If enough people do it, they'll find a way to solve the problem (e.g. a subdomain of the official city site, putting back regular parking meters/machines, ...)
I mean in this case I would recommend using a search engine to cross-reference, and any other phishing countermeasures you might normally use.
I think the situation is dire when it comes to non-technical users, but I don't think QR codes are the problems here, someone could equally well paste a sticker over the entire board with all the URLs replaced or with details of a completely different (fake) parking company (but I agree replacing QR codes probably makes it harder for an employee to spot).
My actual IRL solution would be to look up the parking company and their domain based on the lot's Google/other map data. It might also be fake but that seems less likely.
If there's no machine to pay directly, no attendant, not a city owned lot, and no verifiable payment site online... I'd be inclined to do what someone else suggested and just not pay and see what happens.
The real solution seems like it should be a physical payment machine that accepts credit cards/cash. Those could also be fake, but much much harder to pull off successfully. (easier to track fraudulent credit cards processors, and no chance of leaking CC credentials with EMV contactless)
Yeah, we need authenticated QR codes and web of trust (only half-joking.)
My experience is that Easypark works in most of Europe and is great because of that. I trust them, and that's all I need. I really avoid QR codes, and I don't want to install your little local app.
Another commenter in this thread says parking works well in China, because WeChat is the trusted middle man.
Sadly, as always, winner takes it all has its benefits in terms of ease of knowing what to trust.
Barring vulnerabilities in your QR reader, it should be enough to just read the URL.