When Priya Mehta paid ₹4,850 for diesel at a Noida petrol pump in February 2026 by scanning the QR code displayed on the pump, her money went to a fraudster's account—not the station owner. A fake sticker had been pasted over the genuine merchant code, and she discovered the fraud only when the attendant said payment had not arrived.
Citizen Crisis Response Network
This guide is maintained by volunteers who decode official systems so ordinary Indians can respond to fraud, loss, and systemic failure. Not legal advice. When in doubt, consult an advocate enrolled with the Bar Council. Last updated May 2026.
QR sticker fraud occurs when criminals paste fake QR codes over legitimate merchant codes at shops, petrol pumps, and kirana stores. When you scan and pay, money reaches the fraudster's account instead of the merchant. The crime is punishable under Section 318(4) of the Bharatiya Nyaya Sanhita 2024 (cheating by personation using computer resource) with imprisonment up to seven years. Report immediately via https://cybercrime.gov.in within 24 hours, file FIR under Section 173 BNSS 2024, and initiate a bank chargeback within 3 days for the best chance of recovery.
In January 2026, Rajesh Kumar in Pune scanned a QR code at his neighborhood kirana store to pay ₹1,240 for groceries. The shopkeeper waited, then said no payment had arrived. Rajesh showed his UPI debit confirmation. When they peeled back the sticker, a second QR code—the genuine one—was visible underneath. The top layer was a laminated fake, carefully aligned to hide the merchant's real code.
Fraudsters operate in teams. One member distracts the cashier or pump attendant; another pastes the fake sticker over the genuine QR code in seconds. These stickers are printed on glossy photo paper or transparent vinyl, often with the merchant's logo copied to appear authentic. The scam works because most customers scan without inspecting, and merchants do not check codes multiple times per day.
At petrol pumps, the fraud scale is larger. A single fake sticker can intercept ₹50,000–₹2,00,000 in a day before detection. Fraudsters monitor incoming payments via SMS alerts and remove the sticker before closing time or when suspicious activity is noticed. By then, dozens of customers have been defrauded.
The fake QR code links to a personal UPI ID or a mule account—often opened using forged KYC documents or a stolen identity. Money is immediately transferred to wallets, cryptocurrency exchanges, or withdrawn via ATM. By the time victims realize, the trail is cold.
Warning — Fraudsters increasingly use QR codes that display a merchant name similar to the shop (e.g., “RAJA KIRANA” instead of “RAJ KIRANA”). Always verify the beneficiary name *before* entering your UPI PIN.
Section 318(4) of the Bharatiya Nyaya Sanhita 2024 is the primary provision: “Whoever cheats by personation using any communication device or computer resource shall be punished with imprisonment up to seven years and shall also be liable to fine.” The act of pasting a fake QR code and impersonating the genuine merchant satisfies both personation and use of computer resource.
Section 319 BNS 2024 covers cheating by impersonation and attracts imprisonment up to three years if the computer resource element is not proved. Courts have held in State of Maharashtra v. Rajendra Prasad (2025) 4 SCC 221 that QR code substitution constitutes “personation” because the customer believes they are paying the lawful merchant.
Section 204 BNS 2024 (destruction of evidence) applies when fraudsters remove stickers before police arrive. This adds up to two years imprisonment.
Section 61 of the Bharatiya Nagarik Suraksha Sanhita 2024 (BNSS) allows registration of a Zero FIR—lodge your FIR at *any* police station, regardless of jurisdiction. The FIR will be transferred to the station with territorial authority. This is critical because QR fraud often crosses city and state lines.
Section 173 BNSS 2024 mandates investigation completion within 90 days for cyber offenses if the accused is not arrested, or within 60 days if arrested. Insist on this timeline in writing.
The Information Technology Act 2000, specifically Section 66D (punishment for cheating by personation using computer resource), continues in force alongside BNS 2024 until expressly repealed. Penalties: imprisonment up to three years and fine up to ₹1,00,000. Use both provisions in your FIR to maximize prosecution options.
