India’s Unified Payments Interface (UPI) and QR codes have transformed everyday payments — from street vendors to big-brand stores, a quick scan is usually all it takes. But that convenience has also attracted fraudsters. Fake or tampered QR codes, “refund” or “verification” ruses, and QR-phishing attacks have become common ways to trick people into sending money or leaking credentials. Here’s a clear, practical guide to how these scams work and the steps you can take to stay safe.
Why QR scams rose with UPI adoption
UPI’s meteoric growth and the ubiquity of QR codes (static and dynamic) created many low-friction payment points — but also many low-friction attack surfaces. Criminals exploit users’ habit of scanning QR codes quickly, combine it with social engineering (fake offers, “refunds”, urgent requests), or physically replace legitimate merchant QR stickers with malicious ones. Regulators and payment networks have flagged rising incidents and pushed advisories, while banks and PSPs work on technical mitigations.
Common QR-code fraud types (how they work)
-
Tampered / replaced QR codes (physical overlay stickers). Scammers paste a fake QR sticker over a merchant’s legitimate QR. The customer scans and pays the attacker’s account instead. This is simple but effective at busy tills.
-
Fake dynamic QR links / phishing pages. A QR directs the scanner to a malicious payment page or app which asks for permissions, OTPs, or UPI credentials — enabling theft or remote takeover.
-
“Scan to receive” / reverse-pin trick. Fraudsters ask victims to scan a QR and enter their UPI PIN to “receive” a refund or win a prize. UPI PIN is only for authorising payments — entering it under these pretences hands control to scammers. NPCI and UPI campaigns warn specifically about this.
-
Malicious apps and QR generators. Fraudsters create apps that generate QR codes pointing to attacker wallets or capture screen/OTP information when users interact. Installing apps from unofficial sources increases risk.
-
Social-engineering + “customer care” calls. Scammers combine a QR prompt with a scripted phone call claiming to be from a bank or delivery partner and coax victims into authorising transactions or sharing OTPs.
Real-world impact (quick facts)
-
Regulators and industry reports show material increases in UPI-related fraud incidents and losses in recent years; many victims do not report frauds, which complicates tracking.
-
NPCI and banks maintain fraud-awareness pages and have run campaigns reminding users that UPI PIN is never required to receive money.
Best practices — how to safeguard yourself (practical checklist)
Use these every time you pay with a QR:
Before scanning
-
Verify visually: If the QR is on a printed sticker or board, check it’s securely fixed (not newly pasted over another), and that the merchant name shown by your UPI app matches the shop. If anything looks unusual, pay another way.
-
Don’t scan unsolicited QR codes: Never scan QR codes in random WhatsApp/Facebook messages, public notices promising large rewards, or SMS links. Treat unsolicited QR images like suspicious links.
While scanning / paying
-
Confirm payee details in the app: Most UPI apps show the beneficiary name and VPA before you enter your PIN. Read those details and cancel if the name doesn’t match the merchant. This catches many tampered-QR situations.
-
Never enter your UPI PIN to receive money or to “verify.” UPI PIN authorises payments. If someone asks you to enter it to get money or to confirm a refund, it’s a scam. NPCI/UPI advisories emphasise this repeatedly.
-
Avoid approving suspicious app permission requests: If a merchant asks you to install an app to process a QR payment, decline and use a well-known UPI app instead.
Device and account hygiene
-
Install apps only from official stores, and keep your phone’s OS and banking/UPI apps updated. Rogue apps are a major attack vector.
-
Use device security: Lock your phone, use biometric or PIN unlock, enable app lock for your banking apps if available, and don’t jailbreak/root your device.
-
Limit UPI and transaction limits where possible. Some apps let you set per-transaction or daily limits — use them for extra protection. (NPCI and banks also introduced controls and rule changes to limit abuse.)
Detecting fraud quickly
-
Monitor transaction alerts in real time. Immediately report any unauthorised debit to your bank’s fraud number and through the app. Quick action increases chances of recovery.
-
If asked for OTP or UPI PIN, refuse and call your bank: Never share OTP, CVV, or UPI PIN with anyone, not even someone claiming to be from the bank. Banks will never ask for your PIN.
Reporting and recovery
-
Report to your bank and file a police complaint. Follow the bank’s fraud reporting process (app/call/email) and lodge an FIR with local police if money is lost. Also report scams to NPCI or RBI channels if advised. Prompt reporting matters.
What payments industry and regulators are doing
NPCI, banks, and the RBI are improving detection rules, issuing advisories, and updating UPI rulebooks and API security guidelines to reduce the scope for abuse (for example, limiting background balance checks, tightening APIs, and pushing merchant onboarding checks). But technology and regulation take time — user vigilance remains the first line of defence.
Quick “cheat-sheet” — what to do if you suspect a fake QR
-
Don’t enter any PIN/OTP.
-
Cancel the operation in your app immediately.
-
Take a photo of the QR and the place where it was displayed (useful when reporting).
-
Call your bank’s fraud helpline and block/send them transaction details.
-
File a police complaint and keep the FIR/case number for follow-up.
Final thought
QR codes are a brilliant convenience — but convenience and caution must travel together. Treat every QR like a link: if you wouldn’t click a random link, don’t scan a random QR. A few extra seconds of verification can save you hours of stress and potential financial loss.
Sources and further reading
-
NPCI — UPI product pages and fraud awareness materials.
-
RBI / bank advisories and fraud reporting guidance.
-
Business Standard — reporting on UPI fraud trends and figures.
-
Razorpay — “Fake QR Code Scams: How They Work & How to Stay Safe.”
-
Paytm blog — practical advice on staying safe from UPI frauds.
-
Analysis pieces on QR-phishing trends in India (industry writeups and security blogs).
-
Recent UPI rulebook and API security guideline updates (NPCI/industry summaries).
