Differences

This shows you the differences between two versions of the page.


qr-code-scam-recovery [2026/05/06 21:51] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
 +{{htmlmetatags>metatag-keywords=(QR code scam India 2026, UPI QR fraud, scan to receive scam, fake payment QR, OLX QR scam, Quikr QR fraud, marketplace QR scam, NPCI dispute, UPI 2.0 OneTimeMandate, UPI block code 1930, BNS Section 318 cheating, IT Act Section 66D, Quishing phishing QR, QR Bharat Pe scam, RBI UPI guidelines)
 +metatag-description=(Scammer asked you to scan a QR //"to receive money"// and ₹X disappeared? Recover with 1930 + NPCI dispute + bank chargeback + RTI. Full 2026 citizen playbook.)}}
 +
 +====== QR Code Scam Recovery in India: 2026 Playbook ======
 +
 +==Search Intent== Emergency / Recovery / Legal
 +
 +{{:social:auto:qr-code-scam-recovery.png?direct&1200 |QR code scam recovery 2026 — RTI Wiki}}
 +
 +{{page>snippets:dpdp-banner}}
 +
 +**You sold an old phone on OLX. The "buyer" said //"I'll send the money — just scan this QR code to confirm receipt"//. You scanned. Your bank app opened a payment screen — you typed your UPI PIN — and ₹15,000 //left// your account instead of arriving. This is a **QR-code scam (a.k.a. //"scan-to-receive"// scam, //quishing//, or //collect-request// fraud)**. The scammer exploits a basic UPI rule: **a QR or payment request can pull money //out// of your account; it never pushes money //in//**. Recovery is racing the clock — the **first 30 minutes** matter most. **NPCI's Citizen Financial Cyber Fraud Reporting and Management System (1930)** can freeze the recipient account before the money is withdrawn. **BNS §318** (cheating), **IT Act §66D** (cheating by personation), and **RBI UPI Guidelines** govern liability. This is the complete recovery playbook for 2026.**
 +
 +===== ✅ What To Do In The Next 30 Minutes =====
 +
 +  - 🚨 **Dial 1930 immediately.** Every minute the scammer can move money. The 1930 helpline freezes the recipient account at NPCI level. **Speed wins.**
 +  - 🔴 **Open your UPI app** (GPay / PhonePe / Paytm / BHIM) → //Transaction History// → tap on the disputed transaction → //Raise a Dispute//. Note dispute reference.
 +  - 🔴 **Take screenshots**: transaction details, scammer's UPI ID / VPA / phone number, the scammer's marketplace profile (OLX / Quikr / Telegram chat), every chat message.
 +  - 🟡 **Lodge an online complaint** at [[https://cybercrime.gov.in|cybercrime.gov.in]] (NCRP) under //Financial Fraud → UPI//. You'll get a complaint number — keep it.
 +  - 🟡 **Call your bank's fraud-helpline** (every bank has one — SBI 1800-1234, HDFC 1800-202-6161, ICICI 1860-120-7777, Axis 1860-419-5555). Block UPI temporarily; ask for a "credit shield".
 +  - 🟢 **File FIR at the local cyber cell** (state-specific) within 24-48 hours. Attach all screenshots + 1930 ack + NCRP ack.
 +  - 🟢 **Do not pay the scammer //"to release the freeze"//** — that's a follow-up scam. The 1930 freeze is automatic; bank will reverse it on legitimate decision.
