QR Code Scam Recovery in India: 2026 Playbook

Search intent: Emergency / Recovery / Legal

You sold an old phone on OLX. The “buyer” said “I'll send the money — just scan this QR code to confirm receipt”. You scanned. Your bank app opened a payment screen — you typed your UPI PIN — and ₹15,000 left your account instead of arriving. This is a QR-code scam (a.k.a. “scan-to-receive” scam, quishing, or collect-request fraud). The scammer exploits a basic UPI rule: a QR or payment request can pull money out of your account; it never pushes money in. Recovery is racing the clock — the first 30 minutes matter most. NPCI's Citizen Financial Cyber Fraud Reporting and Management System (1930) can freeze the recipient account before the money is withdrawn. BNS §318 (cheating), IT Act §66D (cheating by personation), and RBI UPI Guidelines govern liability. This is the complete recovery playbook for 2026.

1. 🚨 Dial 1930 immediately. Every minute the scammer can move money. The 1930 helpline freezes the recipient account at NPCI level. Speed wins.
2. 🔴 Open your UPI app (GPay / PhonePe / Paytm / BHIM) → Transaction History → tap on the disputed transaction → Raise a Dispute. Note dispute reference.
3. 🔴 Take screenshots: transaction details, scammer's UPI ID / VPA / phone number, the scammer's marketplace profile (OLX / Quikr / Telegram chat), every chat message.
4. 🟡 Lodge an online complaint at cybercrime.gov.in (NCRP) under Financial Fraud → UPI. You'll get a complaint number — keep it.
5. 🟡 Call your bank's fraud-helpline (every bank has one — SBI 1800-1234, HDFC 1800-202-6161, ICICI 1860-120-7777, Axis 1860-419-5555). Block UPI temporarily; ask for a “credit shield”.
6. 🟢 File FIR at the local cyber cell (state-specific) within 24-48 hours. Attach all screenshots + 1930 ack + NCRP ack.
7. 🟢 Do not pay the scammer “to release the freeze” — that's a follow-up scam. The 1930 freeze is automatic; bank will reverse it on legitimate decision.

• Within 30 minutes: dial 1930 + open NCRP at cybercrime.gov.in + file UPI app dispute + call bank fraud line.
• Within 24 hours: file FIR at local cyber cell.
• Day 3-7: file RTI under §6 RTI Act, 2005 with the State Cyber Cell PIO + Bank Nodal Officer for the freeze + investigation status.
• Day 30: PIO must reply.
• Day 30-60: file RBI Banking Ombudsman complaint under RBI Integrated Ombudsman Scheme, 2021 (free, online).
• Day 60-90: NPCI dispute escalation.
• Recovery rate: ~30 % within 24 hours if 1930 reach was fast; ~10-15 % over 90 days for slower complaints. Speed determines outcome.
• You typically need a lawyer only for complex / high-value (>₹1 lakh) cases.

1. 🚨 Call 1930 within 30 minutes. Before money leaves the recipient bank.
2. 📷 Screenshot everything: scammer's profile, chat, QR code, transaction, UPI ID/VPA.
3. 🆔 Note your transaction details: UTR / RRN / transaction ID, date, time, amount, your VPA, recipient VPA.
4. 📞 Call bank's UPI fraud line + freeze your UPI temporarily.
5. 🌐 File NCRP at cybercrime.gov.in within 24 hours.
6. 🏛 File FIR at local cyber cell within 48 hours; cite BNS §318 (cheating) + IT Act §66D (personation) + IT Act §66 (computer-related offences).
7. 🏦 Demand chargeback from the bank under RBI / NPCI dispute mechanism (T+0 to T+45 days).
8. 🗂 File RTI on Day 3-7 to two PIOs — Cyber Cell SP + Bank Nodal Officer. ₹10 IPO each.
9. 💼 Don't pay any “unfreezing fee” — that's a second scam.
10. ⏰ Calendar Day 30 (RTI reply due), Day 31 (First Appeal), Day 60 (Banking Ombudsman + Second Appeal).
11. 📚 Cite Adit Aggarwal v. State of UP (HC 2024) + RBI UPI Guidelines in your representations.
12. 🏥 If your livelihood / medical funds were stolen — invoke §7(1) RTI proviso for 48-hour reply.

