Scammers Target Desperate EV Drivers with Fraudulent QR Codes

Fake QR codes direct EV drivers to a malicious site when all they want is to charge their car.

Dan Carney, Senior Editor

September 9, 2024

QR codes on public infrastructure such as EV charging stations or parking meter pylons like this pose a risk to users. (Patrick T. Fallon via Getty Images)

At a Glance

  • Scammers target customers at EV chargers, parking meters, and public transit
  • Scanned images may bypass your security protection
  • Look for fake QR code stickers applied to the sign

Problems with public EV charging stations are so common that this difficulty is considered one of the top obstacles to speedier EV adoption in the U.S. Frequent issues with public EV charging networks include connection problems and payment for the electricity.

Most charging stations provide a QR code that drivers who are understandably desperate for a charge can scan with their smartphone’s camera in a bid to find a way to get the station to work with their car.

The problem is that now scammers are replacing the EV charging networks’ QR codes with their own, directing these unsuspecting victims to their own malicious site. Once there, drivers enter their credit card information in a bid to pay for a charge, only to have the scammers steal that information for misuse.

This is called “quishing,” a mashup of “QR” and “phishing.” In addition to EV charging stations, other public infrastructure locations like parking meters and bus stops are also being used for quishing attacks by covering their legitimate QR codes with malicious ones.

“Quishing, or QR phishing, is a cybersecurity threat in which attackers use QR codes to redirect victims to malicious websites or prompt them to download harmful content,” explains security specialist company Cloudflare. “The goal of this attack is to steal sensitive information, such as passwords, financial data, or personally identifiable information (PII), and use that information for other purposes, such as identity theft, financial fraud, or ransomware.”


While web browsers might ordinarily flag sites that look like they are impersonating a different site, entering the site’s address through the camera may circumvent that protection, warns Cloudflare. “This type of phishing often bypasses conventional defenses like secure email gateways. Notably, QR codes in emails are perceived by many secure email gateways as meaningless images, making the users vulnerable to specific forms of phishing attacks.”

DePaul University security researchers have found that authority, urgency, and reciprocation are all factors that nudge victims toward falling for a quishing scam. EV charging is uniquely appealing to scammers because they benefit from the perceived authority of the EV charging network while preying on the victim’s urgency to charge their car and offering the chance to charge as a reciprocation for the trust of providing the credit card information.

“This is a particularly insidious form of fraud because it preys on people’s trust in familiar technology,” U.S. Dept. of Energy cybersecurity expert Dr. Emma Thompson told Cybersecurity News. “QR codes have become so ubiquitous that we often scan them without a second thought,” she said.


IT security specialist Neuways offers a list of five suggestions for combatting EV charger quishing:

  1. Inspect charging stations. Before scanning a QR code, check for signs of tampering, such as stickers or modifications to the station.

  2. Use official apps. Whenever possible, rely on official apps from trusted charging networks instead of scanning QR codes directly.

  3. Be cautious with payments. Avoid entering personal or payment information on unfamiliar websites. Always double-check the URL to ensure you are on a legitimate site.

  4. Keep your devices updated. Ensure that your phone’s operating system and security software are up to date to defend against the latest threats.

  5. Report suspicious activity. If you notice anything unusual at a charging station, immediately report it to the operator and local authorities.
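Suggestion 3's advice to double-check the URL can be written as a check that a scanning app or a reviewer runs on the string decoded from a QR code. This is an added example, not code from the article or from Neuways; the allowlisted domain `chargenet.example`, the function name `check_qr_url`, and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the charging network's real payment domain (placeholder).
OFFICIAL_DOMAINS = {"chargenet.example"}

def check_qr_url(url, allowed=OFFICIAL_DOMAINS):
    """Return (ok, reason) for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    # "https://brand@other-host/" displays the brand but connects to other-host.
    if parts.username or parts.password:
        return False, "userinfo hides the real host"
    if port not in (None, 443):
        return False, "unexpected port"
    if not host:
        return False, "no host"
    # Non-ASCII or punycode labels can render as lookalikes of the real name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized host"
    # Match the exact domain or a true subdomain, never a bare string suffix.
    if any(host == d or host.endswith("." + d) for d in allowed):
        return True, "host is on the allowlist"
    return False, "host is not on the allowlist"

# Constructed sample URLs, not taken from any real incident.
SAMPLES = [
    "https://pay.chargenet.example/station/42",
    "https://chargenet.example.pay-session.test/station/42",
    "https://chargenet.example@pay-session.test/station/42",
    "https://evilchargenet.example/station/42",
    "http://chargenet.example/station/42",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(check_qr_url(u), u)
```

Only the first sample passes; the others put the brand name in the URL while the browser would connect somewhere else or without TLS.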

About the Author

Dan Carney

Senior Editor, Design News

Dan’s coverage of the auto industry over three decades has taken him to the racetracks, automotive engineering centers, vehicle simulators, wind tunnels, and crash-test labs of the world.

A member of the North American Car, Truck, and Utility of the Year jury, Dan also contributes car reviews to Popular Science magazine, serves on the International Engine of the Year jury, and has judged the collegiate Formula SAE competition.

Dan is a winner of the International Motor Press Association's Ken Purdy Award for automotive writing, as well as the National Motorsports Press Association's award for magazine writing and the Washington Automotive Press Association's Golden Quill award.


He has held a Sports Car Club of America racing license since 1991, is an SCCA National race winner, two-time SCCA Runoffs competitor in Formula F, and an Old Dominion Region Driver of the Year award winner. He co-drove a Ford Focus 1.0-liter EcoBoost to 16 Federation Internationale de l’Automobile-accredited world speed records over distances from just under 1km to over 4,104km at the CERAM test circuit in Mortefontaine, France.

He was also a longtime contributor to the Society of Automotive Engineers' Automotive Engineering International magazine.

He specializes in analyzing technical developments, particularly in the areas of motorsports, efficiency, and safety.

He has been published in The New York Times, NBC News, Motor Trend, Popular Mechanics, The Washington Post, Hagerty, AutoTrader.com, Maxim, RaceCar Engineering, AutoWeek, Virginia Living, and others.

Dan has authored books on the Honda S2000 and Dodge Viper sports cars and contributed automotive content to the consumer finance book, Fight For Your Money.

He is a member and past president of the Washington Automotive Press Association and is a member of the Society of Automotive Engineers.