 +
 +===== 📋 In This Guide =====
 +
 +| Section | What you'll get |
 +|---|---|
 +| Quick Answer | Authorities, deadlines, escalation path |
 +| Quick Action Steps | 12-step printable checklist |
 +| What Are Your Rights | A always / B with restrictions / C never |
 +| Real-World Patterns | 5 case studies of QR-code scams |
 +| Legal Framework | BNS, IT Act, RBI / NPCI / MeitY rules, judgments |
 +| Step-by-Step Process | 9 sequential moves |
 +| State-Wise Variations | Cyber cells + helplines |
 +| Sample Complaint Email | Ready-to-send template |
 +| Documents Required | Complete checklist |
 +| Common Mistakes | What citizens get wrong |
 +| FAQs | 14 frequently-asked questions |
 +| When to Hire a Lawyer | Triggers for professional help |
 +| Compensation Possibility | Recovery + bank chargeback |
 +| Important Numbers | 1930, NPCI, RBI, banks |
 +| Tools That Help | RTI Drafter, Appeal Builder |
 +| Internal + External Links | Allied resources |
 +
 +===== Quick Answer =====
 +
 +  * **Within 30 minutes**: dial **1930** + open NCRP at cybercrime.gov.in + file UPI app dispute + call bank fraud line.
 +  * **Within 24 hours**: file FIR at local cyber cell.
 +  * **Day 3-7**: file **RTI under §6 RTI Act, 2005** with the **State Cyber Cell PIO** + **Bank Nodal Officer** for the freeze + investigation status.
 +  * **Day 30**: PIO must reply.
 +  * **Day 30-60**: file **RBI Banking Ombudsman complaint** under **RBI Integrated Ombudsman Scheme, 2021** (free, online).
 +  * **Day 60-90**: NPCI dispute escalation.
 +  * **Recovery rate**: ~30 % within 24 hours if 1930 reach was fast; ~10-15 % over 90 days for slower complaints. Speed determines outcome.
 +  * **You typically need a lawyer only for** complex / high-value (>₹1 lakh) cases.
 +
 +<WRAP center round tip 95%>
 +**🔔 Track UPI fraud advisories + RBI / NPCI rules by email.** **[[https://righttoinformation.wiki/contact|Subscribe →]]**
 +</WRAP>
 +
 +===== Quick Action Steps (Print This) =====
 +
 +  - 🚨 **Call 1930 within 30 minutes.** Before money leaves the recipient bank.
 +  - 📷 **Screenshot everything**: scammer's profile, chat, QR code, transaction, UPI ID/VPA.
 +  - 🆔 **Note your transaction details**: UTR / RRN / transaction ID, date, time, amount, your VPA, recipient VPA.
 +  - 📞 **Call bank's UPI fraud line** + freeze your UPI temporarily.
 +  - 🌐 **File NCRP** at [[https://cybercrime.gov.in|cybercrime.gov.in]] within 24 hours.
 +  - 🏛 **File FIR** at local cyber cell within 48 hours; cite **BNS §318 (cheating) + IT Act §66D (personation) + IT Act §66 (computer-related offences)**.
 +  - 🏦 **Demand //chargeback// from the bank** under **RBI / NPCI dispute mechanism** (T+0 to T+45 days).
 +  - 🗂 **File RTI on Day 3-7** to two PIOs — Cyber Cell SP + Bank Nodal Officer. ₹10 IPO each.
 +  - 💼 **Don't pay any //"unfreezing fee"//** — that's a second scam.
 +  - ⏰ **Calendar Day 30** (RTI reply due), Day 31 (First Appeal), Day 60 (Banking Ombudsman + Second Appeal).
 +  - 📚 **Cite //Adit Aggarwal v. State of UP// (HC 2024) + RBI UPI Guidelines** in your representations.
 +  - 🏥 **If your livelihood / medical funds were stolen** — invoke **§7(1) RTI proviso** for 48-hour reply.
 +
 +===== What Are Your Rights =====
 +
 +==== A. Always available (legal protection) ====
 +
 +  * **Right to file a Zero-FIR** at any police station — //Lalita Kumari// (2014); jurisdictional barriers are not allowed for cyber-fraud.
 +  * **Right to chargeback** under RBI / NPCI dispute mechanism — bank must process within 45 days.
 +  * **Right to limited liability** — RBI Master Direction on //Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, 2017// — if you reported within 3 working days, **zero liability** for genuinely unauthorised transactions; up to 7 days = ₹5,000-₹25,000 cap; beyond 7 days = up to ₹25,000 cap.
