Cybersecurity Threats Grow as Mexico’s EV Market Expands

With electric vehicle (EV) adoption on the rise, the automotive industry is becoming increasingly vulnerable to cyber threats. One of the latest scams is "quishing," a new form of phishing seen around the world that uses fraudulent QR codes to target EV owners directly. Cybercriminals exploit these codes at public EV charging stations, deceiving customers into disclosing sensitive information like payment details and personal data. This emerging threat poses significant risks to the growing number of EV customers, highlighting the urgent need for strengthened cybersecurity measures in both public charging infrastructure and automotive services.

Quishing is a cyberattack method that combines phishing with QR codes to deceive users. At public EV charging stations, criminals place counterfeit QR codes over legitimate ones. When scanned, the fake codes redirect customers to fraudulent websites designed to steal sensitive information. The scam is particularly effective because the legitimate site may load afterward, reinforcing the deception and making the user unaware of the breach.

"One of the latest tricks involves using identity spoofing techniques through QR codes, known as 'quishing,' to spy on or steal payment data. In fact, it is not very different from the tricks that use fake QR codes on parking meters, and those who drive electric vehicles should be cautious of this type of threat at charging stations," comments Camilo Gutiérrez Amaya, Head of the Research Laboratory, ESET Latin America.

Globally, with 14 million new electric vehicles registered in 2023, representing a 35% increase from the previous year, quishing has become a critical concern. The rise in EV adoption provides cybercriminals with more opportunities to exploit unsuspecting users.

Quishing incidents increased by 51% in 2023, with major cases reported in countries such as the United Kingdom, France, and Germany. “Cybercriminals have demonstrated a high level of sophistication, targeting sectors once considered secure,” states ESET. The company further explains that the convenience of QR codes has become a double-edged sword: “While they facilitate quick transactions, they also provide an avenue for exploitation. Many EV owners, often new to the charging process, may prefer scanning a QR code rather than downloading multiple apps or calling customer support.”

"The increase in electric vehicles exposes the industry to greater cybersecurity risks, as the systems used in these vehicles are targets for cyberattacks," said Verónica Becerra, Co-Founder of the cybersecurity company Offhack, in an interview with El Financiero.

Mexico is also experiencing a rapid expansion in the EV market. By September 2024, the country had sold 18,612 electric and hybrid vehicles, up from 14,405 units sold in 2023, according to INEGI. In total, Mexico now has approximately 125,295 fully electric vehicles on the road. 

Although specific quishing statistics in Mexico are not yet available, cybersecurity incidents in the automotive industry are rising. As much as 84% of companies in Mexico’s automotive sector reported experiencing a cybersecurity breach between 2023 and 2024, according to data from Offhack. The shift to electric vehicles has changed how personal data is stored and accessed, making customers more attractive targets for cybercriminals. As EV technology becomes more connected, personal data is often transferred between vehicles, mobile devices, and charging networks, exposing multiple points of vulnerability. “The risk is heightened by the fact that mobile devices are typically less secure than desktop computers, increasing the likelihood of a successful breach,” ESET states.

In addition to quishing, the broader automotive industry faces multiple cybersecurity threats. IQSEC recently reported that, globally, connected vehicles, which are currently at around 775 million, offer at least 12 attack targets, ranging from the drivetrain and control units to communication systems. These vulnerabilities extend along the entire automotive supply chain, making the industry a prime target for cybercriminals.

General phishing is also on the rise in the country. In 2023, Kaspersky recorded 43 million phishing attacks in Mexico, a number expected to increase with the adoption of new technologies like artificial intelligence (AI) and deepfakes, which can further enhance the sophistication of cyberattacks.

For EV customers, the personal cost of falling victim to quishing can include identity theft, financial loss, and compromised personal data. As the EV market grows, so too does the need for stronger protections to prevent customers from becoming victims of these targeted attacks.