Risk level: ★★★★★

QR Code Payment Scam

The QR Code Payment Scam is a growing threat in India, targeting unsuspecting individuals through fake QR codes. Scammers exploit the convenience of digital payments, leading to significant financial losses. This guide aims to educate citizens on recognizing, preventing, and recovering from such scams.

Reported across India

What is this scam?

The QR Code Payment Scam involves fraudsters creating fake QR codes that, when scanned, redirect users to malicious websites or initiate unauthorized payments. Scammers often use popular messaging platforms like WhatsApp, SMS, or even phone calls to share these QR codes, disguising them as legitimate payment requests or refunds.

In many instances, victims are approached with offers that seem too good to be true, such as discounts on products or services. The scammer might ask the victim to scan a QR code to receive a refund or to complete a payment, leading to unauthorized transactions from the victim's bank account.

These scams can occur through various channels, including social media, email, or even fake apps that mimic legitimate payment platforms. The ease of creating and sharing QR codes makes this scam particularly dangerous, as many people are unaware of the risks involved in scanning unknown codes.

Understanding how these scams operate is crucial for protecting yourself and your finances. By being aware of the tactics used by scammers, you can take proactive steps to safeguard your money and personal information.

How it happens in real life

Ravi, a 65-year-old resident of Pune, received a message on WhatsApp claiming he had won a cashback offer from a popular online store. The message included a QR code that he needed to scan to claim his reward. Excited about the unexpected windfall, Ravi scanned the code without thinking twice.

As soon as he scanned the QR code, his bank app prompted him to authorize a payment of ₹5,000. Confused, Ravi realized too late that the code was fraudulent, and the money was transferred to the scammer's account. This incident left him not only financially strained but also feeling embarrassed for falling victim to the scam.

Got a suspicious call, message, or link? Do this immediately

These steps apply to almost every fraud in India — UPI scams, fake bank calls, job offers, investment tips, courier fraud, and government impersonation. Follow them before you share anything or pay anyone.

Stop — do not engage further

  • Hang up the call immediately — do not stay on the line out of politeness or fear.
  • Do not reply to the SMS, WhatsApp, Telegram, or email — even to say “wrong number”.
  • Do not click any link, QR code, or attachment they sent.
  • Do not call back numbers they give you — use only official numbers from your bank card or website.
  • If they claim urgency (“account blocked in 2 hours”), treat that as a scam signal and pause.
  • Tell the caller you will verify independently and end the conversation.

Never share or allow

  • Never share OTP, PIN, CVV, ATM PIN, or net-banking password — not even with “bank staff” or “police”.
  • Never approve a UPI collect request or enter UPI PIN to “receive” a refund — receiving money never needs your PIN.
  • Never install AnyDesk, TeamViewer, QuickSupport, or unknown APK files they ask you to download.
  • Never enable screen sharing or “remote help” on your phone or laptop for an unknown caller.
  • Never send photos of Aadhaar, PAN, passport, or bank statements to an unsolicited contact.
  • Never transfer money for “verification”, “processing fee”, “customs charge”, or “KYC update”.
  • Never share your SIM or swap SIM at a shop because someone on the phone told you to.

Block, delete, and disconnect

  • Block the phone number on your dialer and on WhatsApp.
  • Leave and report suspicious WhatsApp / Telegram groups.
  • Delete any app or APK you installed because they asked — uninstall fully, not just remove icon.
  • Mark the email as spam/phishing and delete it after saving evidence.
  • Turn off “Unknown caller” callbacks and do not add them to contacts.
  • If you joined a video call with them, leave immediately and close the app.

Save evidence before you delete anything

  • Screenshot the full chat, including phone number, profile name, and date/time.
  • Save SMS with sender ID and message text.
  • If safe and legal in your state, record a short clip of a repeat call for reporting.
  • Note the exact time, amount (if any), UPI ID, and transaction reference number.
  • Save emails with headers visible; forward a copy to yourself before deleting.
  • Photograph QR codes or payment pages they sent — do not scan them.
  • Write down what they claimed (bank name, department, officer name) while memory is fresh.

Verify independently — never through them

  • Call your bank using the toll-free number printed on your debit/credit card or passbook.
  • Visit your bank branch in person if large money or KYC is mentioned.
  • Open your bank or UPI app manually — never via their link — and check for alerts.
  • Search the organisation name on its official .gov.in or .co.in website, not Google ads.
  • Ask a trusted family member or friend before sending money or sharing OTP.
  • Use our message checker if you are unsure about a text or WhatsApp forward.

Protect your accounts and devices

  • Change net-banking and UPI PINs from a device you trust — not one they had you install software on.
  • Enable transaction limits and alerts in your bank app and UPI app (Paytm, PhonePe, GPay, etc.).
  • If you shared OTP or logged in on a suspicious link, call the bank fraud hotline to block cards/UPI.
  • Run a malware scan if you installed an unknown app; consider factory reset if remote access was granted.
  • Turn on two-factor authentication where available; use biometrics for UPI where supported.
  • Check your bank SMS history for unknown debits in the last 48 hours.

Report and warn others

  • Call 1930 (National Cyber Crime Helpline) if money was lost or you shared OTP/PIN.
  • File a report at cybercrime.gov.in — keep the acknowledgement number.
  • Inform your bank’s fraud desk and request account/card/UPI freeze if needed.
  • Warn family members — scammers often target the same household next.
  • Report the number to your telecom provider’s spam reporting channel (1909 for SMS spam).
  • Share a warning in your local community so others do not fall for the same script.

Also specific to this scam type

  • Do not scan the QR code or click on any links.
  • Immediately block the number or contact that reached out to you.
  • Do not share your OTP or any personal information.
  • Save screenshots of the conversation for evidence.
  • Verify the offer through official channels before proceeding.
  • Inform your family members about the scam attempt.
  • Report the incident to your bank and local authorities.
  • Delete any suspicious apps that may have been suggested.
  • Do not engage further with the scammer.
  • Consider changing your passwords if you feel compromised.
  • Stay calm and think critically about the situation.

How it works — step by step

  1. Initial Contact

    The scammer reaches out to the victim via WhatsApp, SMS, or phone call, presenting an enticing offer, such as a cashback or discount. They create a sense of urgency, encouraging the victim to act quickly.

  2. Sending the QR Code

    Once the victim shows interest, the scammer sends a fake QR code, often claiming it is necessary to claim the offer or complete a payment. They may provide instructions on how to scan the code.

  3. Scamming the Victim

    When the victim scans the QR code, it redirects them to a malicious website or initiates an unauthorized payment request. The victim is often unaware that they are about to lose money.

  4. Authorization Request

    The victim receives a prompt to authorize a payment or enter sensitive information, such as their UPI PIN or OTP. The scammer manipulates the situation to make the victim believe it is a legitimate transaction.

  5. Money Transfer

    Once the victim authorizes the payment, the money is transferred to the scammer's account. The victim realizes too late that they have been scammed.

  6. Disappearing Act

    After the transaction, the scammer may block the victim's number or delete their account, making it impossible for the victim to contact them or recover their money.

Why this scam works

The QR Code Payment Scam succeeds due to the psychological manipulation employed by scammers. They create a sense of urgency and excitement, making victims feel they might miss out on a great opportunity. This urgency often leads individuals to act without thinking critically about the situation.

Additionally, scammers exploit trust by impersonating legitimate companies or services. When victims see a familiar brand or receive a message from what appears to be a credible source, they are more likely to lower their guard and proceed with the transaction, leading to financial losses.

Who is most at risk

Individuals who are not tech-savvy, seniors, and first-time smartphone users are often targeted in QR Code Payment Scams. These groups may lack awareness of digital payment security and are more likely to fall for enticing offers or scams.

What scammers say to pressure you

  • Sir, aapko cashback milne wala hai, QR code scan karke claim karein.
  • Agar aap nahi karte, toh offer expire ho jayega.
  • Ye OTP verification mandatory hai, bina iske payment nahi hoga.
  • Aapka account block ho jayega agar aap ye QR code scan nahi karte.
  • Yeh sirf aapke liye special offer hai, jaldi karein.
  • Is QR code se aapko 50% discount milega, bas scan karein.

Warning signs

  • Unexpected messages offering cashbacks or discounts.
  • QR codes sent from unknown or suspicious numbers.
  • Pressure to act quickly or risk losing the offer.
  • Requests for sensitive information like UPI PIN or OTP.
  • Links that redirect to unfamiliar websites.
  • Unusual payment requests that deviate from normal transactions.
  • Messages with poor grammar or spelling mistakes.
  • Promises of high returns for minimal effort.
  • Claims of winning contests or lotteries you didn't enter.
  • Requests to scan QR codes for refunds or payments.

Never do this

  • Never share your OTP with anyone.
  • Never scan QR codes from unknown sources.
  • Never authorize payments without verifying the sender.
  • Never install apps suggested by strangers.
  • Never pay a 'processing fee' to claim a prize.
  • Never approve unknown UPI collect requests.
  • Never share your bank details or personal information.
  • Never respond to unsolicited messages offering money.
  • Never click on suspicious links in messages.
  • Never ignore your instincts; if it feels wrong, it probably is.

How to verify before you trust

  • Call the official customer service number of the company mentioned in the message.
  • Check the official website for any ongoing offers.
  • Look for reviews or warnings about the sender online.
  • Verify the QR code by scanning it with a trusted app.
  • Ask friends or family if they have received similar messages.
  • Do not click on links from unknown sources.
  • Check for spelling errors or unusual language in the message.
  • Use a QR code scanner that shows the URL before opening it.
  • Confirm the sender's identity through a different communication channel.
  • Report suspicious messages to your bank or local authorities.
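
What a scanner that shows the decoded content before acting on it would surface, as an added example that is not part of the original guide: it classifies the text decoded from a QR code as a UPI payment request or a web link and lists what to be wary of. It assumes the standard `upi://pay` deep-link parameters (`pa`, `pn`, `am`); the function name and the sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

def inspect_qr_payload(text):
    """Classify text decoded from a QR code without opening or paying anything."""
    parts = urlsplit(text.strip())
    scheme = parts.scheme.lower()
    findings = {"kind": "other", "warnings": []}

    if scheme == "upi":
        # A upi:// QR describes money LEAVING the scanner's account.
        q = parse_qs(parts.query)
        findings.update(
            kind="upi_payment_request",
            payee_vpa=q.get("pa", [""])[0],   # UPI ID that would be paid
            payee_name=q.get("pn", [""])[0],  # display name, chosen by the payee
            amount=q.get("am", [""])[0],
        )
        findings["warnings"].append("Scanning this PAYS the payee; it never receives money.")
        if not findings["amount"]:
            findings["warnings"].append("No amount fixed; the amount is entered at pay time.")
    elif scheme in ("http", "https"):
        host = (parts.hostname or "").lower()
        findings.update(kind="web_link", host=host)
        if scheme == "http":
            findings["warnings"].append("Unencrypted http link.")
        if "xn--" in host:
            findings["warnings"].append("Punycode host; may imitate a known brand.")
        if parts.username or "@" in parts.netloc:
            findings["warnings"].append("Text before '@' hides the real host.")
        if host.replace(".", "").isdigit():
            findings["warnings"].append("Raw IP address instead of a domain name.")
    else:
        findings["warnings"].append("Unrecognised content; do not open.")
    return findings

# Constructed sample payloads (assumptions for this example, not from a real incident).
SAMPLES = [
    "upi://pay?pa=cashback-claim@examplebank&pn=Refund%20Desk&am=5000&cu=INR",
    "http://official-store.example@198.51.100.7/claim",
    "https://shop.example/offers",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", inspect_qr_payload(s))
```

The first sample is the "refund" QR from the scam script: the decoded text is a pay request with a fixed amount, which is why the bank app asks for a UPI PIN.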

Sample scam messages — do not trust these

Real frauds often arrive as SMS, WhatsApp, or calls that look official. These are typical examples — banks and government never ask for OTP, call forwarding, or remote access this way.

  • WhatsApp

    Scan this QR to receive your prize / refund of Rs 2,000. (QR is actually a PAY request, not receive.)

  • SMS

    Congratulations! You won Rs 5,000. Scan QR at stall/link to claim within 30 minutes.

How to stay safe

  • Always verify the source of any message before taking action.
  • Educate yourself about common scams and their tactics.
  • Use trusted payment apps and keep them updated.
  • Enable two-factor authentication for added security.
  • Regularly monitor your bank statements for unauthorized transactions.
  • Avoid sharing personal information on social media.
  • Be cautious of unsolicited offers or messages.
  • Use strong, unique passwords for your accounts.
  • Avoid using public Wi-Fi for financial transactions.
  • Keep your smartphone's software up to date.
  • Use antivirus software to protect your device.
  • Discuss online safety with family and friends.

If you suspect a scam right now

  • Stop any ongoing transactions if you suspect a scam.
  • Do not authorize any payments linked to the QR code.
  • Block the number or contact that reached out to you.
  • Report the scam to your bank immediately.
  • Save all messages and screenshots related to the scam.
  • Verify your account for any unauthorized transactions.
  • Inform family members about the scam attempt.
  • Consider changing your passwords for added security.
  • Delete any suspicious apps or links from your device.
  • Stay alert for any further suspicious activity.

Emergency recovery

  1. Call 1930 to report the scam and seek assistance.

  2. Visit https://cybercrime.gov.in to file a complaint.

  3. Contact your bank to report unauthorized transactions.

  4. Change your online banking passwords immediately.

  5. Monitor your bank account for any further suspicious activity.

  6. Inform family members about the scam for awareness.

  7. Keep records of all communications regarding the scam.

  8. Consider placing a fraud alert on your credit report.

  9. Follow up with the authorities for updates on your case.

  10. Stay vigilant and educate yourself about future scams.

FAQ

What should I do if I scanned a suspicious QR code?
Immediately stop any ongoing transactions and contact your bank. Report the incident to the authorities and monitor your account for unauthorized transactions.

How can I tell if a QR code is safe to scan?
Always verify the source of the QR code. If it comes from an unknown sender or seems suspicious, do not scan it. Use trusted apps to scan QR codes.

Can I recover money lost in a QR code scam?
It may be challenging to recover lost funds, but you should report the scam to your bank and file a complaint with the cybercrime department. They may assist in the investigation.

What are the common signs of a QR code scam?
Common signs include unsolicited messages offering money, pressure to act quickly, and requests for sensitive information like OTPs.

Is it safe to use QR codes for payments?
QR codes can be safe if they come from trusted sources. Always verify the sender and the purpose of the QR code before scanning.

What should I do if I receive a suspicious message?
Do not engage with the sender. Block the number, report the message to your bank, and inform family members about the scam attempt.

How can I protect myself from QR code scams?
Educate yourself about common scams, verify sources before scanning QR codes, and monitor your bank statements regularly.

What if I accidentally shared my OTP?
Immediately contact your bank to secure your account and report the incident. Change your passwords and monitor for any unauthorized transactions.

Are QR codes safe for online shopping?
QR codes can be safe for online shopping if they are from reputable merchants. Always check the legitimacy of the offer before proceeding.

What should I do if I suspect a scam in progress?
Stop any transactions, block the contact, and report the incident to your bank and the authorities.