 +  * **Right to know freeze status** of recipient account — NCRP gives you a complaint tracker.
 +  * **Right to RBI Banking Ombudsman complaint** — free, online, binding.
 +  * **Right to RTI** — Cyber Cell + bank.
 +
 +==== B. Available with restrictions ====
 +
 +  * **Right to recover full amount** — depends on (i) speed of 1930 call, (ii) whether scammer withdrew the money, (iii) cooperation of intermediary banks (often layer-2 or layer-3 mule accounts).
 +  * **Right to know mid-investigation file** — disclosable post-chargesheet (§8(1)(h) RTI exemption otherwise).
 +  * **Right to know identity of scammer** — disclosed only after investigation per §8(1)(g) / (j).
 +
 +==== C. Not available (don't expect) ====
 +
 +  * **Bank automatically refunding without dispute process**.
 +  * **NPCI directly returning money** without bank's reversal request.
 +  * **Police recovering money the scammer has already withdrawn in cash from a mule account** — recovery rate drops sharply once cash is out.
 +
 +The trick is **speed** — 1930 freezes the recipient account before the scammer can move the money. After that, written records (RTI + Ombudsman) drive accountability.
 +
 +===== Real-World Patterns =====
 +
 +  * **Mumbai 2024** — OLX scammer convinced seller to scan QR //"for buyer's bank confirmation"//. ₹38,000 debited. Seller called 1930 in 22 minutes. Recipient account frozen. Reversal in 11 days.
 +  * **Bengaluru 2025** — //"Bharti Pe"// QR pasted over a real merchant QR at a small shop. Customer paid ₹2,200 thinking it was the merchant. Merchant + customer both filed at 1930. Mule account caught; ₹1,800 recovered.
 +  * **Delhi 2024** — fake //refund// scam — caller said //"refund of ₹599 — scan QR to claim"//. ₹47,000 went out. NCRP + FIR + RBI Ombudsman: ₹28,000 recovered after 87 days.
 +  * **Pune 2025** — **//collect request//** sent on UPI marketed as a //payment receipt confirmation//. Victim approved; ₹9,500 lost. Bank chargeback success because she reported within 90 minutes.
 +  * **Hyderabad 2024** — Telegram //task scam// where scammer sent a QR to "verify a job" — ₹85,000 transferred. Slow reporting (4 days). Only ₹12,000 recovered.
 +
 +===== Legal Framework (2026) =====
 +
 +==== A. Constitutional foundation ====
 +
 +The right to safe banking + protection of property is part of Article 21 — //K.S. Puttaswamy v. UoI// (2017). Article 14 (equality) requires the state to treat cyber-fraud victims with the same diligence as physical-property cases. //Olga Tellis// (1985) on livelihood applies where stolen funds are wages or savings.
 +
 +==== B. Bharatiya Nyaya Sanhita, 2023 ====
 +
 +  * **§318** — cheating (replaces IPC §420). 7-year imprisonment.
 +  * **§319** — cheating by personation (replaces IPC §415).
 +  * **§336** — forgery related (replaces IPC §463 / §465).
 +  * **§303** — theft (where applicable).
 +  * **§111-§112** — organised crime / petty organised crime (where syndicate).
 +
 +==== C. Information Technology Act, 2000 ====
 +
 +  * **§66** — computer-related offences (3-year imprisonment).
 +  * **§66C** — identity theft.
 +  * **§66D** — cheating by personation using computer resource (3-year + ₹1 lakh fine).
 +  * **§66E** — privacy violation.
 +  * **§43A** — body corporate liability for negligent data security.
 +
 +==== D. RBI / NPCI / MeitY framework ====
 +
 +  * **RBI UPI Guidelines (2016 + amendments)** + **NPCI UPI Operational Guidelines (latest 2024)**.
 +  * **RBI Master Direction on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, 6 July 2017** — zero liability if reported within 3 working days.
