A surge in QR code scams across India has prompted renewed warnings from law enforcement and cybersecurity experts. Fraudsters are using tampered or fake QR codes to deceive individuals and steal money directly from their bank accounts. The scale and sophistication of these “quishing” attacks are raising national concerns.
How QR Code Scams Work
What Is Quishing?
“Quishing” is a type of phishing that uses Quick Response (QR) codes to lure victims into making unauthorised payments or revealing sensitive data. Unlike traditional scams, these attacks often do not require clicking a suspicious link. Instead, scanning a malicious QR code is enough to trigger financial loss or identity theft.
Common Tactics
Scammers typically tamper with legitimate QR codes in public places or send fraudulent codes via SMS, email, or messaging apps. When scanned, these codes can:
- Redirect users to fake payment portals
- Auto-fill payment fields in Unified Payments Interface (UPI) apps
- Install spyware or malicious apps
In several cases, QR codes were used under the pretext of refunds, government grants, online sales, and scholarship disbursals.
Recent Cases Highlighting the Risk
Fake Scholarship Scam in Coimbatore
In Coimbatore, multiple parents reported losing between Rs 28,000 and Rs 53,000 after receiving WhatsApp messages offering scholarships for their children. Victims were persuaded to scan a QR code during a video call with the scammers. The money was deducted immediately after inputting the code values, according to a police report published by The Times of India.
QR Code Tampering in Retail Shops
In Mumbai, a man was arrested for pasting his own QR codes over those of legitimate shopkeepers. Customers unknowingly transferred money to the scammer. Police recovered Rs 49,000 and launched an investigation into similar incidents across the city.
E-Challan Phishing Alerts in Chennai
The Chennai Cyber Crime Division warned about fraudulent QR codes being sent via SMS, claiming to be from traffic police e-challan systems. Clicking or scanning the code redirected users to a fake payment gateway. Victims were tricked into entering bank credentials, leading to withdrawals without consent.
Why India Is a Key Target for QR Scams
Digital Adoption Without Security Maturity
India’s aggressive push toward digital payments, particularly through UPI and QR-based transactions, has made it a high-risk environment for scams. According to the Reserve Bank of India (RBI), UPI recorded over 10 billion transactions in a single month in 2024.
However, widespread usage often outpaces user education. “Users treat QR codes as inherently safe, which is problematic,” said Dr. Ankit Sharma, a cybersecurity researcher at the Indian Institute of Technology (IIT) Delhi.
Low Barriers for Perpetrators
Creating and circulating a malicious QR code requires minimal technical expertise. Free tools allow scammers to generate QR codes that link to phishing sites or mobile apps. These codes are then disseminated through social media, messaging platforms, and even physical stickers placed in public venues.
How to Stay Safe from QR Code Scams
For Individuals
- Never scan a QR code to receive money. UPI transactions require scanning only for sending payments.
- Use secure apps. Ensure your QR scanner or UPI app comes from a reputable source such as the Google Play Store or Apple App Store.
- Verify the destination. Most UPI apps allow users to preview recipient details before confirming payments. Double-check these before proceeding.
- Avoid scanning codes from unknown sources. Be cautious with codes sent via SMS or WhatsApp, particularly those accompanied by urgent language.
- Enable transaction alerts. Real-time SMS or app notifications can help detect suspicious activity early.
For Businesses
- Use tamper-proof QR displays. Laminate or encase codes in a way that makes tampering evident.
- Regularly verify codes. Store owners should test displayed QR codes to confirm the correct recipient name.
- Educate staff and customers. Awareness is the first line of defence against fraud.
Government and Law Enforcement Response
Policy and Awareness Initiatives
The Ministry of Electronics and Information Technology (MeitY) has advised citizens to report scams through cybercrime.gov.in. Meanwhile, the National Payments Corporation of India (NPCI), which manages UPI infrastructure, has released updated guidelines and safety tips.
“We are working with banks and payment service providers to include dynamic fraud detection and blocklists,” said Nalin Sharma, a spokesperson for NPCI.
Law Enforcement
The Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs is tracking cases and coordinating with state police units. Many arrests have been made in Delhi, Maharashtra, Tamil Nadu, and Karnataka in connection with QR fraud rings.
The Global Context: QR Scams on the Rise
India is not alone. In 2023, the Federal Bureau of Investigation (FBI) in the United States issued a public alert warning consumers to avoid scanning random QR codes, citing increasing reports of malware and financial fraud. Similar alerts have been issued by Germany’s Federal Office for Information Security (BSI) and the UK’s National Cyber Security Centre (NCSC).
Conclusion
The rise of QR code scams in India is a clear reminder that convenience must be balanced with caution. As digital tools continue to evolve, so too do the methods of cybercriminals. Protecting financial information now requires both technological safeguards and public awareness.
