Fake UPI QR codes are one of the fastest-growing payment frauds in India right now. A scammer pastes a printed sticker over the shopkeeper's genuine QR, you scan it, and the money goes into a stranger's account — not the merchant's. By the time anyone notices, the attacker is gone and the payment is irreversible. This guide explains exactly how fake UPI QR code scams work, the red flags you must check before every scan, and what to do if you have already been hit.
How Fake UPI QR Code Scams Work
Understanding the attack helps you spot it every time.
graph TD
A[Scammer prints fake QR sticker\npointing to their own VPA] --> B[Sticker pasted over merchant's\ngenuine QR code at counter/door]
B --> C[Customer scans the QR code]
C --> D{Customer checks\nbeneficiary name?}
D -- No, pays immediately --> E[Money credited to scammer's VPA]
D -- Yes, checks name --> F[Name mismatch spotted]
F --> G[Alert merchant, do not pay]
E --> H[Merchant notices zero credit\non their app]
H --> I[Fraud discovered — often too late]
I --> J[Report to 1930 / cybercrime.gov.in]
G --> J
The anatomy of the scam is simple but effective:
Step 1 — Create a fake VPA. A Virtual Payment Address (VPA) is the handle after the @ symbol in a UPI ID — for example, merchant123@upi or shopname@okaxis. Scammers register a throwaway VPA at any UPI-enabled bank in minutes.
Step 2 — Generate a QR. Any UPI app lets you generate a QR for your VPA. Scammers print this on a sticker that looks identical to the legitimate merchant QR.
Step 3 — Swap or overlay. The fake sticker goes on top of the original — on counters, doors, donation boxes, parking meters, and even e-commerce packaging return labels. Some attackers do this at temples, dhabas, and petrol pumps during busy hours when nobody is watching.
Step 4 — Victim scans and pays. The customer's app shows a VPA and a name. If the customer does not read the name carefully, they approve the payment. The real merchant never sees a credit.
A related variant — the "collect request" trap. Instead of a fake QR, the scammer calls the victim pretending to be a buyer ("I'll send you money for your OLX listing"). They send a UPI collect request, which looks like an incoming payment notification. Approving it actually authorises a debit. Never approve a collect request when you expect to receive money — legitimate payers send money, they do not request it from you.
The Five Checks Before You Scan Any UPI QR
These take under ten seconds and catch almost every fake.
1. Look at the QR physically. Is there a sticker on top of another sticker? Does the QR look slightly crooked, or is the print quality different from the surrounding signage? Peel back any loose edges — shops do not re-sticker their own QRs routinely.
2. Check the VPA (the handle after @). After scanning but before paying, your UPI app shows the beneficiary VPA. Does it match the merchant's shop name, the bank they use, and what their signage says? A QR on a "Sharma General Store" counter that resolves to randomnumber92847@paytm is a strong warning sign.
3. Verify the beneficiary name. Every UPI app displays the registered account holder name after resolving the QR. The name shown should match the shop name or owner. If it says "Ravi Kumar" but the shop is "Sheela Sarees," stop and ask the shopkeeper to show you their registered UPI ID from their own phone.
4. Check the amount field. Static QRs (the kind printed on stickers) should show zero in the amount field — you type the amount. Pre-filled amount QRs are legitimate for some merchants (parking, tickets), but always verify the amount before confirming.
5. Do not pay if anything feels off. Genuine merchants will not mind you asking for their UPI ID verbally or via their own phone. Anyone who pressures you to pay quickly without checking should be treated as a red flag.
Who Is Most at Risk
Consumers most at risk:
- First-time UPI users who are unfamiliar with the confirmation screen
- Shoppers in crowded markets, melas, or railway stations where focus is low
- People scanning QRs in parking lots, petrol pumps, or public toilets (coin boxes)
- Any business that uses a printed static QR as the sole payment method
- Shops in high foot-traffic areas where anyone can walk up and touch the display
- Restaurants and dhabas that leave the QR unattended near the entry or table
- Donation drives and NGO collection boxes — easy to tamper with
- OLX / Quikr sellers being asked to "receive" payment via collect request
- Rental deposits where the landlord's QR was "shared" over WhatsApp (easy to swap in transit)
pie title Where Fake UPI QR Scams Happen Most (Reported Cases)
"Retail shops & markets" : 38
"Online (OLX/WhatsApp collect requests)" : 27
"Temples & NGO donation points" : 14
"Petrol pumps & parking" : 12
"Other public locations" : 9
What Merchants Can Do Right Now
If you are a merchant, the risk is on both sides — a customer pays the wrong account and blames your shop, even though your QR was tampered without your knowledge.
Daily QR audit. Before opening, take a fresh photo of your displayed QR. Compare it with the previous day's photo. If the module pattern looks even slightly different, do not let customers use it until you have regenerated and reprinted your own.
Use dynamic QRs for large amounts. Payment apps like PhonePe, Paytm, and Google Pay Business allow merchants to generate a fresh QR for each transaction that includes the exact amount. Dynamic QRs are harder to pre-swap because they expire quickly.
Put the QR behind glass or inside a frame. A laminated or framed QR is significantly harder to sticker over than a loose paper printout. Some merchants weld the QR plate to the counter.
Display your VPA in plain text next to the QR. Write Pay to: yourshop@okicici in large font alongside the QR. If a scammer swaps the code, the VPA shown on the customer's screen will not match the printed text.
Register on UPI as a verified merchant. NPCI's merchant onboarding through acquiring banks provides a verified merchant name that appears on the customer confirmation screen — easier to verify than a personal VPA.
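The VPA and amount checks from the five-check list, and the merchant's daily QR audit, can be run on the text a QR decodes to instead of on a photo. The following is an added example, not part of the original article or of any UPI app's code. It assumes the QR has already been decoded to a string by any reader and that the payload uses the UPI deep-link form `upi://pay?pa=...&pn=...&am=...`; the function names and sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

def parse_upi_payload(payload):
    """Parse the text a UPI QR decodes to (upi://pay?pa=...&pn=...&am=...)."""
    parts = urlsplit(payload.strip())
    if parts.scheme != "upi" or parts.netloc.lower() != "pay":
        raise ValueError("not a upi://pay link")
    query = parse_qs(parts.query, keep_blank_values=True)
    repeated = sorted(k for k, v in query.items() if len(v) > 1)
    if repeated:
        # Two values for one key means different readers may pick different ones.
        raise ValueError(f"repeated parameters: {repeated}")
    return {k: v[0].strip() for k, v in query.items()}

def audit_qr(payload, expected_vpa, baseline=None, static=True):
    """Return a list of findings; an empty list means the QR passed."""
    try:
        fields = parse_upi_payload(payload)
    except ValueError as exc:
        return [f"unreadable payload: {exc}"]
    findings = []
    # pa is the payee VPA, the field that decides where the money goes.
    # pn is free text typed by whoever made the QR, so it is not checked here.
    # Assumption of this example: VPAs are compared case-insensitively.
    pa = fields.get("pa", "").lower()
    if pa != expected_vpa.lower():
        findings.append(f"payee VPA is {pa!r}, expected {expected_vpa!r}")
    # A static counter QR should leave the amount for the customer to type.
    if static and fields.get("am"):
        findings.append(f"pre-filled amount on a static QR: {fields['am']}")
    # Stricter form of the daily photo comparison: compare decoded text.
    if baseline is not None and payload.strip() != baseline.strip():
        findings.append("payload differs from the recorded baseline")
    return findings

# Constructed sample payloads, using the example names from the article.
GENUINE = "upi://pay?pa=yourshop@okicici&pn=Sheela%20Sarees&cu=INR"
SWAPPED = "upi://pay?pa=randomnumber92847@paytm&pn=Sheela%20Sarees&cu=INR"
PREFILLED = "upi://pay?pa=yourshop@okicici&pn=Sheela%20Sarees&am=500.00&cu=INR"

if __name__ == "__main__":
    for label, qr in [("genuine", GENUINE), ("swapped", SWAPPED), ("prefilled", PREFILLED)]:
        print(label, audit_qr(qr, "yourshop@okicici", baseline=GENUINE) or "OK")
```

The audit keys on `pa` because the name a customer sees on the confirmation screen is resolved by the app, while `pn` inside the QR is only a label.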
If You Have Already Been Scammed
Time matters. UPI payments are final within 30 minutes of settlement, but early reporting can help freeze the recipient's account before they withdraw.
Step 1 — Call 1930 immediately. This is India's national cybercrime helpline. Provide the transaction ID (UTR number), amount, time, your VPA, and the beneficiary VPA shown in your transaction history.
Step 2 — File on cybercrime.gov.in. Go to the National Cybercrime Reporting Portal and raise a financial fraud complaint. You will need the same details as above.
Step 3 — Report to your bank and the beneficiary bank. Your bank can flag the transaction and coordinate with NPCI's fraud management system. The beneficiary bank — identifiable from the VPA suffix (e.g., @okaxis = Axis Bank, @oksbi = SBI) — can freeze the account if the complaint arrives before withdrawal.
Step 4 — File a local police complaint. A written FIR creates a legal record and is sometimes required by banks to process refunds under RBI's zero-liability framework.
Refunds on completed UPI transactions are not guaranteed, but early reporting dramatically increases the chance of account freeze before the fraudster withdraws.
Scan Any UPI QR Before You Pay
Bachao.AI's free UPI QR scanner lets you paste a UPI ID or upload a QR image and instantly flags mismatches, newly registered VPAs, and VPAs associated with reported fraud patterns. It takes five seconds and costs nothing — use it for any payment you are uncertain about, especially high-value transactions.
Frequently Asked Questions
Can I get my money back after paying a fake UPI QR?
How do I verify a UPI VPA before paying?
Is it safe to pay via QR at temples and NGO donation counters?
What is a UPI collect request and why is it dangerous?
How can I tell which bank a VPA belongs to?
@oksbi (SBI via Google Pay), @okaxis (Axis via Google Pay), @ybl (Yes Bank via PhonePe), @paytm (Paytm Payments Bank), @upi (NPCI interoperable). If a VPA suffix does not match any recognisable bank or service, treat it as a flag and verify before paying.