Introduction
QR codes have become a routine part of digital payments, particularly with the growth of UPI transactions in India. Restaurants, parking meters, online marketplaces, and delivery services widely use QR codes for quick payments. However, cybercriminals increasingly exploit this technology through QR code scams, commonly called “quishing.”
In these scams, victims scan a malicious QR code that redirects them to fraudulent payment pages, phishing websites, or malware downloads. A single scan may expose banking details or trigger unauthorized transactions. Several cybercrime complaints and police investigations in India show that people have lost large sums within seconds after scanning a fraudulent code.
What Are QR Code Scams?
QR code scams involve the use of fake or manipulated QR codes to deceive individuals into transferring money or revealing sensitive financial information. The QR code may redirect users to a phishing page that imitates a legitimate payment interface or banking portal.
Once scanned, the victim may unknowingly approve a payment request or enter login credentials. Some malicious links may also install harmful software that captures passwords, OTPs, or other confidential data. Because QR codes hide the underlying web address, victims may not realize the destination until after scanning.
How Do Scammers Use Fake QR Codes?
Cybercriminals use several techniques to distribute fraudulent QR codes in everyday situations. One common tactic involves placing fake QR stickers over legitimate ones at restaurants, fuel stations, or parking meters. Customers attempting to make payments scan the code and unknowingly transfer money to the scammer’s account instead of the business.
Another widely reported method appears in online marketplace fraud cases. In State v. Mohammed Danish (Bengaluru QR Code Fraud Case, 2023), a professor reportedly lost ₹63,000 after scanning a QR code sent by a scammer posing as a buyer. The code created a payment request rather than a receiving transaction, resulting in an immediate debit from the victim’s account.
Similarly, in State v. Rahul Kumar (OLX QR Code Scam Case, Delhi Police Investigation, 2022), a seller attempting to receive payment for goods scanned a QR code sent by a fraudster. Instead of receiving money, the seller authorized multiple payments and lost approximately ₹1.9 lakh. Police investigations later revealed that the QR code functioned as a disguised payment request.
Scammers also distribute QR codes through unsolicited packages or promotional messages. These codes may redirect victims to phishing websites that collect card details, banking credentials, or OTPs.
Why Are QR Code Scams Increasing?
The rapid expansion of digital payment systems has created new opportunities for QR-based fraud. Millions of consumers rely on QR scanning for daily transactions, making it easier for malicious codes to blend with legitimate payment systems.
Another factor lies in the structure of QR technology itself. A QR code appears as a simple pattern of black and white squares. Users cannot identify the embedded link by looking at the code. This visual opacity allows scammers to hide harmful links behind ordinary-looking codes.
Cybercriminals also take advantage of the speed of digital payments. Many transactions occur quickly in public spaces where users scan codes without verifying the source. This quick interaction reduces the chance of detecting fraudulent codes.
What Real Losses Have QR Code Scams Caused?
Financial losses associated with QR code fraud have increased significantly across several countries. Cybercrime reports indicate that victims in the United States lost more than $580 million to QR-related scams in 2024.
Authorities in the United Kingdom also recorded losses exceeding £3.5 million from reported quishing incidents between 2024 and 2025. These scams often involved fraudulent QR codes placed on parking meters or public payment points.
India has experienced a steady rise in such cases as well. Cybercrime units across several states have reported incidents where bank accounts emptied almost instantly after victims scanned malicious QR codes during online transactions or marketplace dealings.
What Legal Provisions Apply to QR Code Scams in India?
QR code scams may attract several provisions under Indian cyber and criminal laws depending on the nature of the offence. Authorities often invoke the Information Technology Act, 2000 and the Indian Penal Code, 1860 in such cases. Section 66C of the Information Technology Act deals with identity theft involving misuse of electronic credentials such as passwords or digital signatures. Section 66D addresses cheating by personation through computer resources, which may apply when fraudsters impersonate buyers or service providers to send deceptive QR codes. Section 43 of the Act covers unauthorized access to computer systems and data extraction through malicious links or malware. In addition, Section 420 of the Indian Penal Code relates to cheating and dishonest inducement to deliver property, while Sections 468 and 471 concern forgery and the use of forged electronic records for fraudulent purposes. These provisions collectively form the legal framework used by investigating agencies to prosecute QR code fraud and related cybercrimes in India.
How May People Reduce the Risk of QR Code Fraud?
Basic verification practices may reduce the chances of falling victim to QR code scams. Examining the physical placement of QR codes in public spaces may help detect suspicious overlays or tampered stickers. In restaurants or stores, confirming the official payment code with staff may prevent accidental transfers to fraudulent accounts.
Many smartphones now display the preview of a link before opening it. This feature allows users to review the destination address and identify suspicious websites. Using trusted UPI applications instead of unknown web links may also reduce the risk of phishing attacks.
Immediate transaction alerts from banks may help users detect unauthorized payments quickly. Victims who notice suspicious activity may report incidents through India’s national cybercrime helpline at 1930 or through the official cybercrime reporting portal.
Conclusion
QR codes have simplified digital payments and contactless transactions across many sectors. However, the same convenience has opened new opportunities for cybercriminals. Fraudsters continue to exploit the speed and trust associated with QR-based payments.
Awareness about common tactics, real-life cases, and verification practices may help individuals identify suspicious codes before scanning them. As digital payments become increasingly integrated into everyday life, informed and cautious usage may help reduce financial losses linked to QR code fraud.