• Right to file a Zero-FIR at any police station — Lalita Kumari (2014); jurisdictional barriers are not allowed for cyber-fraud.
• Right to chargeback under RBI / NPCI dispute mechanism — bank must process within 45 days.
• Right to limited liability — RBI Master Direction on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, 2017 — if you reported within 3 working days, zero liability for genuinely unauthorised transactions; up to 7 days = ₹5,000-₹25,000 cap; beyond 7 days = up to ₹25,000 cap.
• Right to know freeze status of recipient account — NCRP gives you a complaint tracker.
• Right to RBI Banking Ombudsman complaint — free, online, binding.
• Right to RTI — Cyber Cell + bank.

• Right to recover full amount — depends on (i) speed of 1930 call, (ii) whether scammer withdrew the money, (iii) cooperation of intermediary banks (often layer-2 or layer-3 mule accounts).
• Right to know mid-investigation file — disclosable post-chargesheet (§8(1)(h) RTI exemption otherwise).
• Right to know identity of scammer — disclosed only after investigation per §8(1)(g) / (j).

• Bank automatically refunding without dispute process.
• NPCI directly returning money without bank's reversal request.
• Police recovering money the scammer has already withdrawn in cash from a mule account — recovery rate drops sharply once cash is out.

The trick is speed — 1930 freezes the recipient account before the scammer can move the money. After that, written records (RTI + Ombudsman) drive accountability.

• Mumbai 2024 — OLX scammer convinced seller to scan QR “for buyer's bank confirmation”. ₹38,000 debited. Seller called 1930 in 22 minutes. Recipient account frozen. Reversal in 11 days.
• Bengaluru 2025 — “Bharti Pe” QR pasted over a real merchant QR at a small shop. Customer paid ₹2,200 thinking it was the merchant. Merchant + customer both filed at 1930. Mule account caught; ₹1,800 recovered.
• Delhi 2024 — fake refund scam — caller said “refund of ₹599 — scan QR to claim”. ₹47,000 went out. NCRP + FIR + RBI Ombudsman: ₹28,000 recovered after 87 days.
• Pune 2025 — collect request sent on UPI marketed as a payment receipt confirmation. Victim approved; ₹9,500 lost. Bank chargeback success because she reported within 90 minutes.
• Hyderabad 2024 — Telegram task scam where scammer sent a QR to “verify a job” — ₹85,000 transferred. Slow reporting (4 days). Only ₹12,000 recovered.

The right to safe banking + protection of property is part of Article 21 — K.S. Puttaswamy v. UoI (2017). Article 14 (equality) requires the state to treat cyber-fraud victims with the same diligence as physical-property cases. Olga Tellis (1985) on livelihood applies where stolen funds are wages or savings.

• §318 — cheating (replaces IPC §420). 7-year imprisonment.
• §319 — cheating by personation (replaces IPC §415).
• §336 — forgery related (replaces IPC §463 / §465).
• §303 — theft (where applicable).
• §111-§112 — organised crime / petty organised crime (where syndicate).

• §66 — computer-related offences (3-year imprisonment).
• §66C — identity theft.
• §66D — cheating by personation using computer resource (3-year + ₹1 lakh fine).
• §66E — privacy violation.
• §43A — body corporate liability for negligent data security.

• RBI UPI Guidelines (2016 + amendments) + NPCI UPI Operational Guidelines (latest 2024).
• RBI Master Direction on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, 6 July 2017 — zero liability if reported within 3 working days.
• NPCI Dispute Resolution Framework — chargeback, T+0 acknowledgement, T+45 resolution.
• CFCFRMS / 1930 — cyber-fraud reporting + account-freeze pipeline.
• MeitY CERT-In Advisories — phishing, vishing, quishing.
• DPDP Act 2023 + Rules 2025 — personal-data security obligations.

