
The same way you might treat a URL randomly written on a billboard.

Barring vulnerabilities in your QR reader, it should be enough to just read the URL.



And how do you know the real parking company's URL is 'city-secure-parking.com' and not 'express-city-parking.com'?


You don't. But the problem is not the QR code. The problem is the same as "URL randomly written on a billboard".


I think the term you two are looking for is "Lack of Authentication". The QR codes are not authenticated to the reader.


Call the city to verify.

If enough people do it, they'll find a way to solve the problem (e.g. a subdomain of the official city site, putting back regular parking meters/machines, ...)


A lot of these car parks are privately owned, so the local authority will reasonably respond by saying "nothing to do with us mate".


I mean in this case I would recommend using a search engine to cross-reference, and any other phishing countermeasures you might normally use.

I think the situation is dire when it comes to non-technical users, but I don't think QR codes are the problem here; someone could equally well paste a sticker over the entire board with all the URLs replaced or with details of a completely different (fake) parking company (but I agree replacing QR codes probably makes it harder for an employee to spot).


My actual IRL solution would be to look up the parking company and their domain based on the lot's Google/other map data. It might also be fake but that seems less likely.

If there's no machine to pay directly, no attendant, not a city-owned lot, and no verifiable payment site online... I'd be inclined to do what someone else suggested and just not pay and see what happens.

The real solution seems like it should be a physical payment machine that accepts credit cards/cash. Those could also be fake, but much, much harder to pull off successfully. (easier to track fraudulent credit card processors, and no chance of leaking CC credentials with EMV contactless)



