EV Charging App Phishing Scam
Fraudulent QR codes and cloned apps at electric vehicle charging points trick drivers into entering payment details on lookalike sites or installing malicious apps.
Last reviewed: 5 July 2026
What this scam is
EV charging app phishing scams exploit the fact that most public electric vehicle charge points require payment through a QR code scan-to-pay flow or a dedicated network app, and that there are many competing charging networks each with their own branding and process. Criminals place fraudulent QR code stickers over the genuine ones on charge point units, or publish cloned apps that imitate a legitimate charging network's name, logo, and interface.
Because EV drivers regularly encounter charge points from networks they have never used before, a fake QR code or app does not stand out the way it might in a more familiar context. The driver simply wants to start a charging session and assumes the code or app in front of them is genuine.
The result is either a phishing page that captures full card details under the guise of starting or paying for a charging session, or a cloned app — sometimes sideloaded outside official app stores — that harvests login credentials, payment details, or both.
How it works
At the charge point itself, a scammer covers the genuine QR code with their own sticker, styled to match the charging network's branding. A driver scans it expecting to be taken to the network's official payment page to start a session. Instead, the page is a convincing clone that asks for full card details, sometimes alongside creating an 'account' using an email and password the driver may reuse elsewhere.
In the app-based version, a cloned app appears in a third-party app store, or is promoted via a sideload link, using the same name and icon as the real charging network app. Once installed, it may request excessive permissions, harvest login and payment details entered by the user, or simply fail silently while the underlying phishing form has already captured the data.
A related version involves a sticker on the charge point advertising a 'customer support' phone number for when a session fails to start. Calling the number connects the driver to a scammer posing as network support, who talks them through 'resolving' the fault by reading out their card number and security code over the phone.
Why this scam works
Electric vehicle drivers frequently encounter charge points belonging to networks they have never used before, so there is no established mental model of what the 'normal' payment flow should look like for any given operator. This lack of familiarity, combined with the pressure to get a vehicle charging quickly — sometimes with limited remaining range — reduces the scrutiny drivers apply to the QR code or app in front of them.
The sheer number of competing charging networks, each with its own app, account system, and branding, also means drivers are used to downloading new apps and entering payment details for services they have not used before, which is exactly the behaviour a cloned app or phishing page is designed to exploit.
Common red flags
- QR code sticker at the charge point looks tampered with or misaligned
- App was found via a QR code or third-party store rather than an official app store search
- App requests permissions unrelated to charging, such as contacts or messages
- Web address after scanning does not match the charging network's known domain
- Support number only appears on a sticker at the unit, not the network's official channels
- Request to read out a full card number and security code over a phone call
- Urgent message claiming the charging session or payment has failed and details must be re-entered
- No padlock or secure connection indicator on the payment page
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Session could not start. Confirm your payment details to activate this charger: [link]
Your charging session failed. Please call our support line to resolve: [phone number]
Claim [amount] of free charging credit — verify your account here: [link]
Payment declined for your last charging session. Re-enter your card to avoid account suspension: [link]
Common variations
- Fake QR code sticker placed over the genuine code on a charging unit
- Cloned charging network app listed in an unofficial or third-party app store
- Sideloaded fake app promoted via a link at the charge point or online forum
- Fake 'customer support' phone number on a sticker leading to a card-detail phone scam
- Phishing email offering free charging credit that harvests network account login details
- Fake 'session failed, re-enter your card' popup shown after an initial phishing capture
How to verify before you act
Only use a charging network's app if it was downloaded directly from an official app store search for the network's verified publisher name, or via a link from the network's own official website — never from a QR code at the charge point itself. Check that the charger's unit or bay number displayed in the app matches the physical unit you are standing at.
Before entering card details on any page reached by scanning a QR code at a charge point, check the web address carefully against the charging network's known official domain. If a support number is only available via a sticker at the charge point rather than the network's official website or app, treat it as unverified and look up the real support number independently instead.
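The web-address check described above, written out as an added example (not part of the original page or any charging network's own code). The domain examplecharge.example, the sample URLs and the function names are constructed placeholders; the official domain list is assumed to come from the network's own website or app store listing.

```python
from urllib.parse import urlsplit

# Assumption: official domains copied from the network's own website or app
# store listing. "examplecharge.example" is a constructed placeholder.
OFFICIAL_DOMAINS = {"examplecharge.example"}

def check_scanned_url(url, official_domains=OFFICIAL_DOMAINS):
    """Return (ok, reason) for a URL decoded from a charge point QR code."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not an https link"
    # Anything before '@' is login text, not the site being visited.
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' is not the host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    # Non-ASCII or punycode labels can render as lookalike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised host, possible lookalike"
    # Match on a label boundary: the official domain itself or a subdomain.
    for domain in official_domains:
        if host == domain or host.endswith("." + domain):
            return True, "host is under " + domain
    return False, "host is not under an official domain"

# Constructed sample URLs, as they might be decoded from a sticker.
SAMPLES = [
    "https://pay.examplecharge.example/session?unit=12",
    "http://examplecharge.example/pay",
    "https://examplecharge.example.pay-session.example/start",
    "https://examplecharge.example@pay-session.example/start",
    "https://notexamplecharge.example/pay",
    "https://ex\u0430mplecharge.example/pay",  # Cyrillic 'a' in the name
]

def review(samples=SAMPLES):
    """Map each sample URL to its (ok, reason) verdict."""
    return {url: check_scanned_url(url) for url in samples}

if __name__ == "__main__":
    for url, (ok, reason) in review().items():
        print("OK  " if ok else "STOP", url, "->", reason)
```

Only the first sample passes: the others show that the brand name appearing somewhere in the address says nothing about which site the page is actually served from.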
Payment methods used
- Card details entered on a phishing charging session page
- Recurring or one-off unauthorised card charges
- Prepaid charging account top-up fraud
Who is usually targeted
- New electric vehicle owners unfamiliar with charging network apps
- Drivers using an unfamiliar network away from home
- Travellers relying on public charging infrastructure
- Fleet drivers using multiple different charging networks
What to do immediately
- Stop the transaction and do not enter further details if something feels wrong
- If card details were already entered, contact your bank's fraud line immediately
- Uninstall any app downloaded via a QR code or unofficial store and check for unusual permissions granted
- Check your charging network account and bank statements for unauthorised activity
- Report the tampered QR code or fake support number to the charging network operator
- Report the incident to your national fraud reporting body
How to prevent it
- Download charging network apps only from an official app store, verifying the publisher name
- Never scan a QR code at a charge point to install an app — go to the network's official website instead
- Check the charger's unit or bay number matches what the app displays before starting a session
- Verify the web address of any payment page reached via QR code against the network's known domain
- Look up support numbers independently rather than trusting a sticker at the charge point
- Never read a full card number, expiry date, or security code aloud over an unsolicited call
- Report suspicious stickers or charge point tampering to the network operator
- Use payment cards with transaction alerts enabled to catch unauthorised charges quickly
Evidence to preserve
- A photo of the QR code sticker and the charge point unit number
- A screenshot of the phishing website or app listing, including its web address or store link
- Any phone number given for 'support' on the sticker
- Bank or charging account statements showing unauthorised transactions
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do I know if a charging app is genuine?
Search for the app directly in an official app store using the charging network's exact name, and check that the publisher matches the network's known company name. Avoid installing anything via a QR code or link found at the charge point itself.
Is it safe to scan the QR code on a charging unit to pay?
Only if you have verified the code has not been tampered with and the resulting web address matches the network's known official domain. If in doubt, use the network's official app instead of scanning.
A sticker gave a support number for a failed charging session — is that safe to call?
Treat it with caution. Look up the charging network's official support number independently through its verified app or website rather than trusting a number printed on a sticker at the unit.
What should I do if I already entered my card details on a fake charging page?
Contact your bank's fraud line immediately to freeze the card and monitor for unauthorised transactions, change any reused passwords, and report the incident to your national fraud reporting body.