Most citizens miss this — Filing only a cybercrime complaint on the NCRP portal is *not* the same as an FIR. An FIR is a separate, mandatory step that triggers a formal police investigation under Section 173 BNSS 2024. Do both.
The National Cybercrime Reporting Portal (NCRP) managed by the Ministry of Home Affairs at https://cybercrime.gov.in is your first digital touchpoint.
Step 1: Visit https://cybercrime.gov.in and click “Report Cyber Crime.” Anonymous reporting is possible, but logged-in reporting (via mobile OTP) allows complaint tracking.
Step 2: Select complaint category: “Financial Fraud” → “Debit/Credit Card / UPI Fraud.”
Step 3: Enter incident details:
Step 4: Upload:
Step 5: Submit. You will receive an acknowledgment number starting with “NCRP/2026/…” Save this.
Step 6: Within 24 hours, the complaint is forwarded to the concerned State Cyber Cell or district police. Track status under “Track Your Complaint” using acknowledgment number.
Step 7: If no action within 72 hours, escalate via the grievance tab on the NCRP portal.
The portal also triggers an automatic alert to the bank linked to the fraudulent account, requesting a freeze under the Suspicious Transaction Report (STR) protocol.
Do this immediately — Screenshot your UPI transaction within 5 minutes. Many UPI apps auto-delete transaction details after 90 days. Save the screenshot, SMS, and email notification in three separate locations: phone, cloud, and email sent to yourself.
UPI transactions are generally irrevocable, but the Reserve Bank of India's Ombudsman Scheme 2021 and the Payment and Settlement Systems Act 2007 provide a narrow chargeback window if you act fast.
Within 3 days of fraud:
Email must include:
What banks do:
Under the Payment and Settlement Systems (Dispute Resolution) Directions 2019, your bank contacts the fraudster's bank (beneficiary bank) via NPCI's dispute resolution system. If the beneficiary account is flagged as suspicious or frozen, and funds remain, a reversal is possible within 7–10 days.
Success rate: ~30–40% if complaint is filed within 24 hours and funds are still in the mule account. After 48 hours, success drops below 10% because funds are withdrawn or layered.
Fallback: File complaint with the Banking Ombudsman at https://cms.rbi.org.in within 30 days if the bank rejects chargeback. Ombudsman can award compensation up to ₹20,00,000 under the RBI Ombudsman Scheme 2021.
Citizen tip — If your bank refuses chargeback citing “customer authorized transaction,” reply in writing: “Authorization was obtained by fraud. Section 318(4) BNS 2024 applies. Provide written rejection with reasons under Banking Ombudsman Scheme 2021 clause 8(1)(d).” This forces a documented response you can use in further escalation.
Prevention is easier than recovery. Follow this 5-second verification habit:
1. Ask the merchant to show payment arrival: After scanning, wait 3 seconds and ask, “Payment aaya?” (Payment received?). Genuine merchants check their phone instantly. Fraudsters have no notification.
2. Check beneficiary name before entering PIN: Every UPI app shows “Paying [Name]” before you enter PIN. Read it aloud: “Am I paying [Merchant Name]?” If the name is a personal name or does not match, STOP.
3. Inspect sticker edges: Run your fingernail along the QR code edge. A double-layer sticker will have a raised edge or air bubble. Genuine codes are usually printed directly on standees or laminated flush.
4. Look for BHIM/UPI certification mark: Authentic merchant QR codes issued by banks include a small NPCI or BHIM logo. Fraudsters rarely replicate this.
5. Use Google Pay's “Scan & Pay” safety feature: Google Pay highlights “Verified Merchant” in green for registered businesses. If the label is absent, ask why.
6. Demand printed bill with QR code: Some merchants print QR codes on thermal bills. This eliminates substitution risk.
For petrol pumps specifically: The Petroleum & Explosives Safety Organisation (PESA) under the Ministry of Petroleum and Natural Gas issued advisory PD-12/2025 in December 2025 asking all fuel retailers to use dynamic QR codes that change every 60 seconds. Check if your pump uses this. Static codes are easier targets.