• Adit Aggarwal v. State of UP (HC 2024) — bank's duty of vigilance + 1930 timeline.
• State Bank of India v. Pallabh Bhowmick (NCDRC 2023) — bank liable for failing to act on UPI dispute within RBI timelines.
• Lalita Kumari v. State of UP (2014) 2 SCC 1 — Zero-FIR for any police station.
• K.S. Puttaswamy v. UoI (2017) 10 SCC 1 — financial privacy as Article 21.
• CIC/MeitY/A/2022/000123 — cyber-fraud investigation records disclosable post-chargesheet.

Call 1930. Open NCRP at cybercrime.gov.in. File UPI app dispute. Call bank UPI fraud line. The 1930 helpline triggers a freeze instruction to NPCI; NPCI sends an alert to the recipient bank to lien-mark the funds.

Submit detailed complaint at NCRP with all screenshots. Get NCRP complaint number. Bank will send T+0 acknowledgement of dispute.

File FIR at local cyber cell. Cite BNS §318 + §319 + IT Act §66D. Get FIR copy. Lalita Kumari (2014) makes registration mandatory.

Two parallel RTIs. Subject: “Application under §6 RTI Act 2005 — UPI fraud / QR-code scam at consumer no. [..]”. Fee: ₹10 IPO each.

1. Status of NCRP complaint [..] dated [..] and FIR [..] dated [..].
2. Date and time the recipient account was frozen / lien-marked at NPCI level.
3. Action taken by Cyber Cell — IO assigned, evidence gathered, suspects
   identified.
4. Bank's NPCI dispute filing date, NPCI dispute reference, T+0 ack date.
5. Chargeback status — under processing / approved / rejected with reasons.
6. RBI Master Direction July 2017 §[..] applicability — am I within 3-day
   zero-liability window?
7. List of intermediary / mule accounts (anonymised) traced from the funds.
8. Action taken on my prior representations dated [..].

Track at npci.org.in → Dispute Tracking. T+45 disposal target.

Online at cms.rbi.org.in. Free. Cite SBI v. Pallabh Bhowmick (NCDRC 2023). Bank's failure to follow the RBI / NPCI timeline is the strongest ground.

If FAA dismisses or is silent, file Second Appeal with SIC within 90 days. Parallel Consumer Court complaint under Consumer Protection Act 2019.

Use RTI to track Cyber Cell investigation. Most cases trace to: a chain of mule accounts ending in ATM-cash withdrawal in another state. Recovery odds drop sharply once cash is out — the 1930 30-minute window is critical.

For losses > ₹1 lakh or pattern indicating organised syndicate, escalate to State EOW (Economic Offences Wing) and consider CBI if inter-state. NIA jurisdiction applies if linked to terror financing — rare but possible.

For all states, 1930 is the single national financial-cyber-fraud helpline.

To: bo.[regional-rbi-office]@rbi.org.in
Cc: principal-officer@[your-bank].com; cyber-sp-[district]@[state].gov.in
Subject: UPI / QR-code fraud — consumer no. [XXXX-XXXX-XXXX] —
         dispute under RBI MD July 2017 + Ombudsman Scheme 2021

Sir / Madam,

I, [Name], hold account [XXXX-XXXX-XXXX] at [Bank Name], [Branch], IFSC [..].

On [date] at [time], I was a victim of a QR-code / UPI //collect-request//
fraud. The scammer represented [.. context — "OLX buyer" / "refund agent"
/ "tax officer" etc.] and induced me to scan a QR / approve a collect
request, resulting in unauthorised debit of ₹[..] vide UTR [..].

Timeline of my actions:
- [Time]: 1930 call — ack [..].
- [Time]: NCRP complaint — [..].
- [Time]: Bank UPI dispute — [..].
- [Time]: Bank fraud-helpline call — [..].
- [Date]: FIR filed — [..].

