Every few months, another story circulates about EV charging fraud. A cloned card. A fake QR sticker. A driver billed for energy they never used. What those stories almost always leave out is the part that matters most: what happens after the fraud begins, and why it usually ends the same way.

Because the system behind public EV charging is built to detect exactly this kind of behavior.

The visible part of charging, the bit you tap or scan, is the oldest and weakest link in a much longer chain. Once you can see the rest of the chain, paying at a public charger looks like what it actually is: a system designed to catch fraud, not invite it.

The part you worry about is the part you can see

When people picture EV payment fraud, they picture the charger, the card reader, and the QR code stuck to the side of the unit. That instinct makes sense.

A contactless card or RFID fob relies on technology that predates EV charging by decades. A printed QR code is exactly what it looks like: a printed QR code. Neither was designed to be impenetrable. They were designed to be convenient.

But the thing protecting your money is not the part you can see.

That protection sits across four layers, and only the first is visible. Once you follow the rest of the chain, the picture changes completely.

blog inline ampeco selected examples of fraud in ev charging

Layer one: the charger and the sticker

This is the layer headlines love, because it is the one people can physically interfere with.

The most common trick today is the fake QR code: a sticker placed over the operator’s real payment code. Scan it, and you land on a convincing but fraudulent payment page. Security researchers call it “quishing” — QR-code phishing — and it has appeared on chargers in multiple countries.

But quishing is not a system breach. The charger has not been hacked. Your card has not been cloned. It is an old-fashioned confidence trick with a modern wrapper, and it is also the easiest layer to defend, because the defense is simply noticing.

What you can do in 30 seconds:

  • Check that the QR code is part of the charger itself, not a sticker peeling at the edges or pasted over another label.
  • Use the operator’s official app or website whenever possible, rather than scanning a code you cannot verify.
  • Expect a small pre-authorization hold when charging begins. That is usually a sign that the real payment system is working.
  • If the charger looks tampered with, or the payment page feels wrong, stop and report it. That is not paranoia; it is exactly how the loophole gets closed.

Card skimming also falls under this layer: copying payment details onto a counterfeit token. It is rarer and harder to pull off than a fake sticker, and it is exactly the kind of fraud the deeper layers are designed to detect.

Luckily, newer versions of OCPP introduce dynamic messages on screens which ultimately pushes a QR code on screen if the charger allows it.

There is a quieter version of this too, and it is a good illustration of how most charger fraud actually works. When a charger briefly loses its connection to the network, it can no longer check a card against the live authorization system in real time. To avoid stranding a legitimate driver during these gaps, many operators enable a setting in the OCPP protocol that tells the charger to accept all RFID cards while offline (the “AllowOfflineTxForUnknownId” configuration). It is a sensible choice for reliability, but it leaves a short window in which the charger will start a session for a card it cannot verify, and someone with a cloned card can aim for exactly that window. The exposure grows on stations with weak or intermittent mobile connectivity, where those offline periods happen more often. The charger was not hacked. A convenience was used against itself, which is the pattern behind a surprising amount of fraud at this layer.

Layer two: the moment charging starts

The second a charging session begins, the system asks a simple question: Is this a real, authorized request, or not?

In a connected charging network, an unknown or suspicious credential does not simply unlock free electricity. Before power flows, the network usually places a pre-authorization hold to confirm the payment method is valid. And when you charge across networks using another provider’s card, the protocols behind it are designed to verify first and charge second.

That is the opposite of the “Wild West” reputation public charging sometimes gets. The system assumes nothing. It checks first, then allows the session to begin.

But a check at the start of a session can only catch what is visible at the start. Some fraud only appears in the pattern of many sessions over time. That is the job of the next layer.

Layer three: the part you never see

This is the layer that does the real work, and it is invisible by design.

Every charging session generates data: where it happened, when, on which credential, and for how much energy. Modern charging platforms watch that data for patterns that should not exist. 

The textbook example is “impossible travel”. If a single card appears to start a session in Brussels at one o’clock and another in Madrid an hour later, nobody has to notice manually amongst 20,000 sessions per day for a company operating in both the Belgian and Spanish markets. The system flags it because the same car cannot be in both places at those times.

Other patterns stand out too: sudden bursts of cross-border charging, sessions at unusual hours far outside a vehicle’s normal range, amounts charged above 1000 kWh for a single session, or a single credential behaving like many different drivers. This is the same kind of anomaly detection banks use to spot card fraud while you are still at the checkout.

