If you scanned a QR at a shop counter, petrol pump, tea stall or parking lot and the payment "failed" but money still left your account — stop and check the name on your payment screen before trying again. In the QR sticker swap scam, a fraudster pastes their own printed UPI QR sticker over the shop's real one. You scan it, you pay, and the money goes to the scammer while the shopkeeper never receives a rupee. The single most important habit that stops this: always read the payee name on your UPI app before you tap pay — if it doesn't match the shop, cancel.
What is the QR sticker swap scam
Every shop that accepts UPI usually displays a printed QR code — a laminated sticker taped to the
counter, or a standee near the till. That sticker encodes the shop's UPI ID (called a VPA, or Virtual
Payment Address — basically a payment "username" like shopname@upi). Because it sits in the open all
day, unattended, anyone can walk up and paste a second QR sticker directly on top of the real one.
The new sticker looks identical from a distance — same size, same "Scan & Pay" branding, sometimes even the same bank logo. But underneath, it encodes a different UPI ID: one belonging to the scammer, or more often to a "mule" account — a bank account opened using someone else's stolen documents, used only to receive stolen money and withdraw it fast before anyone notices.
How the scam actually works
A typical version goes like this:
- The sticker gets swapped when no one is watching — overnight at a closed shop, during a busy
- A customer scans it normally. Nothing looks unusual — the phone opens the UPI app, shows a
- The payee name is wrong — but it's easy to miss. Every UPI app shows the payee's registered
- The shopkeeper sees no payment arrive, since the money went to the scammer's account, not
- The scammer withdraws or moves the money fast, often within minutes, to stay ahead of any
The same trick works over UPI payment links, not just printed stickers — a link that looks like a shop's payment page can actually point to the scammer's own VPA. The core deception is identical: you think you're paying one party, but the decoded destination is someone else.
customer, and may have no idea their counter QR was tampered with until several customers report the same "payment failed but money was debited" problem.
The red flags
| Red flag | Why it matters |
|---|---|
| Payee name on the confirmation screen doesn't match the shop name | This is the single most reliable signal — UPI always shows the real registered name of who you're paying |
| The QR sticker looks slightly crooked, newer, or is stuck over another sticker's edge | A physical sign of tampering — the original sticker is still underneath |
| Shopkeeper says "payment failed" but your bank app shows money debited | Classic symptom of paying the wrong VPA — your money left, but not to the shop |
| Someone claiming to be from a bank or UPI provider wants to "reissue" or "reprint" your QR sticker | Banks and NPCI do not send people to physically swap stickers at your counter |
| The QR is taped over an older, curling, or torn original sticker | Suggests the visible QR was added later, not the original one issued to the shop |
| You're asked to scan a "backup" or "alternate" QR because the main one is "not working" | A common excuse to get you to scan the fraudulent sticker instead |
Know your vulnerabilities before attackers do
Run a free VAPT scan — takes 5 minutes, no signup required.
Book Your Free ScanIf it is happening right now
If you've just scanned and are looking at the payment confirmation screen — **stop before you enter your PIN.**
- Read the payee name out loud. It must match the shop, exactly, not something close.
- If it doesn't match, cancel the transaction. Do not proceed. Tell the shopkeeper what name showed
- Never pay again "to be safe." If a shopkeeper says a payment failed, ask them to check their own
- Pay by an independent method instead — a QR the shopkeeper generates fresh on their own phone is
- If you already entered your PIN and the money is gone, note the exact time and go straight to the
random personal name, an unrelated business, or a generic-sounding handle. If in doubt, ask the shopkeeper to confirm the exact name that should appear before you pay.
Checking the QR before you pay
Because this scam depends entirely on you scanning a QR and paying without reading what's actually encoded in it, a QR-checking step before payment is a genuinely useful layer — not a guarantee.
The Bachao UPI Scanner is a free Android app built for exactly this moment: scan the QR with it first and it shows the payee's UPI ID, payee name, and amount clearly on screen before any payment happens. It never auto-opens or auto-pays. It gives a plain-English risk score, checks whether the handle looks like a typo-squatted or look-alike version of a real bank or PSP handle, and flags patterns like a pre-filled unusually high amount. If everything checks out, it hands off to your own UPI app so you complete the payment there.
Its honest limitation: it checks the QR itself for fraud signals but does not verify the payee's real identity or bank records. A swapped sticker pointing to an unremarkable-looking mule account may not trigger a red flag by itself — reading the payee name against the shop is still the check only you can make, every time, regardless of any app.
If you have already paid the wrong UPI ID
Speed decides whether this money can be recovered. Every hour matters, because mule accounts are typically drained fast.
- Call 1930 immediately — India's National Cyber Crime Helpline, built to request an emergency
- File a complaint at cybercrime.gov.in — this creates an official
- Call your bank's helpline right away and ask them to flag the transaction and raise a freeze
- Preserve evidence — screenshot the payment confirmation, the payee name and UPI ID, the
- Tell the shopkeeper. If their sticker was swapped, other customers may be about to fall for the
or moved onward within minutes to hours. The 1930 helpline and your bank can only act on money that is still sitting in the receiving account — once it's withdrawn, recovery becomes far harder.
For shopkeepers: protecting your own counter
Shopkeepers are targets too — a swapped sticker directly costs them sales and customer trust.
- Check your own QR sticker regularly for signs it's been peeled and re-stuck, or that a second
- Prefer generating a fresh QR from your own banking or UPI app for each payment, rather than
- Reconcile what you actually received against what customers say they paid, at the end of each
- **Be suspicious of anyone claiming to represent your bank or UPI provider who wants to physically
Protecting elderly parents and family
Elderly parents, in particular, are often the least used to double-checking a payee name on a screen before paying — and this scam relies entirely on someone paying quickly without reading the confirmation carefully.
- Sit with them once and show them exactly where the payee name appears on their UPI app's
- Tell them clearly: if a payment "fails" at a shop, ask the shopkeeper to check their own account
- Save the 1930 helpline number in their phone contacts, labelled clearly, so it's one tap away.
counter QR] --> B[UPI app shows
payee name] B --> C{Name matches
the shop} C -->|Yes| D[Proceed to pay
normally] C -->|No| E[Stop before
entering PIN] E --> F[Cancel and tell
shopkeeper] F --> G[Mismatch caught
before paying] D --> H{Was sticker
swapped} H -->|No| I[Payment reaches
real shop account] H -->|Yes, missed it| J[Money reaches
mule account] J --> K[Call 1930 and file
at cybercrime.gov.in] style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0 style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0 style C fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0 style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0 style E fill:#1e3d2f,stroke:#10B981,color:#e2e8f0 style F fill:#1e3d2f,stroke:#10B981,color:#e2e8f0 style G fill:#1e3d2f,stroke:#10B981,color:#e2e8f0 style H fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0 style I fill:#1e3d2f,stroke:#10B981,color:#e2e8f0 style J fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0 style K fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
The chart below is a qualitative picture of where customers most commonly report finding swapped or tampered QR stickers — not a precise measurement, just where to be most alert.
Bachao.AI, built by Dhisattva AI Pvt Ltd, publishes guides like this one to help people recognise scams before they lose money — read more on the blog. For official guidance on secure digital payments, see the Reserve Bank of India and NPCI, which governs UPI.