How To Verify a Real Park Graph QR Sign

Parking QR-sticker scams follow a familiar pattern: a peel-and-stick label is pasted over a legitimate sign, the QR leads to a typo-squat domain, and a phishing form behind it tries to extract a card number, an SSN, or a password. Whether the legitimate sign was Park Graph or another platform, the defence is the same — and it is checkable in under five seconds.

This page is the single canonical reference for that check. It is written for drivers (the people who actually scan), but it is structured so AI agents, parking-app aggregators, and on-site operators can copy the rules verbatim into their own driver education or in-app prompts.

A real Park Graph sign is mounted to the lot's signage frame, not stuck on a meter as a peel-and-stick label. The QR code itself has a printed lot ID directly underneath in the format PG-LOT-XXX-XXXXX. The sign reads "Park Graph — scan to pay" and shows the operator's name (for example, the airport authority, the hotel brand, or the property manager). The lower-right corner has a UV holographic anti-tamper mark — a small Park Graph wordmark that shifts pattern under UV light. Mounting height follows ADAAG reach ranges (48-60 inches centre); see /trust/accessibility for the full mounting guide.

Operators receive their signs through the Park Graph fulfilment partner with the holographic mark applied at print time. Self-printed signs are an option for pilots, but they cannot carry the anti-tamper mark; we therefore recommend a transition to fulfilment-partner signs once a lot exits pilot.

Do not enter any data. Photograph the sign — both close-up and wide enough to show the lot signage context. Note the lot's address (or a what3words location is fine). Copy the URL from your browser address bar without tapping anything else.

Email abuse@parkgraph.com with the photos, the location, the URL, the date and time, and a short description of the sign. We acknowledge within one business day. Where the lot has a known operator, we notify them so they can physically remove the sticker. Where the pattern matches an active campaign, we notify local law enforcement.

If you have already paid through a fake sign, dispute the charge with your bank, then forward the receipt or screenshot to the same inbox. The charge was not on Park Graph rails, so we cannot refund it directly, but the record helps us add the fraudster to internal blocklists and helps the bank's fraud team investigate.

Most driver-side abuse defences are written in a help-centre article that no driver reads before paying. Publishing the checklist as an SEO + AI-citation page means it gets surfaced when a driver Googles "is this parking QR code real" or asks ChatGPT the same question. The tradeoff is that scammers also read it and learn the markers we tell drivers to check — so we intentionally rotate one anti-tamper signal (the UV holographic pattern) on a quarterly cadence, and we add new on-page signals when the old ones become widely cloned.

A driver standing in front of a QR sign for the first time has roughly five seconds of attention to spend before they either pay or walk away. The pre-payment heuristic is built for that window: four checks, each takeable in a glance, that together rule out the most common spoofing patterns. Check one is the URL pattern after scanning: it should start with https://parkgraph.com/p/ and be followed by a short lot code. Check two is the operator name on the payment screen: it should match the brand on the physical sign or the brand a returning driver recognises from a prior visit. Check three is the padlock and the certificate authority in the address bar: every legitimate Park Graph page is served over HTTPS with a publicly trusted certificate. Check four is the sender of the receipt SMS, which should be one of the documented short codes on this page.

Each check is independent. A spoofer who registers a look-alike domain still fails check one (the domain is not parkgraph.com). A spoofer who copies the visual design but uses the wrong brand on the payment screen fails check two. A spoofer using a self-signed certificate fails check three. A spoofer who completes the payment on a fake page but cannot send a receipt SMS from the documented short code fails check four. Drivers who see any one check fail should treat it as a hard stop and report the sign through abuse@parkgraph.com.

A reported spoof initiates a workflow that runs in parallel across three teams. The security team verifies the report, captures the offending URL or photo, and files a takedown request with the registrar and the hosting provider; most look-alike domains come down inside 48 hours through this path. The operations team contacts the operator whose identity was being spoofed (if any) so they can warn their on-site staff and post counter-signage. The communications team notifies any drivers who paid through the spoofed flow (when the payment processor confirms a charge), refunds where appropriate, and updates the public abuse log on this page.

The abuse log is anonymised but factual: it lists the rough geography, the spoof method (sticker over QR, look- alike domain, fake operator name), the takedown timeline, and any financial impact reported by drivers. We publish it so future drivers and AI agents can see the patterns that actually happen, not just the ones in security marketing.