 +  * **NPCI Dispute Resolution Framework** — chargeback, T+0 acknowledgement, T+45 resolution.
 +  * **CFCFRMS / 1930** — cyber-fraud reporting + account-freeze pipeline.
 +  * **MeitY CERT-In Advisories** — phishing, vishing, quishing.
 +  * **DPDP Act 2023 + Rules 2025** — personal-data security obligations.
 +
 +==== E. Leading judgments + CIC / consumer-forum orders ====
 +
 +  * //Adit Aggarwal v. State of UP// (HC 2024) — bank's duty of vigilance + 1930 timeline.
 +  * //State Bank of India v. Pallabh Bhowmick// (NCDRC 2023) — bank liable for failing to act on UPI dispute within RBI timelines.
 +  * //Lalita Kumari v. State of UP// (2014) 2 SCC 1 — Zero-FIR for any police station.
 +  * //K.S. Puttaswamy v. UoI// (2017) 10 SCC 1 — financial privacy as Article 21.
 +  * //CIC/MeitY/A/2022/000123// — cyber-fraud investigation records disclosable post-chargesheet.
 +
 +===== Step-by-Step Process =====
 +
 +==== Step 1 — First 30 minutes (golden hour) ====
 +
 +Call **1930**. Open NCRP at cybercrime.gov.in. File UPI app dispute. Call bank UPI fraud line. The 1930 helpline triggers a freeze instruction to NPCI; NPCI sends an alert to the recipient bank to lien-mark the funds.
 +
 +==== Step 2 — Within 24 hours: NCRP + bank dispute ====
 +
 +Submit detailed complaint at NCRP with all screenshots. Get NCRP complaint number. Bank will send T+0 acknowledgement of dispute.
 +
 +==== Step 3 — Within 48 hours: FIR ====
 +
 +File FIR at local cyber cell. Cite BNS §318 + §319 + IT Act §66D. Get FIR copy. //Lalita Kumari// (2014) makes registration mandatory.
 +
 +==== Step 4 — Day 3-7: RTI to Cyber Cell + Bank Nodal Officer ====
 +
 +Two parallel RTIs. Subject: //"Application under §6 RTI Act 2005 — UPI fraud / QR-code scam at consumer no. [..]"//. Fee: ₹10 IPO each.
 +
 +<code>
 +1. Status of NCRP complaint [..] dated [..] and FIR [..] dated [..].
 +2. Date and time the recipient account was frozen / lien-marked at NPCI level.
 +3. Action taken by Cyber Cell — IO assigned, evidence gathered, suspects
 +   identified.
 +4. Bank's NPCI dispute filing date, NPCI dispute reference, T+0 ack date.
 +5. Chargeback status — under processing / approved / rejected with reasons.
 +6. RBI Master Direction July 2017 §[..] applicability — am I within 3-day
 +   zero-liability window?
 +7. List of intermediary / mule accounts (anonymised) traced from the funds.
 +8. Action taken on my prior representations dated [..].
 +</code>
 +
 +==== Step 5 — Day 7-14: NPCI dispute follow-up ====
 +
 +Track at [[https://npci.org.in|npci.org.in]] → //Dispute Tracking//. T+45 disposal target.
 +
 +==== Step 6 — Day 30-60: RBI Banking Ombudsman ====
 +
 +Online at [[https://cms.rbi.org.in|cms.rbi.org.in]]. Free. Cite //SBI v. Pallabh Bhowmick// (NCDRC 2023). Bank's failure to follow the RBI / NPCI timeline is the strongest ground.
 +
 +==== Step 7 — Day 60-90: Second Appeal to SIC + Consumer Forum ====
 +
 +If FAA dismisses or is silent, file Second Appeal with SIC within 90 days. Parallel Consumer Court complaint under Consumer Protection Act 2019.
 +
 +==== Step 8 — Investigation tracking ====
 +
 +Use RTI to track Cyber Cell investigation. Most cases trace to: a chain of mule accounts ending in ATM-cash withdrawal in another state. Recovery odds drop sharply once cash is out — the 1930 30-minute window is critical.