But it would be misleading to say the system catches everything instantly. Fraud detection is not a tripwire; it is a race against time.

blog inline ampeco the monitoring view

Blatantly impossible behavior can be flagged almost immediately. Careful fraud is harder. Small charges, plausible locations, and activity spread across multiple cards can look ordinary for weeks before the pattern becomes clear. The EV industry has already seen cases in which cloned credentials quietly led to five- and six-figure losses before investigators connected the dots. The technology to detect fraud existed the entire time. What was missing was speed.

That is the real state of play. The deeper layers do not make fraud impossible. They make it visible, and they shrink the gap between the first fraudulent session and the moment the network shuts it down.

That gap is getting smaller. Platforms across the industry, including AMPECO’s, now run continuous behavioral monitoring designed to catch suspicious patterns faster and earlier than before. We see operators in the EU increasingly leveraging our suspended billing rules to avoid losses while also preserving customer trust and satisfaction.

Layer four: who actually pays, and how disputes get settled

This is the most reassuring layer, and the one headlines rarely mention.

When fraud happens at a public charger, the financial loss usually does not fall on the driver. It is typically absorbed by operators, payment providers, and banks, much like card fraud at a petrol station.

Behind every charging session is a settlement and dispute system built to handle exactly these cases.

If a charge looks wrong — for example, a roaming session that does not add up — there is a formal record of the transaction (CDRs) and a process to challenge it. Charges are not simply accepted the moment they appear. They are reconciled, reviewed, and corrected when necessary.

That machinery is not glamorous, and that is precisely the point. Quiet, procedural systems are what make large payment networks trustworthy in the first place.

When “fraud” isn’t really EV charging fraud

To be honest about risk, the industry also has to be honest about this: a large share of what gets labeled as fraud is actually misuse.

The distinction matters. Fraud is theft: someone taking energy or money they have no right to. Misuse is different. It is using the system in ways that are technically allowed but clearly against its intended purpose, such as a company charging card used for the family car on weekends, a home charger opened up for reimbursed roaming or a tariff applied in ways the rules technically permit, but common sense does not.

Most misuse is not criminal, and lumping it together with skimming or cloned credentials only muddies the picture. There are also ways to resolve many of these examples above, for example by setting a rule to enable a company charging card to be used only with a specific vehicle MAC address.

Being clear about that distinction is not downplaying the problem. It is how the industry earns credibility when it says genuine fraud is manageable. Better to acknowledge where formal rules end and trust begins than pretend the line does not exist.

Fraud appears when a system becomes valuable

It is fair to ask why charger fraud is even a topic now, when a few years ago it barely registered.

The honest answer is a sign of success, not decline. Public EV charging has grown large enough to be worth targeting. Cloned access cards now circulate through semi-organized channels and attempts are becoming more deliberate. This is the same path every mainstream payment system has followed: once enough money flows through it, people try to exploit it, and the industry responds by hardening every layer. 

The EV charging industry has matured and is already deep into that response. Which brings us to the next step: removing the weakest visible link altogether.

How EV charging outgrows payment fraud

The most durable fix for the visible, vulnerable layer is to remove it.

That is the promise of Plug & Charge. Instead of relying on cards or QR codes, the car and charger authenticate each other directly through encrypted credentials built into the connection itself. You plug in, the vehicle proves its identity, and charging starts. No card to clone. No sticker to fake. The attack surface largely disappears.

Plug & Charge is already rolling out across Europe, and expanding it is one of the clearest ways the industry can make payment fraud steadily less relevant.

There is one more thing worth doing, and it is where policy can help. Fraud rarely stays on one network. It moves between operators and providers, and right now those parties do not always share warning signals quickly enough to stop a pattern early. A common, privacy-respecting way to share fraud signals across the industry would let the system catch the next large case in days rather than months. That is a coordination problem, and coordination is something an industry can choose to solve.

For drivers, the takeaway is simple: the part you can see is the part you can guard, and the rest is built to guard you. For the industry, the work is to keep shrinking the gap, and to do it together. To this end, we need to increase the application of open protocols. We also need companies to introduce cybersecurity policies and processes in partnership with their suppliers.

From CDR sanity checks to pre-authorization controls and continuous behavioral monitoring, the tools that close the gap already exist. If you are a CPO or eMSP thinking about your own defenses, see what AMPECO’s platform can do.

Author

Sasha Kostov

Content marketing manager

About the author

Leading content strategy at AMPECO, Sasha translates the complexities of EV charging into powerful business narratives. Her insights guide CPOs worldwide in making smarter, more strategic decisions.