[Arch-TK]

I mean in this case I would recommend using a search engine to cross-reference, and any other phishing countermeasures you might normally use.

I think the situation is dire when it comes to non-technical users, but I don't think QR codes are the problems here, someone could equally well paste a sticker over the entire board with all the URLs replaced or with details of a completely different (fake) parking company (but I agree replacing QR codes probably makes it harder for an employee to spot).

[varenc]

My actual IRL solution would be to look up the parking company and their domain based on the lot's Google/other map data. It might also be fake but that seems less likely.

If there's no machine to pay directly, no attendant, not a city owned lot, and no verifiable payment site online... I'd be inclined to do what someone else suggested and just not pay and see what happens.

The real solution seems like it should be a physical payment machine that accepts credit cards/cash. Those could also be fake, but much much harder to pull off successfully. (easier to track fraudulent credit cards processors, and no chance of leaking CC credentials with EMV contactless)