Published May 1, 2025

UPI QR Code Security Risks

A practical guide to understanding the security risks of UPI QR codes — how fake QR code scams work, how to identify them, and how to protect yourself when paying or receiving money.

Stashfin

UPI QR Code Security Risks: How to Identify Scams and Protect Yourself

QR codes have made UPI payments faster and more convenient than ever. A simple scan is all it takes to pay a merchant, split a bill, or send money. But this convenience has also attracted fraudsters who exploit QR codes to deceive users into sending money to the wrong person or compromising their accounts. Understanding the security risks associated with UPI QR codes is essential for every digital payment user.

How UPI QR Code Payments Work

A UPI QR code encodes a VPA (Virtual Payment Address, the recipient's UPI ID) and optionally a fixed payment amount. When you scan it with your UPI app, the app reads the encoded information and pre-fills the recipient's UPI ID in the payment form. You review the details, enter the amount if it is not pre-filled, and authenticate with your UPI PIN to complete the payment. The critical point to understand is that scanning a QR code only sends money; it never receives money. This distinction is at the heart of the most common QR code scam.

The Fake Receive Money QR Code Scam

The most widespread UPI QR code scam involves a fraudster sending you a QR code and claiming it will allow you to receive money. The fraudster may pose as a buyer on a resale platform, a customer making a payment, or even a bank representative processing a refund. In reality, the QR code they send is a payment QR code that, when scanned, initiates a payment from your account to theirs. There is no such thing as a QR code for receiving money — scanning any QR code in a UPI app will always result in a debit from your account, never a credit. If anyone sends you a QR code and asks you to scan it to receive money, it is a scam.

Tampered QR Codes at Physical Merchant Locations

Another risk involves fraudsters physically replacing a legitimate merchant's QR code with a fake one that routes payments to a different VPA. This can happen at small shops, stalls, or any location where a printed QR code is displayed. When you scan what appears to be the merchant's QR code, the payment goes to the fraudster instead. Always check the name displayed in your UPI app after scanning a QR code and before confirming payment — the name should match the merchant you intend to pay.

Screen Sharing Scams Involving QR Codes

Some fraudsters ask victims to share their screen, ostensibly to help with a technical issue or payment problem. While the screen is shared, the fraudster can see the user's UPI app and guide them through scanning a malicious QR code or approving a fraudulent transaction. Never share your screen with anyone who is not a trusted person, and never follow instructions from an unknown caller while your UPI app is open.

Dynamic QR Code Risks

Dynamic QR codes — which embed a specific payment amount — can be misused by dishonest merchants who set a higher amount than the agreed price. Always check the payment amount displayed in your UPI app after scanning a QR code and before entering your PIN. If the amount is incorrect, cancel the transaction and alert the merchant.
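
The payee check for tampered merchant codes and the amount check for dynamic codes, written out as an added Python example; it is not part of the original article or of any UPI app's code. It assumes the QR decodes to the `upi://pay` deep-link form with `pa` (payee VPA), `pn` (payee name) and `am` (amount) parameters, and the VPAs, names and amounts are constructed samples.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Constructed sample payloads (not real VPAs). Assumed format: upi://pay?...
GENUINE = "upi://pay?pa=cornershop@examplebank&pn=Corner%20Shop&cu=INR"
# Sticker swapped at the counter: same display name, different payee VPA.
SWAPPED = "upi://pay?pa=someoneelse@examplebank&pn=Corner%20Shop&cu=INR"
# Dynamic QR carrying a higher amount than the agreed price.
INFLATED = "upi://pay?pa=cornershop@examplebank&pn=Corner%20Shop&am=950.00&cu=INR"


def parse_upi_payload(payload):
    """Parse the text decoded from a UPI QR code into its payment fields."""
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() != "upi" or parts.netloc.lower() != "pay":
        raise ValueError("not a UPI payment link")
    params = parse_qs(parts.query, keep_blank_values=True)
    # A repeated key (e.g. two 'pa' values) makes the real payee ambiguous.
    repeated = sorted(k for k, v in params.items() if len(v) > 1)
    if repeated:
        raise ValueError(f"repeated parameters: {repeated}")
    fields = {k: v[0] for k, v in params.items()}
    if "@" not in fields.get("pa", ""):
        raise ValueError("missing or malformed payee VPA (pa)")
    return fields


def check_payment(payload, expected_vpa, agreed_amount=None):
    """Return warnings for a scanned QR; an empty list means it matches."""
    fields = parse_upi_payload(payload)
    warnings = []
    # 'pn' is whatever the QR's creator typed, so compare the VPA, not the name.
    if fields["pa"] != expected_vpa:
        warnings.append(f"payee is {fields['pa']}, expected {expected_vpa}")
    if "am" in fields and agreed_amount is not None:
        try:
            amount = Decimal(fields["am"])
        except InvalidOperation:
            warnings.append(f"unreadable amount {fields['am']!r}")
        else:
            if amount != Decimal(agreed_amount):
                warnings.append(f"amount is {amount}, agreed {agreed_amount}")
    return warnings


if __name__ == "__main__":
    for name, qr in [("genuine", GENUINE), ("swapped", SWAPPED), ("inflated", INFLATED)]:
        print(name, check_payment(qr, "cornershop@examplebank", "250.00"))
```
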

How to Stay Safe When Using UPI QR Codes

The most important safety rule is to always read the payment details in your UPI app before entering your PIN. Check the recipient's name and the payment amount every time. Never scan a QR code sent to you by someone you do not know, especially if they claim it will help you receive money. At physical locations, verify that the QR code belongs to the merchant — some shops display the merchant's name above or near the QR code, which helps verify authenticity. Report any suspicious QR code or transaction immediately through the Stashfin app or to your bank.

What to Do if You Have Been Scammed

If you realise you have been deceived into scanning a fraudulent QR code and money has left your account, act quickly. Contact your bank immediately to report the fraudulent transaction and request a freeze on further activity. File a complaint on the National Cyber Crime Reporting Portal or call the national cybercrime helpline. Keep all transaction reference numbers and screenshots as evidence for the dispute process.

UPI transactions are governed by NPCI guidelines. Stashfin is an RBI-registered NBFC. Please ensure transaction details are correct before confirming payment.

Frequently asked questions

Common questions about this topic.

No. Scanning a UPI QR code always initiates a payment from your account. There is no such thing as a QR code for receiving money. Anyone who sends you a QR code and claims it will help you receive money is attempting a scam.