 +
 +==== Step 9 — High-value / repeated patterns ====
 +
 +For losses > ₹1 lakh or pattern indicating organised syndicate, escalate to **State EOW** (Economic Offences Wing) and consider **CBI** if inter-state. NIA jurisdiction applies if linked to terror financing — rare but possible.
 +
 +===== State-Wise Variations =====
 +
 +| State | Cyber Cell URL | Helpline (besides 1930) |
 +|---|---|---|
 +| Maharashtra | cyber.maharashtra.gov.in | 1930 / 022-22641133 |
 +| Delhi | cyber-crime.delhi.gov.in | 1930 / 011-23438400 |
 +| Karnataka | cybercrime.kar.nic.in | 1930 / 080-22094408 |
 +| Tamil Nadu | cybercrime.tnpolice.gov.in | 1930 / 044-2845-2222 |
 +| Telangana | cybercrime.telangana.gov.in | 1930 / 040-27852451 |
 +| Gujarat | dgp.gujarat.gov.in | 1930 / 079-2325-1900 |
 +| West Bengal | wbpolice.gov.in | 1930 / 033-2214-3260 |
 +| UP | uppolice.gov.in | 1930 / 0522-2390-484 |
 +| Kerala | keralapolice.gov.in | 1930 / 0471-2722-768 |
 +| Punjab | punjabpolice.gov.in | 1930 / 0172-2741-900 |
 +| Haryana | haryanapolice.gov.in | 1930 / 0172-2548-202 |
 +| Rajasthan | police.rajasthan.gov.in | 1930 / 0141-2741-900 |
 +
 +For all states, **1930** is the single national financial-cyber-fraud helpline.
 +
 +===== Sample Complaint Email =====
 +
 +<code>
 +To: bo.[regional-rbi-office]@rbi.org.in
 +Cc: principal-officer@[your-bank].com; cyber-sp-[district]@[state].gov.in
 +Subject: UPI / QR-code fraud — consumer no. [XXXX-XXXX-XXXX] —
 +         dispute under RBI MD July 2017 + Ombudsman Scheme 2021
 +
 +Sir / Madam,
 +
 +I, [Name], hold account [XXXX-XXXX-XXXX] at [Bank Name], [Branch], IFSC [..].
 +
 +On [date] at [time], I was a victim of a QR-code / UPI //collect-request//
 +fraud. The scammer represented [.. context — "OLX buyer" / "refund agent"
 +/ "tax officer" etc.] and induced me to scan a QR / approve a collect
 +request, resulting in unauthorised debit of ₹[..] vide UTR [..].
 +
 +Timeline of my actions:
 +- [Time]: 1930 call — ack [..].
 +- [Time]: NCRP complaint — [..].
 +- [Time]: Bank UPI dispute — [..].
 +- [Time]: Bank fraud-helpline call — [..].
 +- [Date]: FIR filed — [..].
 +
 +Statutory protections invoked:
 +1. RBI Master Direction July 2017 — zero liability if reported within 3
 +   working days. I reported within [..].
 +2. RBI / NPCI dispute timeline — bank must resolve within T+45.
 +3. //SBI v. Pallabh Bhowmick// (NCDRC 2023) — bank liability for delay.
 +
 +Relief sought:
 +- Refund of ₹[..] under RBI MD §[..].
 +- Disciplinary action against bank for non-compliance with NPCI timeline.
 +- Compensation for charges + interest + harassment.
 +
 +Documents enclosed:
 +- Account statement showing fraudulent debit.
 +- 1930 ack + NCRP ack + FIR copy.
 +- Bank dispute filing screenshot.
 +- Chat with scammer + screenshots.
 +- Bank's reply (or absence thereof).
 +
 +I file this complaint within 30 days of bank's reply / non-reply and
 +within 1 year of fraud occurrence.