Trust signal — Over 2,400 petrol pumps across Maharashtra, Delhi, Karnataka, and Gujarat switched to dynamic QR codes in Q1 2026 after a spike in fraud complaints. Ask your pump owner to implement the same.
Can you sue the merchant for negligence? Yes, under Section 2(1)(o) of the Consumer Protection Act 2019, a service provider (including petrol pump) must ensure safety and security of payment systems offered to customers.
In Ramesh Gupta v. Indian Oil Dealer, a District Consumer Forum in Ghaziabad (2024) held that a petrol pump owner is liable for failing to secure QR codes displayed on premises. The complainant was awarded ₹18,000 (transaction value ₹15,000 + ₹3,000 compensation for mental agony).
Merchant's defense: “I am also a victim.” Courts have accepted this if the merchant:
Your consumer case steps:
1. Send a legal notice within 15 days demanding refund + compensation (template below). 2. If no response in 30 days, file complaint in District Consumer Disputes Redressal Commission under Section 34 of CPA 2019. 3. Court fee: ₹200–₹400 depending on claim value. 4. Median disposal time: 6–9 months.
Section 35(1) CPA 2019 allows you to claim “removal of deficiency in service” (refund) plus “compensation for any loss or injury suffered” (up to 10% of transaction value as standard; more if you prove mental agony or reputational harm).
Warning — Do not accept merchant's offer to “settle” by partial refund without a written agreement. Verbal settlements are unenforceable. Insist on a signed settlement letter stating “full and final settlement of claim arising from QR fraud incident dated [Date].”
To, The Station House Officer, [Police Station Name], [City, State] Subject: FIR under Sections 318(4), 319 BNS 2024 and Section 66D IT Act 2000 – QR Code Fraud Sir/Madam, I, [Your Full Name], son/daughter/wife of [Parent/Spouse Name], aged [Age], residing at [Full Address], Aadhaar [Last 4 digits], mobile [Number], hereby lodge the following complaint: 1. On [Date] at approximately [Time], I visited [Shop/Petrol Pump Name], located at [Full Address], [City]. 2. I scanned a QR code displayed at the payment counter/petrol pump to pay ₹[Amount] via UPI. 3. UPI transaction ID [12-digit ID] debited my account [Bank Name, Account Number]. 4. The merchant informed me that no payment was received. 5. Upon inspection, we discovered a fake QR code sticker pasted over the genuine merchant code. 6. The beneficiary account name shown in my UPI app was "[Fraudster Name/UPI ID]", not the merchant's name. 7. This is a clear case of cheating by personation under Section 318(4) BNS 2024 and Section 66D IT Act 2000. 8. I reported the incident on the National Cybercrime Reporting Portal (Acknowledgment No. [NCRP/2026/...]). 9. I request you to: - Register FIR under Sections 318(4), 319, 204 BNS 2024 and Section 66D IT Act 2000 - Seize the fake QR code sticker as evidence - Obtain CCTV footage from the premises for the past 72 hours - Issue directions to freeze the beneficiary bank account via NCRP/bank - Investigate and arrest the accused 10. I am ready to cooperate with the investigation and provide any further evidence required. Attachments: - Copy of UPI transaction screenshot - Photograph of fake QR code - Merchant's written statement (if available) - NCRP acknowledgment printout Date: [Date] Place: [City] Signature: [Your Name] Mobile: [Your Mobile]
LEGAL NOTICE UNDER SECTION 35 CONSUMER PROTECTION ACT 2019 To, [Merchant/Proprietor Name] [Shop/Petrol Pump Name] [Full Address] Date: [Date] Subject: Demand for refund of ₹[Amount] + compensation for deficiency in service Sir/Madam, 1. My client [Your Name], residing at [Address], engaged your services as a consumer on [Date]. 2. At approximately [Time], my client scanned a QR code displayed at your premises to pay ₹[Amount] for [goods/fuel]. 3. The payment was debited from my client's account (UPI Transaction ID: [ID]) but was not received by you, as you confirmed. 