“Quishing” attacks are the new digital threat targeting electric car owners to steal drivers’ payment details, Eset’s cyber security experts warn, in an article recently published on the company’s Romanian blog.
“In recent years, many countries and regions around the world have made rapid progress in adopting electric cars. About 14 million new cars were registered in 2023 alone, an annual increase of 35%, bringing the global total to more than 40 million. But new technologies also come with new threats. Ever alert for opportunities, criminal groups combine threats from the physical and virtual worlds. One of the latest scams observed in several European countries is the use of QR code phishing techniques, known as “quishing”, to intercept or steal payment details. In fact, this method is very similar to scams that use fake QR codes on parking meters, and electric vehicle drivers must be aware of this type of threat at charging stations,” says Phil Muncaster, Eset specialist, according to Agerpres.
According to the quoted source, “quishing” is a threat derived from “phishing”, in which cybercriminals “paste” fake QR codes over the real ones.
“When scanned, victims are directed to a phishing site where their data is stolen or malware is downloaded. It’s a particularly effective tactic because it doesn’t raise the same suspicion as, for example, phishing URLs. Mobile devices are usually less protected than laptops and PCs, so the chances of success are higher,” notes the author of the article.
A report published at the end of last year indicated a 51% increase in “quishing” incidents in September 2023, compared to the period January – August 2023.
In this context, attackers have adapted the scam to target electric vehicle (EV) owners in Europe. According to reports from Great Britain, France and Germany, scammers stick malicious QR codes over the legitimate ones on public charging stations.
“The code is intended to direct users to a site where they can pay the station operator (e.g. Ubitricity) for electricity. However, if they scan the fake code, users will be directed to a similar phishing site asking them to enter their payment details, which the criminals will collect. The correct site will load on the second attempt, so that the victims can finally pay for the upload. There are also reports that the criminals are even using the technology of signal jamming to prevent victims from using charging apps and force them to scan the malicious QR code. With over 600,000 EV charging points across Europe, there are many opportunities for scammers to catch unsuspecting drivers with such scams. There have been numerous reported incidents of fraudsters targeting drivers via malicious QR codes affixed to parking meters. In this case, the unauthorized driver can not only lose his card details, but could also receive a parking fine from the local authorities,” says the Eset expert.
Against the background of this new threat, there are a number of methods aimed at reducing the risk of “quishing”, among which: pay attention to the QR code displayed at parking meters or charging stations; never scan a QR code unless it is displayed directly on the charging/parking terminal; pay only through a phone call or through the official charging application of the respective operator; disable the option to automatically perform actions when scanning a QR code; check your bank statement for any suspicious transactions; use two-factor authentication (2FA) on all accounts that offer this option for added security; make sure your mobile device has security software installed from a trusted vendor.