CYBERSECURITY ALERT
On This Page
How QR Code Scams Work and How to Stay Safe in India
Learn how QR code scams (quishing) work in India and practical protection strategies. Understand the risks of scanning unknown QR codes and stay safe from fraud.
Cybrotech Security Team
Sep 4, 2021
You're at a trendy restaurant, scanning a QR code to view the menu. You're at a parking meter, scanning to pay. You're at a concert, scanning to check in. Innocent acts, right? But what if that QR code was planted by a criminal waiting to steal your banking details? Welcome to the world of 'quishing' — QR code phishing — the scam that's exploding in 2024. Unlike traditional scams that require you to click obvious phishing links, QR codes are invisible invitations to danger. Users scan them without hesitation, assuming they're safe. Scammers love this.
What Are QR Code Scams?
QR code scams ('quishing') work because they exploit one dangerous assumption: that a scanned code is safe. A malicious QR code looks identical to a legitimate one. You can't see malware or malicious intent in those black and white squares. This invisibility is the perfect weapon. Scammers print fake QR codes and place them over legitimate ones in restaurants, parking meters, transit stations, and even storefronts. When you scan it, you're instantly redirected to a fake website — a perfect clone of your bank, PayPal, or credit card company. You enter your credentials. The attacker gets access. Within minutes, your accounts are compromised.
Common QR Code Scam Tactics in India
- ✓Fake UPI Payment QR Codes — Criminals place malicious QR codes over UPI payment codes at restaurants, shops, and markets. Instead of sending money to the business, payments go to the scammer.
- ✓Bank Phishing Through QR Codes — ICICI, HDFC, Axis, and other Indian bank phishing sites disguised as legitimate portals. Scanning redirects to fake login pages collecting credentials.
- ✓E-commerce Scams — QR codes linking to fake Amazon, Flipkart, or local e-commerce sites used to steal payment information and delivery addresses.
- ✓Fake Recharge QR Codes — QR codes for mobile recharge redirecting to fraudulent sites stealing card details.
- ✓WhatsApp and Signal Impersonation — QR codes sent via WhatsApp claiming to update profiles but actually installing spy software.
- ✓Tax/Passport/Aadhaar Scams — QR codes claiming to be from Income Tax Department or Passport Seva sites.
QR Code Scams Statistics in India
Increase in Fraud Cases (2024)
Average Loss Per Victim
UPI Fraud Cases
- ✓Delhi, Mumbai, Bangalore, and Hyderabad report the highest QR code scam incidents
- ✓Women aged 25-45 are the most targeted demographic in India
- ✓UPI-related QR code frauds account for 62% of all QR code scams
- ✓Restaurant and retail sectors are primary attack targets
How to Spot a Malicious QR Code
- ✓Unusual Placement — QR codes pasted over existing ones or in unexpected locations should raise red flags.
- ✓Tampered Codes — Look for signs of physical tampering or overlapping codes.
- ✓Unknown Sources — Be cautious of QR codes received via unsolicited messages or emails.
- ✓Suspicious URLs — Before scanning, use a QR code preview tool or check what URL the code points to.
- ✓Unfamiliar Domains — If the code directs to a domain you don't recognize, avoid scanning it.
Practical Protection Strategies
- 1Use QR Code Preview — Many smartphone apps allow you to preview the destination URL before opening it.
- 2Verify Before Scanning — If a QR code promises something urgent, go to the official website directly instead.
- 3Enable Security Features — Use your phone's built-in security features and keep antivirus software updated.
- 4Check for Overlays — Inspect physical QR codes to ensure no stickers or overlays have been placed on top.
- 5Don't Grant Unnecessary Permissions — When installing apps from QR code links, carefully review permission requests.
- 6Use Official Sources Only — Scan QR codes only from trusted businesses and official materials.
- 7Enable Browser Security — Ensure your phone's browser has security warnings enabled for suspicious sites.
The convenience of QR codes is outweighed by the risk if you're not vigilant. Always pause before scanning and verify the source is legitimate.
Key Takeaways
- ✓QR code scams (quishing) are growing 47% faster than other fraud types in India
- ✓Never scan QR codes from unknown sources or ones that appear to be placed over existing codes
- ✓Use your phone's built-in QR preview feature to see the destination URL before opening
- ✓For payments, use only official app QR codes or codes from verified merchants
- ✓Report suspicious QR codes to local police cybercrime cell or www.cybercrime.gov.in
- ✓Enable two-factor authentication on all financial and banking accounts
- ✓Educate family members and elderly relatives about QR code dangers