QR Code Scams: The New Digital Pickpocketing

In today’s India, where paying by UPI is as easy as a tap, scammers have discovered a new tool: QR codes. What seems like a harmless square can turn your money into theirs in seconds. This article explains how QR fraud works, why it matters, and what legal safeguards exist under laws like the IT Act and BNS 2023.

Why You Should Care: When Convenience Becomes Risk

In 2024 and 2025, India saw an explosion in QR code-based payments, handling billions of transactions. From street vendors to shopping malls, people across the country embraced this tap-and-pay culture, making India one of the world’s top players in digital payments. But this ubiquity comes at a price. Experts report that QR scams nearly doubled between 2023 and 2024, with over 40,000 incidents reported last year alone.

In Rajasthan, cyber police recently warned that fraudsters are placing fake QR stickers over legitimate ones at shops, diverting payments into their own accounts. Victims walk away confused, while shopkeepers see no money. In a troubling case from Nagpur, cyber fraudsters discreetly swapped the original QR code on a donation banner at a local shrine with a fake one. As unsuspecting devotees scanned the code to contribute to a good cause, their money was instead funneled into the scammers’ accounts. Authorities quickly stepped in and froze the associated bank accounts to stop further misuse.

How These QR Scams Work: Everyday Examples

Retail Scam (Khajuraho, Madhya Pradesh)

In a well-planned overnight operation, a group of cyber fraudsters quietly went around several local shops and pasted counterfeit QR codes over the genuine ones. When customers paid, the funds flowed into scammers’ accounts. Businesses didn’t see the money until the next day, often too late.

Case 1: Marketplace Scam (Bengaluru OLX Seller)

An 18-year-old selling books received a QR code for payment reassurance. Initially, the scan appeared successful, drawing her trust. But then funds totaling ₹90,000 vanished from her and her mother’s bank accounts.

Case 2: Misused QR at Shrines (Nagpur)

A banner displayed at a shrine carried a QR code, claiming to collect donations for a women’s welfare organization. But the funds were diverted elsewhere, leading authorities to freeze suspicious accounts.

Case 3: Brushing Scam via Delivery (FBI observed)

Packages bearing QR codes were sent unsolicited. Victims were asked to scan them “to track” or “verify delivery.” Instead, the scans installed malware or led to phishing pages seeking sensitive information.

Understanding the Scam Tactics

Here are the most common techniques used:

  • Sticker Swap: Fraudsters cover genuine QR codes with fakes.
  • Fake Delivery Notices: Misleading QR slips lure victims into phishing sites.
  • Social Media Phishing: Scammers on platforms like WhatsApp or Instagram send QR scans claiming “transfer” or “verification.”
  • Conditional QR Links: Malicious codes adjust based on device to bypass security scans.

These frauds work because QR codes are trusted and scanned without much thought.

QR Code
That little square you scan with your phone to make a payment or get quick info, used everywhere from kirana shops to hospitals.

Quishing
A mix of “QR” and “phishing.” It’s when scammers trick you into scanning a fake QR code that steals your money or personal details.

Mule Account
A regular person’s bank account is often hacked or misused by cybercriminals to receive stolen funds, making it hard to trace the real culprit.

Identity Theft
When someone secretly uses your PAN, Aadhaar, or other personal info to open accounts, take loans, or commit fraud in your name.

Critical Infrastructure Breach
When essential digital systems like UPI, banking apps, or government portals are attacked, putting millions at risk.

The Legal Perspective: How Indian Law Responds

IT Act, 2000

  • Section 43A: If a company or digital platform is handling your sensitive personal data, it’s their duty to keep it secure. When they don’t take enough precautions to safeguard that data, and that negligence leads to a data breach, they can be held legally accountable and may be required to compensate the individuals who suffered because of it.

  • Section 66: Criminalizes unauthorized actions like tampering with electronic records.

Bharatiya Nyaya Sanhita (BNS), 2023

  • Section 318 deals with cheating specifically when someone uses dishonest means or tricks to wrongfully gain money or property. In simple terms, if a person fools someone into handing over
  • Section 111 (Organized Crime): Targets coordinated scams like QR mule rings.

These laws allow victims to demand compensation, and law enforcement to pursue cybercriminal networks legally.

How to Protect Yourself

Stay Safe When Scanning

  • If a QR code seems unusually placed, tampered with, or looks like it’s been stuck over something else, trust your instinct and avoid scanning it. It could be a trap set by fraudsters.
  • Only trust codes displayed in permanent, well-lit, official areas.
  • Stay cautious and don’t scan QR codes sent by strangers or forwarded in WhatsApp messages; these could be bait from scammers trying to trick you.

Behavior Tips

  • Preview the URL when your phone displays it before opening.
  • Pause before clicking. If the link looks unfamiliar or asks for odd permissions, it’s best to steer clear. It could be a trap set by cybercriminals.
  • Never share OTPs or banking details after scanning.

For Businesses

  • Use tamper-evident holders for codes.
  • Remove QR codes when closed or overnight.
  • Train staff and raise awareness about suspicious transactions.
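
For the sticker-swap case and the "preview before opening" tip above, a shop can decode the QR code on its own counter with any scanner app and check the resulting text against its own UPI ID. The Python sketch below is an added example, not part of the original article; it assumes the common `upi://pay?pa=...` payment-link layout, and the UPI IDs and sample payloads are constructed.

```python
from urllib.parse import urlsplit, parse_qs

def check_qr_payload(payload, expected_vpa):
    """Return findings for text decoded from a QR code on display.

    expected_vpa is the shop's own UPI ID. An empty list means the
    code pays the expected account and nothing else looks odd.
    """
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if scheme in ("http", "https"):
        # A payment QR should not open a website: possible quishing.
        findings.append(f"web link to {parts.hostname!r}, not a payment code")
        if scheme == "http":
            findings.append("link is not HTTPS")
        return findings
    if scheme != "upi":
        return [f"unexpected scheme {scheme!r}"]

    # Assumed layout: upi://pay?pa=<payee address>&pn=<name>&am=<amount>
    params = parse_qs(parts.query)
    payee = params.get("pa", [""])[0].strip().lower()
    if not payee:
        findings.append("no payee address (pa) in payment link")
    elif payee != expected_vpa.strip().lower():
        # Compared case-insensitively (assumption about UPI IDs).
        findings.append(f"payee {payee!r} does not match {expected_vpa!r}")
    if "am" in params:
        # Assumption: this shop's printed QR carries no fixed amount.
        findings.append(f"amount pre-filled: {params['am'][0]}")
    return findings

# Constructed sample payloads, as a scanner app would display them.
SHOP_VPA = "kirana.store@examplebank"
SAMPLES = {
    "genuine": "upi://pay?pa=kirana.store@examplebank&pn=Kirana%20Store",
    "swapped": "upi://pay?pa=fraud.collect@otherbank&pn=Kirana%20Store",
    "phishing": "http://track-parcel.example/verify",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, check_qr_payload(text, SHOP_VPA) or "OK")
```

In the "swapped" sample the displayed name still reads "Kirana Store", which is why the check compares the payee address rather than the name.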

Legal & Policy Measures

  • Report incidents via cybercrime.gov.in or dial 1930.
  • Banks and merchants should set low transaction thresholds for new QR payments.
  • Authorities should monitor QR usage in public spaces and enforce penalties for fraud.

Why Awareness Matters More Than Ever

India’s surge in digital transactions has opened a bigger playground for scams. As QR codes appear everywhere from kiosks to temples, so do fraudsters. Public awareness isn’t just helpful, it’s essential.

Final Word: Treat Every QR Code with Respect

QR codes are a part of daily life in post-pandemic India, but scammers have turned that convenience into a weapon. A quick scan can lead to stolen funds, identity theft, or malware infection. Your safest move? Slow down, verify first, scan last. Use legal protections under the IT Act and BNS 2023, and report any suspicious activity immediately.

Together, a bit of caution can turn digital convenience back into digital safety.

Adv. Ashish Agrawal

About the Author – Ashish Agrawal

Ashish Agrawal is a Cyber Law Advocate and Digital Safety Educator, specializing in cyber crime, online fraud, and scam prevention. He holds a B.Com, LL.B, and expertise in Digital Marketing, enabling him to address both the legal and technical aspects of cyber threats. His mission is to protect people from digital dangers and guide them towards the right legal path.
