Quishing Threats Target Electric Vehicle Owners in Europe, Stealing Payment Information

• A novel scam targeting electric car owners leverages fake QR codes placed at charging stations.
• These QR code phishing techniques, known as “quishing,” are used by threat actors to see or steal payment details.
• Lookalike phishing sites prompt victims to enter their payment details, which are then harvested by the fraudsters. 

With over 40 million electric vehicles (EVs) on the road worldwide, new cybersecurity threats are emerging. One of the latest scams targeting EV owners is "quishing," a sophisticated phishing technique that uses fake QR codes to steal payment information at charging stations. 

This tactic has been reported in multiple European countries, including the UK, France, and Germany.

Quishing involves fraudsters placing counterfeit QR codes over genuine ones on public EV charging stations. When scanned, these codes redirect users to a phishing site that mimics legitimate payment portals. 

Here, unsuspecting victims enter their payment details, which are then harvested by cybercriminals. In some instances, perpetrators employ signal jamming to compel users to scan the malicious QR code instead of using official apps.

The widespread adoption of EVs, coupled with over 600,000 charging points across Europe, provides ample opportunity for attackers. 

Many EV owners are new to this technology, making them prime targets for scams exploiting QR codes as a quick alternative to downloading multiple apps. This vulnerability is exacerbated by user fatigue and the convenience factor offered by QR code payments. 

To safeguard against quishing, EV owners should always verify the legitimacy of QR codes before scanning, use official charging/payment apps whenever possible, and be cautious of unsolicited requests for financial information, even at familiar locations.

In other recent news, a large-scale cryptocurrency-stealing malware campaign compromised over 28,000 users in Russia, Turkey, Ukraine, and other Eurasian countries, disguising trojans as legitimate software via YouTube promotions and fraudulent GitHub repositories.