With the rapid growth of digital payments and the widespread adoption of UPI, QR codes have become an unavoidable part of daily transactions, used at grocery stores, restaurants, parking facilities, hotels and public services. Cybercriminals are exploiting that convenience by planting fake QR codes designed to redirect victims to counterfeit payment pages and phishing links, stealing banking credentials, personal information and money in the process.
How Fraudulent QR Codes Reach Victims
Cybersecurity professionals warn that fraudsters often place fake QR sticker overlays directly on genuine payment codes at shops, parking lots, restaurants and fuel stations. In parallel, scammers circulate malicious codes through social media, email and messaging apps, dressed up as cashback offers, reward claims or urgent account-update requests. Once scanned, these codes can redirect users to malicious websites or silently trigger unauthorised payment requests.
The scale of this shift is considerable. QR code phishing, or “quishing,” attacks increased fivefold across 2025, with roughly 12 percent of all phishing emails now containing a QR code, up from negligible levels just two years earlier. Nearly 68 percent of quishing attacks specifically target mobile users, exploiting smaller screens and less visible URL previews, while around 90 percent aim to steal login credentials outright.
The fraud has also grown more technically sophisticated. Delhi Police recently exposed a racket, reportedly inspired by a South Indian film’s plot, in which a man contacted shopkeepers on WhatsApp posing as a customer, requested their QR code to “confirm a purchase,” then digitally altered the image so the shopkeeper’s name stayed visible while the underlying account was silently swapped. Many merchants had saved the same QR image in their phone gallery for repeated use, unaware it had been tampered with, until customer payments began routing to the fraudster’s account instead of their own.
The Hidden Risk for Merchants and Shopkeepers
QR fraud does not only hurt the person who scans the code. Investigators say local and interstate fraudsters increasingly use small merchants’ own QR codes to launder stolen money, paying for goods using funds that trace back to an unrelated cybercrime victim elsewhere. When police later trace that money trail, it is the merchant’s account that gets frozen, even though the shopkeeper had no knowledge the payment was tainted.
The consequences for merchants caught in this pattern can be severe. Small business owners have reported being unable to purchase stock, pay salaries or clear dues once their accounts are frozen pending investigation, while salaried customers and families dependent on digital payments have similarly been pushed into financial uncertainty by account freezes triggered through no fault of their own. Regulators have begun responding to this specific vulnerability: several states have pushed dynamic QR codes that refresh every 60 seconds at high-risk locations like petrol pumps, and the National Payments Corporation of India has piloted a “SafePay” verification tick for genuine merchant codes in Mumbai, Pune, Delhi and Bengaluru, with plans to expand to 50 cities by September 2026.
What Consumers Can Do Before Scanning
Experts advise inspecting any QR code carefully before scanning it. A code pasted over another one, with peeling edges or a recently attached look, should never be trusted, since genuine businesses generally display professionally printed codes rather than temporary stickers. Users should scan only codes from trusted businesses or verified sources, and should check the destination URL most smartphones display before opening it, cancelling immediately if the address contains misspellings or unfamiliar domains.
Prof. Triveni Singh, the former IPS officer and cybercrime specialist, said QR code fraud has become an increasingly common form of social engineering that exploits trust, urgency and familiarity with digital payments. He stressed a point that trips up many victims: receiving money never requires scanning a QR code. If anyone asks a person to scan a code to receive a refund, salary, prize or cashback, he said, it is almost certainly designed to initiate a payment out of the victim’s account rather than into it, since UPI QR codes are built to send money, not collect it.
Users should exit immediately if a website opened through a QR code requests an OTP, UPI PIN, card PIN, CVV or internet banking password, since no bank or authorised payment provider ever asks for such details this way. The RBI has separately proposed further structural safeguards against related digital payment fraud, including a one-hour delay on large peer-to-peer transfers and an annual receiving cap on UPI credits aimed specifically at curbing mule accounts, though these remain discussion-paper proposals rather than live rules. Anyone who suspects QR code-related fraud is advised to report it immediately through the National Cyber Helpline at 1930 or the National Cyber Crime Reporting Portal, since prompt reporting significantly improves the chances of freezing fraudulent transactions before the money disappears.