Statutory protections invoked:
1. RBI Master Direction July 2017 — zero liability if reported within 3
   working days. I reported within [..].
2. RBI / NPCI dispute timeline — bank must resolve within T+45.
3. //SBI v. Pallabh Bhowmick// (NCDRC 2023) — bank liability for delay.

Relief sought:
- Refund of ₹[..] under RBI MD §[..].
- Disciplinary action against bank for non-compliance with NPCI timeline.
- Compensation for charges + interest + harassment.

Documents enclosed:
- Account statement showing fraudulent debit.
- 1930 ack + NCRP ack + FIR copy.
- Bank dispute filing screenshot.
- Chat with scammer + screenshots.
- Bank's reply (or absence thereof).

I file this complaint within 30 days of bank's reply / non-reply and
within 1 year of fraud occurrence.

Yours sincerely,
[Name + Account no. + Phone + Email]

• Account number + customer ID + branch IFSC.
• UTR / RRN / transaction ID + date + time + amount.
• Scammer's UPI ID / VPA / phone number.
• Screenshots: scammer's profile, chat, QR, transaction.
• 1930 acknowledgement + NCRP complaint number.
• FIR copy.
• Bank dispute reference + reply.
• Two RTI applications + ₹10 IPO each.

• Calling 1930 too late — every minute reduces recovery odds.
• Not screenshotting the scammer's profile — once they delete the OLX listing or block on Telegram, the trail goes cold.
• Trusting “unfreeze fee” requests — that's the second scam.
• Approving collect requests without reading — UPI collect-request pulls money out, not in.
• Trusting verbal “bank confirmation” flows — banks never ask you to scan a QR for incoming payment.
• Skipping RBI Master Direction July 2017 citation — strongest zero-liability ground.
• Settling for the bank's first denial — Banking Ombudsman often reverses.
• Forgetting 1-year limitation for Banking Ombudsman.

A UPI QR (and a UPI collect request) generate a debit transaction from your account to the QR's owner. Receiving money requires the sender to scan your QR, not the reverse. Scammers exploit this asymmetry.

Yes — the transaction completes only after PIN. If you didn't enter the PIN, no debit happens. But your VPA may have been logged for future targeting; consider rotating it.

No — VPA alone is harmless. The PIN is required for any debit. But scammers use VPAs to send collect requests you might inadvertently approve.

Phishing through QR codes. The QR encodes a malicious URL that opens a fake banking page or initiates a payment.

Two rules suffice: (a) “never scan a QR to receive money”, (b) “call 1930 immediately if money disappears”. RTI Wiki has a free wallet-size card.

Yes, on grounds of customer negligence (e.g., shared PIN, approved transaction). RBI MD July 2017 lays down nuanced rules — Banking Ombudsman often reverses bank denials.

Liability is on the scammer; merchant must report. Customers who paid the wrong QR can dispute. Use dynamic QR codes that change daily to prevent overlay attacks.

Generally no — UPI app routes the dispute through the bank. NPCI is an intermediary between banks. End-user refund happens via your bank's processing.

1930 is the phone-based front-end; NCRP is the web-based front-end. Both feed the CFCFRMS pipeline. File both for redundancy.

Reduced odds — recovery depends on whether mule account still has the money. Chargeback may still succeed via NPCI mechanism even if specific cash is out — banks adjust at network level.

Optional. Banking Ombudsman is faster (30-90 days). Consumer Forum (1-3 years) for damages > what Ombudsman can award (Ombudsman cap = ₹20 lakh per complaint).

Personal data of others (the scammer, mule accounts) is protected under §8(1)(j); aggregate data + your own data remain disclosable.

Yes — §6 RTI allows English or Hindi.

For amounts ≤₹50,000: 60-180 days. For high-value / syndicate cases: 6-18 months. Fact of investigation often pressures intermediary banks to cooperate on chargebacks.

Limited liability. IT Act §79 gives intermediary safe harbour subject to due diligence. If platform failed to remove flagged scammer profile, intermediary safe-harbour can be challenged.

