Security · India · 2026

QR Code Security Risks in India: the 2026 quishing playbook

QR phishing is up 146% year on year (Microsoft Q1 2026). India is the largest target market because UPI's scale makes even a small fraction of misled payments lucrative. The 5 scams to know, how to spot them, and how to defend your shop.

Why India is the world's biggest quishing target

Three numbers explain it. UPI processes 17.4 billion transactions per month (NPCI, March 2026). Of those, an estimated 65% are initiated by scanning a QR code. Roughly ₹2,300 crore was lost to UPI fraud in FY 2024-25 (RBI). The combination of massive scan volume, low security awareness in tier-2 and tier-3 cities, and the trust placed in printed QRs at counters has made India the most lucrative market on earth for QR-based fraud.

Microsoft's Q1 2026 security report named "quishing" (QR phishing) the fastest-growing attack vector globally, with India accounting for over 40% of detected attacks. RBI's Sachet portal logged a 3x increase in QR-related complaints in 2025 alone.

The 5 most common QR scams in India

1. The UPI overlay scam (most common)

A scammer prints their own UPI QR sticker and physically overlays it on top of a busy shop's QR. The shop sticker is usually a cheap paper print, easy to cover. Customers scan, see "Paying to: [some name]" in their UPI app, but tap Pay without reading because they trust the shop counter context. Money goes to the scammer; the shop owner only realises when the daily bank reconciliation falls short.

Targets: kirana shops, auto-rickshaw dashboards, parking attendant boards, temple donation boxes, restaurant counter standees, street food carts. Anywhere a printed paper QR sits unattended for hours.

Average loss per attack: ₹5,000–₹50,000 before detection. Larger shops with higher per-transaction averages lose more.

Defence:

  • Laminate the QR or place it under glass so it cannot be peeled.
  • Use a tamper-evident vinyl base (₹200 for 50 stickers on Amazon). When peeled, it leaves a chequerboard VOID pattern.
  • Print your shop name in bold ABOVE the QR. Scammers cannot match your branding cleanly, and customers will notice if the sticker looks different.
  • Train counter staff to glance at the payer's screen and read the payee name aloud ("Paying to Sharma Stores?" / "Yes"). A 5-second check kills 95% of overlay attacks.
  • Reconcile bank credits daily, not weekly. Catch mismatches within 24 hours.

2. The fake refund scam (most lucrative)

A scammer contacts a small business owner on WhatsApp pretending to be from Swiggy / Zomato / Amazon / Flipkart support. They say a refund is pending and ask the business to scan a QR to receive it. The QR is a UPI collect request, which DEBITS the business's account when approved. Distracted owners tap Approve thinking the money is coming in.

Targets: small business owners, gig workers, freelancers, anyone with a UPI-linked merchant account.

Average loss per attack: ₹2,000–₹40,000 before the victim realises.

Defence:

  • Refunds NEVER require you to scan a QR. Legitimate platforms refund directly to the bank account on file.
  • If you must scan, read carefully: a refund will show as "Receiving from:" not "Paying to:" in your UPI app.
  • Cross-verify by contacting the platform through their official app or website, not the WhatsApp number that messaged you.
  • Never approve a UPI request to an unknown UPI ID.

3. The fake parking ticket / e-challan scam

A QR sticker appears under your windshield wiper claiming to be a parking violation or e-challan. The QR leads to a fake government-looking page demanding ₹500–₹2,000 with an urgent "pay within 1 hour to avoid towing" warning. The page captures both the payment and your card or UPI details.

Defence:

  • Real e-challans come via SMS from the official RTO short code (e.g. "VAHAN" or "PARIVAHAN"), with a transaction ID you can verify on echallan.parivahan.gov.in.
  • Always verify the URL domain ends in .gov.in before paying.
  • Open the URL on a desktop browser first, not your phone, so you can see the full URL.
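The "ends in .gov.in" check above is easy to get wrong if it is done as a substring search on the whole URL, because the string can sit in the path, the query or a lookalike hostname. The following is an added example (not part of the original article or of QRSprint's code) that extracts the hostname properly and applies the suffix test only to it; the sample URLs are constructed for illustration and use reserved example domains, not real challan links.

```python
from typing import Optional
from urllib.parse import urlsplit

# Suffixes this check treats as official. .gov.in is the one the article names;
# .nic.in is added here as an assumption for NIC-hosted government portals.
TRUSTED_SUFFIXES = ("gov.in", "nic.in")


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of an https URL, or None if it cannot be trusted.

    urlsplit().hostname strips userinfo and port, so a URL of the form
    https://<official-looking-text>@<real-host>/ resolves to <real-host>, which is
    what the browser would actually connect to.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme.lower() != "https":      # a payment page must be TLS; anything else fails
        return None
    host = parts.hostname
    return host.lower() if host else None


def is_official_domain(url: str, suffixes=TRUSTED_SUFFIXES) -> bool:
    """True only when the host is exactly a trusted suffix or a subdomain of one.

    The comparison is on the hostname alone: "gov.in" appearing in the path or in a
    hyphenated lookalike such as something-gov.in does not count.
    """
    host = hostname_of(url)
    if not host:
        return False
    return any(host == s or host.endswith("." + s) for s in suffixes)


if __name__ == "__main__":
    # Constructed samples: one genuine-style challan URL and several that a naive
    # 'contains gov.in' test would wrongly accept.
    samples = [
        "https://echallan.parivahan.gov.in/index/accused-challan",
        "https://parivahan-gov.in/pay",
        "https://pay.example/echallan.parivahan.gov.in/",
        "https://echallan.parivahan.gov.in@pay.example/",
        "http://echallan.parivahan.gov.in/",
    ]
    for url in samples:
        print("official" if is_official_domain(url) else "NOT official", url)
```

The same hostname-only comparison answers the "Are government QRs safe?" question in the FAQ: read the host the app shows, not the whole string.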

4. The courier delivery QR scam

A WhatsApp or SMS claims a courier (FedEx, DHL, India Post, Blue Dart) needs ₹35–₹200 to release a package. The message includes a QR for "quick payment". The QR leads to a card-capture phishing page styled to look like the courier company.

Defence:

  • Real couriers don't ask for surprise micro-payments via WhatsApp QR.
  • If in doubt, log into the official courier app (which you installed from Play Store directly) and check for any open issues.
  • Block and report the sender on WhatsApp; forward to cybercrime.gov.in.

5. The fake KYC update scam

A WhatsApp message from "Bank" or "Paytm" says your KYC will expire today. The message includes a QR for "instant KYC verification". The QR leads to a phishing page that captures your Aadhaar, PAN, OTP, or banking credentials.

Defence:

  • Banks NEVER conduct KYC via QR code. Period.
  • Real KYC updates happen at the branch, on the bank's verified app, or via UIDAI's official portal.
  • Block and report. File a complaint at cybercrime.gov.in if you fell for it.

What to do if you got scammed

Time matters. Three steps, in order, within 24 hours:

  1. Call your bank's 24x7 fraud helpline. Most banks honour same-day chargebacks for UPI fraud under ₹10,000 if reported within 60 minutes. Keep the helpline number saved before you need it.
  2. File a complaint at cybercrime.gov.in. It is online and takes 15 minutes. This triggers an automated freeze on the recipient's UPI ID if the case is confirmed.
  3. File an FIR at your local police station cyber cell. Mandatory for amounts over ₹10,000 and for any insurance claim. Bring screenshots, transaction ID, and the WhatsApp number used.

Bonus: report the recipient UPI ID to NPCI via the BHIM app's Report Fraud option. NPCI maintains a blacklist that propagates across all UPI apps within hours.

For businesses: how to protect your QR-driven revenue

Static QR on durable material

Replace paper UPI stickers with laminated PVC or acrylic-mounted prints. The marginal cost (₹50–200 per QR) saves you the overlay scam loss many times over.

Verify before bulk-printing

Before sending 500 QR posters to print, scan the test print with three different apps (PhonePe, Google Pay, your bank app) and confirm the payee name shows your business correctly. Static QR cannot be changed after print, so a mistake at this stage means redoing the whole run.

Use a trustworthy generator

Free generators that hide ads in the QR pattern do exist (rare but real). Generate from established providers. QRSprint, the-qrcode-generator.com, Orca Scan, and TEC-IT are clean. Verify by scanning your test QR and confirming the destination matches what you typed exactly.

Add a verification layer for high-value scans

For payment QRs above ₹10,000 per transaction, consider dynamic QR with per-scan logging. You will not prevent fraud, but you will have evidence and traceability if something goes wrong.

For QR generators (us, and our peers): the platform's responsibility

QR generation platforms have three obligations to user safety:

  • Encode exactly what the user typed. No silent affiliate parameters. No analytics piggybacked into the URL. No A/B-rotated destinations on free static QR. QRSprint does none of these.
  • Make verification trivial. Show the user the encoded URL or UPI ID before they download, so they can confirm. Most generators do this; the ones that don't should be avoided.
  • For dynamic redirects, host on a trusted domain. qrsprint.com/r/XXXXX is verifiable as ours; a random domain like quickqr-redirect.xyz is not. Domain reputation matters.
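Both the "verify before bulk-printing" step for shop owners and the first two platform obligations above come down to the same operation: decode the text that will be encoded in the QR and compare it with what was intended. The following is an added example, not QRSprint's code or any UPI app's logic, that builds a payment payload in NPCI's `upi://pay?pa=...&pn=...` deep-link format, decodes it back, and reports anything that differs from the expected payee VPA and name or that was not typed in (a silently appended parameter, for instance). The VPAs, shop name and the tampered copy are constructed for illustration; `KNOWN_KEYS` lists the commonly used deep-link keys and is an assumption about which keys a payment QR should carry.

```python
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Keys commonly used in the upi://pay deep-link format (assumption: anything outside
# this set in a plain payment QR deserves a question before it goes to print).
KNOWN_KEYS = {"pa", "pn", "am", "cu", "tn", "mc", "tr", "tid", "url"}


def build_upi_payload(vpa: str, name: str, amount: Optional[str] = None,
                      note: Optional[str] = None) -> str:
    """Encode a payment QR payload from exactly the fields given, nothing else."""
    fields = {"pa": vpa, "pn": name}
    if amount is not None:
        fields["am"] = amount
    fields["cu"] = "INR"
    if note is not None:
        fields["tn"] = note
    return "upi://pay?" + urlencode(fields)


def parse_upi_payload(payload: str) -> Dict[str, str]:
    """Decode a upi://pay payload into its fields; any other scheme is rejected.

    A upi://pay QR always means the scanner is the PAYER. If a 'refund' QR decodes
    here, approving it moves money out of the scanner's account, not into it.
    """
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() != "upi" or parts.netloc.lower() != "pay":
        raise ValueError("not a upi://pay payload")
    return {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}


def verify_before_print(payload: str, expected_vpa: str, expected_name: str) -> List[str]:
    """Return problem codes; an empty list means the payload matches what was intended."""
    try:
        fields = parse_upi_payload(payload)
    except ValueError as exc:
        return ["bad-scheme: " + str(exc)]
    problems: List[str] = []
    if fields.get("pa", "").lower() != expected_vpa.lower():   # VPAs are case-insensitive
        problems.append("pa-mismatch")
    if fields.get("pn", "").strip() != expected_name.strip():
        problems.append("pn-mismatch")
    if "am" in fields:
        try:
            if Decimal(fields["am"]) <= 0:
                problems.append("am-invalid")
        except InvalidOperation:
            problems.append("am-invalid")
    if fields.get("cu", "INR") != "INR":
        problems.append("cu-not-inr")
    for key in sorted(fields):                                   # silent extra parameters
        if key not in KNOWN_KEYS:
            problems.append("unexpected-key:" + key)
    return problems


def encodes_exactly(vpa: str, name: str, amount: Optional[str] = None,
                    note: Optional[str] = None) -> bool:
    """The generator obligation as a check: what was typed is what decodes back."""
    wanted = {"pa": vpa, "pn": name, "cu": "INR"}
    if amount is not None:
        wanted["am"] = amount
    if note is not None:
        wanted["tn"] = note
    return parse_upi_payload(build_upi_payload(vpa, name, amount, note)) == wanted


if __name__ == "__main__":
    # Constructed sample: a shop's intended QR payload and a tampered copy that keeps
    # the shop name but points at a different VPA (the overlay-sticker pattern).
    intended = build_upi_payload("sharmastores@okbank", "Sharma Stores", "250.00", "Counter 1")
    tampered = "upi://pay?pa=quickcash%40okbank&pn=Sharma+Stores&cu=INR"
    for label, payload in (("intended", intended), ("tampered", tampered)):
        print(label, verify_before_print(payload, "sharmastores@okbank", "Sharma Stores"))
```

Run the decoded text from the test print through `verify_before_print` with the VPA and name on the shop's bank statement; only an empty list should go to the printer. The function does not replace the counter check of reading the payee name aloud, it just makes sure the printed QR was right to begin with.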

QRSprint security posture

Three guarantees built into the product:

  1. Static QR encodes directly. No third-party redirect server can be hijacked. The destination is in the QR pattern itself.
  2. Scan pages on verified TLS. Smart Tag scans land on qrsprint.com/t/XXXXX with HSTS preload, so no plaintext interception is possible.
  3. Masked WhatsApp relay. Tag owners never expose their real phone number to scanners or scammers. Standard masking-relay practice; the most common spam-call vector is closed by design.

Frequently asked questions

Can scanning a QR give me a virus?

Not directly. The risk is what the URL leads to next. Always read the URL preview before tapping.

How do I report a QR scam?

Bank fraud helpline first, then cybercrime.gov.in, then the local cyber cell. All within 24 hours.

Are government QRs safe?

Real ones, yes. Always cross-check that the URL domain ends in .gov.in or the verified PSU domain.

Is dynamic QR more secure than static?

Same posture. Dynamic offers recoverability if the destination is compromised; static does not.