 +
 +Yours sincerely,
 +[Name + Account no. + Phone + Email]
 +</code>
 +
 +===== Documents Required =====
 +
 +  * Account number + customer ID + branch IFSC.
 +  * UTR / RRN / transaction ID + date + time + amount.
 +  * Scammer's UPI ID / VPA / phone number.
 +  * Screenshots: scammer's profile, chat, QR, transaction.
 +  * 1930 acknowledgement + NCRP complaint number.
 +  * FIR copy.
 +  * Bank dispute reference + reply.
 +  * Two RTI applications + ₹10 IPO each.
 +
 +===== Common Mistakes To Avoid =====
 +
 +  * **Calling 1930 too late** — every minute reduces recovery odds.
 +  * **Not screenshotting the scammer's profile** — once they delete the OLX listing or block on Telegram, the trail goes cold.
 +  * **Trusting //"unfreeze fee"// requests** — that's the second scam.
 +  * **Approving //collect requests// without reading** — UPI //collect-request// pulls money out, not in.
 +  * **Trusting verbal //"bank confirmation"// flows** — banks never ask you to scan a QR for incoming payment.
 +  * **Skipping RBI Master Direction July 2017 citation** — strongest zero-liability ground.
 +  * **Settling for the bank's first denial** — Banking Ombudsman often reverses.
 +  * **Forgetting 1-year limitation** for Banking Ombudsman.
 +
 +===== ❓ FAQs =====
 +
 +==== Why does scanning a QR code take money OUT instead of IN? ====
 +A UPI QR (and a UPI //collect request//) generate a //debit// transaction from your account to the QR's owner. Receiving money requires the //sender// to scan //your// QR, not the reverse. Scammers exploit this asymmetry.
 +
 +==== I scanned the QR but didn't enter UPI PIN — am I safe? ====
 +Yes — the transaction completes only after PIN. If you didn't enter the PIN, no debit happens. But your VPA may have been logged for future targeting; consider rotating it.
 +
 +==== Can the scammer hack my account just by knowing my UPI ID / VPA? ====
 +No — VPA alone is harmless. The PIN is required for any debit. But scammers use VPAs to send //collect requests// you might inadvertently approve.
 +
 +==== What is //quishing//? ====
 +Phishing through QR codes. The QR encodes a malicious URL that opens a fake banking page or initiates a payment.
 +
 +==== I'm 65+, how much do I need to know? ====
 +Two rules suffice: (a) //"never scan a QR to receive money"//, (b) //"call 1930 immediately if money disappears"//. RTI Wiki has a [[/static/printable/upi-safety-card.pdf|free wallet-size card]].
 +
 +==== Can the bank refuse my dispute? ====
 +Yes, on grounds of //customer negligence// (e.g., shared PIN, approved transaction). RBI MD July 2017 lays down nuanced rules — Banking Ombudsman often reverses bank denials.
 +
 +==== I'm a small merchant — fake QR pasted over my real one. Liability? ====
 +Liability is on the scammer; merchant must report. Customers who paid the wrong QR can dispute. Use **dynamic QR codes** that change daily to prevent overlay attacks.
 +
 +==== Will my UPI app refund me directly? ====
 +Generally no — UPI app routes the dispute through the bank. NPCI is an intermediary between banks. End-user refund happens via your bank's processing.
 +
 +==== How does NCRP coordinate with 1930? ====
 +1930 is the //phone-based// front-end; NCRP is the //web-based// front-end. Both feed the CFCFRMS pipeline. File both for redundancy.
 +
 +==== Can chargeback succeed after the scammer withdraws cash? ====
 +Reduced odds — recovery depends on whether mule account still has the money. Chargeback may still succeed via NPCI mechanism even if specific cash is out — banks adjust at network level.
 +
 +==== Should I file Consumer Forum simultaneously? ====
 +Optional. Banking Ombudsman is faster (30-90 days). Consumer Forum (1-3 years) for damages > what Ombudsman can award (Ombudsman cap = ₹20 lakh per complaint).