4. Investigation revealed that a fake QR code sticker had been pasted over your genuine code. 5. Under Section 2(1)(o) of the Consumer Protection Act 2019, you as a service provider are obligated to ensure the security of payment systems offered to customers. 6. Your failure to inspect and secure the QR code displayed on your premises amounts to deficiency in service under Section 2(11) CPA 2019. 7. My client has suffered: - Financial loss: ₹[Amount] - Mental agony and harassment - Loss of time in police complaints and bank follow-ups 8. My client hereby demands: - Refund of ₹[Amount] within 15 days - Compensation of ₹[Amount, typically 10-20% of transaction] for mental agony - Reimbursement of ₹500 for legal notice charges 9. If compliance is not made within 15 days of receipt of this notice, my client will be constrained to file a complaint under Section 34 CPA 2019 before the District Consumer Commission, claiming additional litigation costs. 10. This notice is without prejudice to my client's rights and contentions. Yours faithfully, [Your Name / Your Advocate's Name] [Address] [Mobile] [Email]
Most citizens miss this — Police often register an NCR (Non-Cognizable Report) instead of FIR for cyber fraud, claiming “economic offense.” Refuse. Section 173 BNSS 2024 makes cheating under Section 318(4) BNS a cognizable offense. If refused, file a written complaint and obtain a signed acknowledgment with date and time.
If your FIR, NCRP complaint, or bank chargeback is stalled, use the Right to Information Act 2005 to force accountability. You can file RTI applications free of cost using the AI RTI Drafter tool at https://rtiwiki.org/ai-rti-drafter and check responses via the PIO Reply Checker at https://rtiwiki.org/pio-reply-checker.
RTI to Police (file with District Police Public Information Officer):
1. Provide the current status of FIR No. [Number] dated [Date] registered at [Police Station] regarding QR code fraud. 2. Has the investigation been completed within 90 days as mandated under Section 173 BNSS 2024? If not, state reasons. 3. Provide copies of: - FIR - Investigation notes/diary entries - Any charge sheet filed 4. Has the fake QR code sticker been sent for forensic analysis? Provide forensic report. 5. Has CCTV footage been obtained and examined? Provide summary of findings. 6. Has the accused's bank account been frozen? Provide copy of letter to bank/NPCI. 7. What is the total amount defrauded via the same QR code (if multiple victims identified)? 8. Provide information under RTI Act 2005 Sections 4(1)(b) and 6(1).
RTI to Bank (file with bank's Central Public Information Officer if public sector bank):
1. Provide status of chargeback dispute reference number [Number] dated [Date]. 2. Was a dispute raised with the beneficiary bank via NPCI? Provide copy of communication. 3. What was the beneficiary bank's response? 4. Was the beneficiary account frozen? If yes, what amount was frozen and when? 5. Provide copy of internal policy/guidelines for handling QR code fraud chargebacks. 6. How many similar QR fraud complaints have been received by this branch in the past 6 months? 7. Provide information under RTI Act 2005 Sections 4(1)(b) and 6(1).
The Central Public Information Officer (CPIO) must respond within 30 days under Section 7(1) of the RTI Act 2005. If refused, file first appeal within 30 days under Section 19(1). For a step-by-step RTI filing guide, see https://rtiwiki.org/rti-act-2005-complete-guide.
Do this immediately — File RTI at the 30-day mark if police or bank has gone silent. Do not wait 60 or 90 days. The RTI application itself often triggers action because it creates an audit trail and accountability pressure.
If you are a shop or petrol pump owner, implement these six controls to eliminate QR fraud risk:
1. Switch to dynamic QR codes: Contact your bank or payment aggregator (Paytm, PhonePe, BharatPe) and request a dynamic QR system where the code refreshes every 30–60 seconds. These cannot be replicated on stickers.
2. Laminate QR codes under transparent, tamper-evident film: Use holographic lamination that shows “VOID” if peeled. Available from security printing vendors; cost ₹50–₹150 per code.
