QR code or trap – Threat in parking lots and charging stations: the rise of quishing in Germany

In many European cities, motorists and passengers are increasingly faced with a new form of phishing – “quishing”. The scheme is as follows: fraudsters place fake QR codes on parking meters, charging stations or even car windshields, passing them off as official notices. When such a code is scanned, the user is taken to a fake website where the attackers try to obtain personal data or banking information.

The European Consumer Protection Centre is sounding the alarm: drivers are particularly vulnerable, as criminals are increasingly counterfeiting QR codes on parking meters and charging stations.

The goal of “quishing” — a portmanteau of “quick response” (QR) and “phishing” — is to lure the victim to a fake website where they are asked to enter their personal information and/or confirm a payment. In the worst-case scenario, the criminals not only steal money once, but also use the data they receive to commit further fraud. At the same time, criminals can use quishing to try to install malware on a smartphone to gain access to banking apps, etc.

Favorite field of action

As Kerstin Weber, an expert at the European Consumer Protection Centre, points out, quishing is rapidly spreading in places with heavy traffic: train stations, bus stops, bike rental points. Counterfeit “parking tickets” under car windscreen wipers are also a common occurrence. Drivers do not always think about the authenticity of stickers with QR codes, since they assume that this is a regular service for paying for parking or charging an electric car. However, fraudsters exploit this gullibility by simply sticking their counterfeit codes on top of the real ones.

The European scale of the problem

According to consumer protection organizations, cases of quishing are recorded not only in Germany, but also in France, Belgium, Ireland, Italy, the Netherlands and Spain. European police agencies have repeatedly warned users that accessing the Internet “on the go” (via QR codes in public places) can open the way to fraudsters to your accounts. The German automobile club ADAC also draws attention in its publications to the fact that criminals can redirect the victim to a real site after an “unsuccessful” payment process, during which they have already managed to collect bank data.

How to protect yourself: five simple rules from experts

• Be skeptical of public QR codes

If you come across a code on a pole, poster, parking meter or charging station, always first consider whether it really belongs to an official service.

• Check out alternative payment methods

If possible, enter the website address manually or use trusted official applications (for example, services recommended on the website of your city or parking company).

• Please read the link carefully before clicking.

Many scanning apps show the URL in advance. Look out for spelling errors, suspicious domains (e.g. “.net” instead of “.de”), and strange combinations of letters and numbers.

• If in doubt, do not enter data.

Close the site if you are asked to enter a card number, CVV code or personal information where it should not be. It is better to contact the service operator directly and ask if they really use this payment method.

• Act quickly if you see signs of fraud

If you have already made a suspicious transaction, immediately block your bank card (or PayPal/Apple Pay/Google Pay account), file a chargeback request and contact the police. It is also important to notify the parking meter or charging station operator about the incident so that they can remove the fake stickers as soon as possible.

Key takeaway

Despite the fact that QR codes offer many advantages – from fast payment to instant access to useful information, you should not let your guard down. Experts emphasize that one incorrect scan can give fraudsters control over your finances. Therefore, if in doubt, it is better to spend an extra minute manually entering the address or find another payment method than to deal with stolen money and hacked accounts later.