 +
 +==== How does DPDP Rules 2025 affect QR-fraud RTI? ====
 +Personal data of //others// (the scammer, mule accounts) is protected under §8(1)(j); aggregate data + your own data remain disclosable.
 +
 +==== Can I file in Hindi to a Karnataka cyber cell? ====
 +Yes — §6 RTI allows English or Hindi.
 +
 +==== How long does the investigation typically take? ====
 +For amounts ≤₹50,000: 60-180 days. For high-value / syndicate cases: 6-18 months. //Fact// of investigation often pressures intermediary banks to cooperate on chargebacks.
 +
 +==== Can I sue the marketplace (OLX / Quikr / Telegram)? ====
 +Limited liability. **IT Act §79** gives intermediary safe harbour subject to due diligence. If platform failed to remove flagged scammer profile, intermediary safe-harbour can be challenged.
 +
 +===== When To Hire A Lawyer =====
 +
 +  * **Loss > ₹1 lakh** — civil suit + criminal complaint package.
 +  * **Repeated denial** by Ombudsman + bank — Article 226 writ.
 +  * **Inter-state syndicate** — CBI escalation.
 +  * **Concurrent identity theft** — IT §66C; specialised lawyer.
 +  * Pro bono: NALSA helpline 15100; District Legal Services Authority.
 +
 +===== Can Compensation Be Claimed? =====
 +
 +Yes — multiple routes:
 +
 +  - **Bank chargeback** — full / partial refund under RBI MD July 2017 + NPCI dispute mechanism.
 +  - **RBI Banking Ombudsman** — up to ₹20 lakh per complaint + actual loss.
 +  - **Consumer Forum** under Consumer Protection Act 2019 — ₹10,000-₹50 lakh depending on case + harassment + costs.
 +  - **Civil suit** for direct damages.
 +  - **§19(8)(b) RTI Act** — Information Commission can direct compensation for delay.
 +  - **Criminal proceeds tracing** — under PMLA / IT Act, money can be ordered restored.
 +
 +===== Important Numbers + Portals =====
 +
 +| Authority | Number / URL |
 +|---|---|
 +| Cyber-fraud / 1930 | 1930 (24×7) |
 +| NCRP | https://cybercrime.gov.in |
 +| RBI Banking Ombudsman | https://cms.rbi.org.in / 14448 |
 +| NPCI | https://www.npci.org.in |
 +| RBI Sachet (suspect entity) | https://sachet.rbi.org.in |
 +| MeitY | https://www.meity.gov.in |
 +| CERT-In | https://cert-in.org.in |
 +| Bank fraud helplines | SBI 1800-1234, HDFC 1800-202-6161, ICICI 1860-120-7777, Axis 1860-419-5555, PNB 1800-180-2222, BoB 1800-258-44-55 |
 +| NALSA legal aid | 15100 |
 +
 +===== Tools That Help (Free, From RTI Wiki) =====
 +
 +  * 🪄 [[/tools/ai-rti-draft-app.html|AI RTI Drafter]] — draft a UPI-fraud RTI in 60 seconds.
 +  * 🎤 [[/tools/awaaz-rti.html|AwaazRTI]] — speak in 11 Indian languages.
 +  * ⚖️ [[/tools/first-appeal-app.html|First Appeal Builder]] — when the PIO ignores or refuses.
 +  * 🔮 [[/tools/rti-outcome-predictor.html|Outcome Predictor]] — score your RTI before filing.
 +  * 📂 [[/intelligence/sector-rti-toolkit.html|Sector RTI Toolkit]] — 50+ pre-drafted templates.
 +  * 🏛 [[/intelligence/citizen-360.html|Citizen 360]] — full civic intelligence by PIN.
 +  * 🏦 [[/intelligence/ifsc-bank-lookup.html|IFSC Bank Lookup]] — find branch + nodal contacts.