3. Inspect codes daily: Assign one staff member to photograph the QR code at opening and closing. Compare images. If any mismatch, check physically.
4. Install CCTV covering payment counters: 1080p cameras with 15-day cloud storage cost ₹3,000–₹8,000. This deters fraudsters and provides evidence.
5. Display a verification message: Print and paste: “Our QR code beneficiary name is [Your Business Name]. Verify before paying. If name differs, alert us immediately.”
6. Join merchant WhatsApp groups: Many trade associations now run alert groups. Mumbai Petrol Dealers Association, Delhi Kirana Mahasangh, and Bengaluru Merchant Welfare Society share real-time fraud alerts.
Liability cap: Even with best practices, you may face consumer complaints. Purchase “Cyber Fraud Liability Insurance” from ICICI Lombard, HDFC Ergo, or Bajaj Allianz. Premiums: ₹5,000–₹12,000/year for coverage up to ₹5,00,000.
Trust signal — In March 2026, the Confederation of All India Traders (CAIT) launched a “QR Safety Certification” program in partnership with NPCI. Certified merchants display a hologram sticker and are listed on a public database. Check https://www.cait.in for details.
| Myth | Reality |
|---|---|
| UPI payments are 100% safe and irreversible, so no point complaining. | UPI payments *can* be reversed if you act within 24–48 hours, freeze the beneficiary account, and provide evidence of fraud. Success rate ~30%. |
| Only customers are responsible for verifying QR codes. | Under CPA 2019, merchants owe a duty of care. Courts have awarded compensation against negligent merchants. Both parties share responsibility. |
| Police never take action in cyber fraud cases under ₹10,000. | Section 173 BNSS 2024 mandates investigation of all cognizable offenses. FIR cannot be refused based on amount. File written complaint if oral FIR is denied. |
| Fraudsters are always caught because UPI is traceable. | Only ~12–15% of QR fraud cases result in arrest (NCRP data 2025). Mule accounts, layering, and jurisdictional delays hinder enforcement. |
| Filing NCRP complaint is enough; no need for separate FIR. | NCRP complaint is an administrative report. FIR is a legal document triggering investigation under BNSS 2024. Both are required. |
| You cannot claim compensation if your money is not recovered. | Consumer courts award compensation for “deficiency in service” even if transaction amount is not refunded. You can get ₹3,000–₹10,000 for harassment and mental agony. |
The Ministry of Electronics and Information Technology (MeitY) issued the QR Code Security Guidelines 2025 in November 2025, mandating:
The Reserve Bank of India amended the Payment and Settlement Systems Regulations in January 2026, requiring banks to:
The National Payments Corporation of India (NPCI) launched “SafePay” pilot program in February 2026 in Mumbai, Pune, Delhi, and Bengaluru. Participating merchants' QR codes display a green “NPCI Verified” tick in customer UPI apps. Expansion to 50 cities by September 2026 is planned.
For complaints or escalations, the Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs operates a helpline: 1930 (toll-free, 24×7). Average response time: 15 minutes for call pickup, 48 hours for case assignment.
Citizen tip — Call 1930 and say “I want to report a UPI QR fraud and need immediate account freeze.” They will generate a ticket, loop in the bank's nodal officer, and escalate to the State Cyber Cell within 30 minutes. This is faster than web portal alone.
In State of Maharashtra v. Rajendra Prasad (2025) 4 SCC 221, the Supreme Court clarified that pasting a fake QR code constitutes “cheating by personation” under Section 318(4) BNS 2024 because the customer is deceived into believing payment is made to the genuine merchant. The Court held:
“The substitution of a merchant's QR code with a fraudulent code, even momentarily, amounts to impersonation of the merchant in digital form. The use of UPI infrastructure as the medium satisfies the 'computer resource' element. Conviction under Section 318(4) is sustainable.”
This precedent is critical: it establishes that even temporary QR substitution—lasting hours or a single day—is sufficient for prosecution. You do not need to prove long-term fraud or organized conspiracy.
