Quishing Alert: Fraudulent QR Codes on Ville de Luxembourg (VdL) Parking Meters

A dangerous physical phishing campaign, known as "Quishing," has been identified targeting motorists in Luxembourg City, specifically at the Glacis parking. Attackers are placing fraudulent stickers with the text "SCANNEZ ET PAYEZ" (Scan and Pay) directly onto legitimate parking meters. When a user scans the code, they are directed to a highly convincing but malicious website designed to steal financial credentials.

How the Scam Works:

1. Physical Deception: The scam begins on-site at Glacis and other city areas, where a fake QR code is placed to look like an official mobile payment option.

2. Fraudulent Domain: The QR code leads to the domain directingtoapps.com, which is not an official portal payment portal.

3. The "Pay-Per-Duration" Hook: To lower the victim's guard, the site claims an initial amount of "0 EUR," stating that the user will be charged only after they finish parking based on the actual duration.

4. Complete Financial Data Theft: The process requires the user to enter their vehicle registration number, parking duration, and full credit card details, including the card number, expiry date, and CVV.

Drivers in Luxembourg City are urged to use official parking app Indigo Neo or the physical payment slots on the meter. Never scan unverified QR codes stuck onto public infrastructure.