Scammers Target Desperate EV Drivers with Fraudulent QR Codes
Fake QR codes direct EV drivers to a malicious site when all they want is to charge their car.
At a Glance
- Scammers target customers at EV chargers, parking meters, and public transit
- Scanned images my bypass your security protection
- Look for fake QR code stickers applied to the sign
Problems with public EV charging stations are so common that this difficulty is considered one of the top obstacles to speedier EV adoption in the U.S. Frequent issues with public EV charging networks include connection problems and payment for the electricity.
Most charging stations provide a QR code that drivers who are understandably desperate for a charge can scan with their smartphone’s camera in a bid to find a way to get the station to work with their car.
The problem is that now scammers are replacing the EV charging networks’ QR codes with their own, directing these unsuspecting victims to their own malicious site. Once there, drivers enter their credit card information in a bid to pay for a charge, only to have the scammers steal that information for misuse.
This is called “quishing,” a mashup of “QR” and “phishing.” In addition to EV charging stations, other public infrastructure locations like parking meters and bus stops are also being used for quishing attacks by covering their legitimate QR codes with malicious ones.
“Quishing, or QR phishing, is a cybersecurity threat in which attackers use QR codes to redirect victims to malicious websites or prompt them to download harmful content,” explains security specialist company Cloudflare. “The goal of this attack is to steal sensitive information, such as passwords, financial data, or personally identifiable information (PII), and use that information for other purposes, such as identity theft, financial fraud, or ransomware.”
While web browsers might ordinarily flag sites that look like they are impersonating a different site, entering the site’s address through the camera may circumvent that protection, warns Cloudflare. “This type of phishing often bypasses conventional defenses like secure email gateways. Notably, QR codes in emails are perceived by many secure email gateways as meaningless images, making the users vulnerable to specific forms of phishing attacks.”
DePaul University security researchers have found that authority, urgency, and reciprocation are all factors that nudge victims toward falling for a quishing scam. EV charging is uniquely appealing to scammers because they benefit from the perceived authority of the EV charging network while preying on the victim’s urgency to charge their car and offering the chance to charge as a reciprocation for the trust of providing the credit card information.
“This is a particularly insidious form of fraud because it preys on people’s trust in familiar technology,” U.S. Dept. of Energy cybersecurity expert Dr. Emma Thompson told Cybersecurity News. “QR codes have become so ubiquitous that we often scan them without a second thought,” she said.
IT security specialist Neuways offers a list of five suggestions for combatting EV charger quishing:
Inspect charging stations. Before scanning a QR code, check for signs of tampering, such as stickers or modifications to the station.
Use official apps. Whenever possible, rely on official apps from trusted charging networks instead of scanning QR codes directly.
Be cautious with payments. Avoid entering personal or payment information on unfamiliar websites. Always double-check the URL to ensure you are on a legitimate site.
Keep your devices updated. Ensure that your phone’s operating system and security software are up to date to defend against the latest threats.
Report suspicious activity. If you notice anything unusual at a charging station, immediately report it to the operator and local authorities.
About the Author
You May Also Like