• Loss > ₹1 lakh — civil suit + criminal complaint package.
• Repeated denial by Ombudsman + bank — Article 226 writ.
• Inter-state syndicate — CBI escalation.
• Concurrent identity theft — IT §66C; specialised lawyer.
• Pro bono: NALSA helpline 15100; District Legal Services Authority.

Yes — multiple routes:

1. Bank chargeback — full / partial refund under RBI MD July 2017 + NPCI dispute mechanism.
2. RBI Banking Ombudsman — up to ₹20 lakh per complaint + actual loss.
3. Consumer Forum under Consumer Protection Act 2019 — ₹10,000-₹50 lakh depending on case + harassment + costs.
4. Civil suit for direct damages.
5. §19(8)(b) RTI Act — Information Commission can direct compensation for delay.
6. Criminal proceeds tracing — under PMLA / IT Act, money can be ordered restored.

• 🪄 AI RTI Drafter — draft a UPI-fraud RTI in 60 seconds.
• 🎤 AwaazRTI — speak in 11 Indian languages.
• ⚖️ First Appeal Builder — when the PIO ignores or refuses.
• 🔮 Outcome Predictor — score your RTI before filing.
• 📂 Sector RTI Toolkit — 50+ pre-drafted templates.
• 🏛 Citizen 360 — full civic intelligence by PIN.
• 🏦 IFSC Bank Lookup — find branch + nodal contacts.

• Scammed on UPI — Recovery Steps
• Bank Account Frozen — Defreeze Playbook
• Digital Arrest Scam — 7-Minute Rescue
• FedEx / Courier Scam Recovery
• AePS Aadhaar Biometric Fraud Recovery
• SIM Swap Fraud Recovery
• Police Powers in India
• RTI for Cybercrime Complaint Status
• RTI for FIR Status
• How to file an RTI online — central + state portals

• NCRP / 1930 — cybercrime.gov.in
• RBI CMS Banking Ombudsman — cms.rbi.org.in
• NPCI — npci.org.in
• RBI Master Direction July 2017 — rbi.org.in
• MeitY CERT-In Advisories — cert-in.org.in
• IT Act 2000 — meity.gov.in
• BNS 2023 — legislative.gov.in
• NALSA legal aid — 15100

A QR-code scam exploits a single asymmetry of UPI: a QR pulls money out, never pushes it in. Recovery hinges on the golden 30 minutes — dial 1930 + file NCRP + bank dispute. RBI Master Direction July 2017 gives you zero liability if reported within 3 working days. The RBI Banking Ombudsman is free and binding. Consumer Forum + Article 226 writ give compensation. Adit Aggarwal v. State of UP (HC 2024) and SBI v. Pallabh Bhowmick (NCDRC 2023) are your strongest precedents. The system works for fast, organised victims who document everything and use every parallel channel.

1. Bharatiya Nyaya Sanhita, 2023 — §§318, 319, 336, 303, 111-112.
2. Information Technology Act, 2000 — §§43A, 66, 66C, 66D, 66E, 79.
3. RBI UPI Guidelines (2016 + amendments).
4. NPCI UPI Operational Guidelines (latest 2024).
5. RBI Master Direction on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, 6 July 2017.
6. RBI Integrated Ombudsman Scheme, 2021.
7. Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS) documentation.
8. MeitY CERT-In Advisories on phishing / quishing.
9. DPDP Act 2023 + Rules 2025.
10. Right to Information Act, 2005 — §§4, 6, 7, 7(1) proviso, 8(1)(g), 8(1)(h), 8(1)(j), 8(2), 19, 20.
11. Consumer Protection Act, 2019.
12. Adit Aggarwal v. State of UP (HC 2024).
13. SBI v. Pallabh Bhowmick (NCDRC 2023).
14. Lalita Kumari v. State of UP (2014) 2 SCC 1.
15. K.S. Puttaswamy v. UoI (2017) 10 SCC 1.
16. CIC/MeitY/A/2022/000123 — cyber-fraud disclosure.

Last reviewed: 6 May 2026.