Quishing, an insidious threat to electric car owners

Quishing is a type of phishing attack where crooks use QR codes to trick users into providing sensitive information or downloading malware.

In recent years, the spread of electric cars has led to an increase in public charging stations. However, new cyber threats have emerged with this growth, including “quishing.” This term, a combination of “QR Code” and “phishing,” describes a scam in which fraudsters use counterfeit QR Codes to steal sensitive information from users.

How the charging station scam works

Scammers superimpose a fake QR code on top of the original one on charging stations.

[Image: QR code. Credit: automoto.it]

When users scan the code with their smartphone, they are redirected to a fake website that may mimic the legitimate one. Then, they are asked to enter sensitive data such as credit card information. Once entered, this data is sent directly to the scammers.

Impacts and risks

Quishing poses a significant threat to electric car owners. Not only can they lose money, but their personal data can be used for further fraudulent activities. In addition, trust in public charging infrastructure can be compromised, slowing the adoption of electric cars.

“New e-car drivers who are not yet familiar with public charging stations are particularly at risk,” IT security expert Eddy Willems told the LifePR website. He knows of cases from Belgium, the Netherlands, France, Spain, Italy and Germany. So-called charging station quishing, derived from phishing, is “definitely a problem within the EU, if not worldwide,” says Willems. The expert advises charging station operators to avoid stickers; the codes should be shown on the display. “That’s safe. Unless someone hacks the charging station. But I haven’t heard of that, and it would be very difficult.”

How to Protect Yourself

To protect yourself from this scam, it is advisable to take some precautions:

  • Use recharge cards: Many operators offer cards that provide greater security than QR codes.
  • Check the site URL: Make sure the site address begins with “https” and that the domain is correct.
  • Check for suspicious changes: Fake sites often have minor changes in the URL, such as missing or substituted letters.
  • Report suspicious QR Codes: If you notice a QR Code that appears to have been overlaid or modified, it is important to report it immediately to the charging station operator.
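
The URL checks from the list above (https, correct domain, missing or substituted letters), as an added example that is not part of the original article: a Python function that a scanning or operator app could run on the URL decoded from a QR code before opening it. The hosts `chargeco.example` and `pay.chargeco.example` are constructed placeholders for an operator's real domains, and the two-character typo threshold is an assumption.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts the charging operator actually uses (constructed).
TRUSTED_HOSTS = {"pay.chargeco.example", "chargeco.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: counts missing, extra or substituted letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # letter missing from b
                           cur[j - 1] + 1,             # letter added in b
                           prev[j - 1] + (ca != cb)))  # letter substituted
        prev = cur
    return prev[-1]


def check_qr_url(url: str, trusted=TRUSTED_HOSTS, max_typos: int = 2) -> list:
    """Return findings for a URL decoded from a QR code; an empty list means it passed."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if parts.scheme != "https":
        findings.append("not-https")
    if "@" in parts.netloc:
        findings.append("userinfo-in-url")  # text before '@' is not the host
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        findings.append("non-ascii-host")  # possible look-alike characters
    if host in trusted:
        return findings
    near = [t for t in trusted if edit_distance(host, t) <= max_typos]
    if near:
        findings.append("lookalike-of:" + sorted(near)[0])
    elif any(t in host for t in trusted):
        findings.append("trusted-name-embedded")  # real name used as a subdomain
    else:
        findings.append("unknown-host")
    return findings
```

An exact host match is the only passing result; everything else is reported so the app can block the redirect or warn the driver.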

Conclusion

Quishing is an emerging threat that requires attention and awareness from everyone. By taking preventive measures and remaining vigilant, you can protect yourself from this scam and continue to benefit from public charging infrastructure safely.

About the author: Salvatore Lombardo (Twitter @Slvlombardo)

Electronics engineer and Clusit member. Espousing the principle of conscious education, he has for some time been writing about information security for several online magazines. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.


Pierluigi Paganini

(SecurityAffairs – hacking, QR code)