Dangerous QR codes have appeared in car parks across Luxembourg

Cybersecurity experts at LetzSecure (letzsecure.com) have uncovered an active physical phishing campaign, or ‘quishing’, targeting motorists in Luxembourg. Stickers bearing the words ‘SCANNEZ ET PAYEZ’ (Scan and Pay) have begun to appear en masse on the city’s official parking meters. These stickers mimic a legitimate contactless payment method, but redirect users to a third-party website designed to steal financial data in real time.
The deception begins with a redirect to the fake domain directingtoapps.com, where a fraudulent service called ParkPay operates. To lull the victim into a false sense of security, the site mimics the behaviour of a genuine payment terminal: first, it asks for the vehicle registration number and the estimated duration of parking. At the same time, the screen displays an amount of ‘0 EUR’, with the explanation that billing will take place once parking has been completed.
This psychological ploy allows criminals to freely request a cardholder’s full bank card details, including the card number, expiry date and CVV security code. The information obtained enables them to carry out unauthorised transactions in the cardholder’s name. It is worth noting that this service has no connection whatsoever with Indigo Neo — the official app used by the local authorities.
As of 27 April 2026, counterfeit QR codes have been detected at several key locations across the city. Although the codes were promptly removed from the parking meters at the Glacis car park, fraudulent stickers are still being reported at the following locations:
- Avenue de la Faïencerie;
- Jean l'Aveugle Street;
- Alfred de Musset Street;
- Joseph II Boulevard.
Following the incident, official notifications were sent to the City of Luxembourg’s parking service, the Computer Incident Response Centre (CIRCL) and the police. The authorities strongly advise drivers to avoid scanning any third-party codes on the city’s infrastructure and to use only the verified app or the physical card slots on the parking meters themselves to make payments.





