”
Metro Morning8:50Scam QR codes showing up on Bike Shares, parking machines
A sneaky scam using QR codes is targeting those using parking machines and Bike Share bikes. Our reporter Haydn Watters found out first hand.
‘We have nothing to do with these QR codes’
Mississauga reported the stickers to Peel Regional Police and put out its own alert, warning about the fake stickers last week.
The Toronto Parking Authority says fake QR stickers have also been showing up on the machines in its Green P lots, but would not confirm how many.
Toronto police say they’ve received at least three recent reports of fake QR codes on parking machines in North York. It’s not clear if they are the same as the ones found in Mississauga and on the bikes.
The link where that QR code directs has been changing since it was first spotted. Earlier this week, it linked not to a scam site but to PayByPhone, a legitimate site that parking lots and some municipalities use to pay for parking, including in the GTA and around the province.
“We have nothing to do with these QR codes,” said Carmen Donnell, managing director of PayByPhone North America in a statement, calling them a “scam.”
“Our recommendation in this instance would be for anyone in Toronto wishing to use these services to pay without using a QR code — even if one is visible.”
As of Thursday evening, the QR was no longer directing to PayByPhone, instead linking to another fishy parking site with a similar URL to the one Leventis was linked to, but only registered on Wednesday.
Kami Vaniea is an associate professor at University of Waterloo’s electrical and computer engineering department, specializes in scams, security and privacy. She’s seen this scam many times before.
“I can literally see someone just giving someone a huge stack of these [QR codes] and saying ‘just put them everywhere,'” she said.
Vaniea agrees there’s no need to use the QR code, especially if its suspicious looking. She also advises to never auto-open a QR code link. You should check where you are being linked to first.
“My only official opinion that I always push … is just how hard it is for the general public to tell the difference between a real QR code and a fake one,” she said.
“It is impressively hard to do.”