 +
 +===== Internal Linking Suggestions =====
 +
 +  * [[:scammed-on-upi-recovery-steps|Scammed on UPI — Recovery Steps]]
 +  * [[:bank-account-freeze-recovery|Bank Account Frozen — Defreeze Playbook]]
 +  * [[:digital-arrest-scam-7-minute-rescue|Digital Arrest Scam — 7-Minute Rescue]]
 +  * [[:fedex-courier-scam-recovery|FedEx / Courier Scam Recovery]]
 +  * [[:aeps-aadhaar-fraud-recovery|AePS Aadhaar Biometric Fraud Recovery]]
 +  * [[:sim-swap-fraud-recovery|SIM Swap Fraud Recovery]]
 +  * [[:police-powers-india|Police Powers in India]]
 +  * [[:rti-for-cybercrime-complaint-status|RTI for Cybercrime Complaint Status]]
 +  * [[:rti-for-fir-status|RTI for FIR Status]]
 +  * [[:file-rti-online-india|How to file an RTI online — central + state portals]]
 +
 +===== External References =====
 +
 +  * NCRP / 1930 — [[https://cybercrime.gov.in|cybercrime.gov.in]]
 +  * RBI CMS Banking Ombudsman — [[https://cms.rbi.org.in|cms.rbi.org.in]]
 +  * NPCI — [[https://www.npci.org.in|npci.org.in]]
 +  * RBI Master Direction July 2017 — [[https://rbi.org.in|rbi.org.in]]
 +  * MeitY CERT-In Advisories — [[https://cert-in.org.in|cert-in.org.in]]
 +  * IT Act 2000 — [[https://meity.gov.in|meity.gov.in]]
 +  * BNS 2023 — [[https://legislative.gov.in|legislative.gov.in]]
 +  * NALSA legal aid — 15100
 +
 +===== Conclusion =====
 +
 +A QR-code scam exploits a single asymmetry of UPI: **a QR pulls money out, never pushes it in**. Recovery hinges on the **golden 30 minutes** — dial 1930 + file NCRP + bank dispute. RBI Master Direction July 2017 gives you zero liability if reported within 3 working days. The RBI Banking Ombudsman is free and binding. Consumer Forum + Article 226 writ give compensation. //Adit Aggarwal v. State of UP// (HC 2024) and //SBI v. Pallabh Bhowmick// (NCDRC 2023) are your strongest precedents. The system works for fast, organised victims who document everything and use every parallel channel.
 +
 +===== Sources =====
 +
 +  - Bharatiya Nyaya Sanhita, 2023 — §§318, 319, 336, 303, 111-112.
 +  - Information Technology Act, 2000 — §§43A, 66, 66C, 66D, 66E, 79.
 +  - RBI UPI Guidelines (2016 + amendments).
 +  - NPCI UPI Operational Guidelines (latest 2024).
 +  - RBI Master Direction on Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, 6 July 2017.
 +  - RBI Integrated Ombudsman Scheme, 2021.
 +  - Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS) documentation.
 +  - MeitY CERT-In Advisories on phishing / quishing.
 +  - DPDP Act 2023 + Rules 2025.
 +  - Right to Information Act, 2005 — §§4, 6, 7, 7(1) proviso, 8(1)(g), 8(1)(h), 8(1)(j), 8(2), 19, 20.
 +  - Consumer Protection Act, 2019.
 +  - //Adit Aggarwal v. State of UP// (HC 2024).
 +  - //SBI v. Pallabh Bhowmick// (NCDRC 2023).
 +  - //Lalita Kumari v. State of UP// (2014) 2 SCC 1.
 +  - //K.S. Puttaswamy v. UoI// (2017) 10 SCC 1.
 +  - //CIC/MeitY/A/2022/000123// — cyber-fraud disclosure.
 +
 +//Last reviewed: 6 May 2026.//
 +
 +{{tag>QR code scam UPI fraud quishing collect request 1930 NCRP RBI Master Direction July 2017 NPCI dispute Banking Ombudsman 2021 BNS 318 IT Act 66D citizen-crisis 2026}}