Amid accelerating growth in the number of electric cars globally, hackers are exploiting new digital fraud techniques, including "quishing", a form of phishing that uses fake QR codes. Cybersecurity experts at Eset draw attention to this type of attack, which is affecting an increasing number of electric vehicle (EV) drivers in Europe and putting their payment details at risk at public charging stations.
• "Quishing", extremely dangerous
The "quishing" attack derives from phishing, but relies on fake QR codes placed over legitimate ones to lure victims to phishing sites. Drivers trying to charge their vehicles scan the QR codes displayed at charging stations and, in some cases, are redirected to websites that mimic the station operator's payment portal (such as Ubitricity or other local operators). In this way, cybercriminals gain access to the drivers' payment information. Compared with traditional phishing methods, "quishing" is effective for two major reasons: QR codes arouse less suspicion than online links, and mobile devices, which are usually used for scanning, have a lower level of protection than regular computers and are therefore more vulnerable to attacks.
• Alarming increase in attacks
According to a 2023 report, "quishing" incidents increased by 51% compared to the beginning of the year, showing an alarming trend. In particular, electric vehicle drivers in the UK, France and Germany are increasingly affected, as criminals use QR codes placed on charging stations to lure drivers to fake websites. To increase the chances of success, some hacking groups are even using jamming devices, blocking users from accessing charging apps and forcing them to scan the malicious QR code. With over 600,000 charging points in Europe, attackers find fertile ground to exploit vulnerabilities in payment systems and driver inattention, especially since the technology is still new and users may not be aware of all the associated risks.
• Tips for drivers
Eset offers some tips for electric vehicle drivers who want to protect themselves from "quishing" threats:
"Check QR codes - If a QR code is displayed on a sticker on the charging station, it is recommended to verify its authenticity.
Avoid scanning unknown codes - It is recommended to use the official apps of the charging station operator for direct payment, without scanning additional codes.
Disable automatic action option when scanning QR codes - Turning off the automatic action feature when a QR code is scanned can reduce the risk of unintentionally accessing a phishing link.
Monitor bank statements - Any suspicious transaction should be checked immediately, and two-factor authentication (2FA) can add an extra layer of security.
Install security solutions - Using trusted security software on mobile devices is essential in preventing access to malicious sites or downloading dangerous programs".
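Checking a code and turning off automatic actions both come down to inspecting the decoded link before anything opens it. The Python function below is an added example, not code from Eset or the original article, showing that inspection applied to the text a scanner returns. The function name, the trusted-host list and every domain in it are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: hosts the driver already knows belong to the operator (for
# example from the official app). Constructed placeholder, not a real portal.
TRUSTED_HOSTS = {"pay.charge-operator.example"}

def assess_qr_payload(payload, trusted_hosts=TRUSTED_HOSTS):
    """Inspect a decoded QR payload without opening it.

    Returns (verdict, host, reasons); verdict is "allow" or "block".
    """
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "block", "", ["payload is not a well-formed URL"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    if not host:
        reasons.append("payload has no host")
    if "@" in parts.netloc:
        reasons.append("text before '@' is not the host that will be contacted")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("host uses non-ASCII or punycode characters")
    if port not in (None, 443):
        reasons.append("non-default port")
    if host not in trusted_hosts:
        reasons.append("host is not on the trusted list")
    return ("block" if reasons else "allow"), host, reasons

# Constructed sample payloads, as a scanner would hand them over after decoding.
SAMPLES = [
    "https://pay.charge-operator.example/s/12345",
    "HTTPS://Pay.Charge-Operator.example./s/12345",
    "https://pay.charge-operator.example@lookalike-pay.example/s/12345",
    "https://pay.charge-operator.example.session.example/s/12345",
    "http://pay.charge-operator.example/s/12345",
    "WIFI:S:FreeCharge;T:nopass;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, host, reasons = assess_qr_payload(sample)
        print(f"{verdict:5} host={host or '-'} {'; '.join(reasons)}")
```

The comparison is an exact match on the host, so a trusted name that appears only as a prefix of a longer domain or before an "@" is still blocked.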
• Adapting digital security to new forms of mobility
This threat highlights the need for cybersecurity adapted to technological progress. In a world where electric mobility is rapidly expanding, with millions of electric vehicle drivers, it is essential that users are informed and protected against scams of this type. Digital security thus becomes a critical aspect of green mobility infrastructure.