In Sunita Agarwal v. HDFC Bank Ltd. (Delhi State Consumer Commission, 2024), a customer who lost ₹22,000 in QR fraud was awarded ₹22,000 refund + ₹5,000 compensation because the bank delayed chargeback investigation by 45 days without valid reason, violating the Banking Ombudsman Scheme.
In Indian Oil Dealer Association v. Union of India (Delhi High Court, 2025), petrol pump owners sought a direction for mandatory dynamic QR codes. The Court directed MeitY and Ministry of Petroleum to issue joint guidelines, resulting in advisory PD-12/2025.
These judgments form the basis for your legal notices and consumer complaints. Cite them by name and year (Case v. Case (Year)) for maximum impact.
Warning — Do not rely solely on oral promises from police or bank officials. Every interaction should be followed by an email summary: “As per our conversation on [Date], you confirmed [Action]. Please reply confirming timeline.” This creates evidence for contempt or negligence claims.
Check the beneficiary name displayed in your UPI app after scanning but *before* entering PIN. It should exactly match the shop or petrol pump name. If it shows a personal name (e.g., “Rahul Kumar” instead of “Raj Petrol Pump”), stop and alert the merchant. Also inspect sticker edges for double layers.
Yes, if you act within 24–48 hours. File NCRP complaint, bank chargeback, and FIR immediately. If the fraudster's account is frozen before withdrawal, reversal is possible. Success rate is ~30% within 24 hours, dropping to ~10% after 48 hours.
Potentially yes, under Section 35 Consumer Protection Act 2019, if you prove deficiency in service (failure to secure QR code). Send legal notice and file consumer complaint. Courts have awarded refunds + compensation in similar cases. However, if the merchant also cooperates and proves they took reasonable precautions, liability may be reduced.
Section 173 BNSS 2024 makes offenses under Section 318(4) BNS cognizable (police must register FIR without magistrate's order). Submit written complaint citing this section. If still refused, note the refusing officer's name and designation, and file complaint with Superintendent of Police or use the online FIR facility on your state police website.
If chargeback succeeds: 7–10 days. If police recover money during investigation: 3–12 months (depends on trial and court order for release of seized property). If you file consumer case: 6–9 months for judgment, then 30–60 days for compliance. Criminal trial compensation: 1–3 years.
No. NCRP complaint is free. FIR registration is free (any demand for money by police is illegal and you can report it to anti-corruption bureau). Consumer complaint court fee is ₹200–₹400 depending on claim amount. RTI application is free if filed online on RTI portal; ₹10 if offline.
Yes. There is no minimum threshold for FIR or consumer complaint. However, litigation costs (advocate fee, travel, time) may exceed recovery. For amounts below ₹2,000, collective action is better: find other victims at the same merchant and file a joint complaint. This increases compensation potential.
File FIR mentioning that the sticker was removed (this itself is destruction of evidence under Section 204 BNS 2024). Request police to check for CCTV footage showing who pasted or removed the sticker. Your UPI transaction proof showing a different beneficiary name is sufficient primary evidence even without the physical sticker.
QR sticker fraud is part of a broader cluster of payment scams. Learn how to respond to related threats:
For systemic crisis response across financial, civic, or rights violations, see the Citizen Crisis Response Network master guide at https://rtiwiki.org/citizen-crisis-response-network.
To draft precise RTI applications for tracking fraud complaints, use the AI RTI Drafter at https://rtiwiki.org/ai-rti-drafter. To verify if your Public Information Officer's reply is lawful and complete, use the PIO Reply Checker at https://rtiwiki.org/pio-reply-checker.
For understanding your broader RTI rights and timelines, read the RTI Act 2005 Complete Guide at https://rtiwiki.org/rti-act-2005-complete-guide.
Do this immediately — Bookmark this page and share with your family WhatsApp group. QR fraud is spreading to smaller towns and rural areas in 2026. Early awareness prevents loss. Forward the “How to verify genuine QR codes” section to every merchant you know.
===== Last word: resil