QR Code Scam at Shops, Temples, Parking, Events: Verify First

A QR code scam is a payment fraud where a stranger replaces or overlays the genuine merchant QR with their own, so your UPI payment goes to a mule account instead of the shop, temple, or parking operator. The fraud works because most of us never read the payee name on the screen, just type the amount and hit Pay. In India in 2026, the National Crime Records Bureau and state cyber cells together log thousands of these complaints every month, and the average loss is between ₹500 and ₹50,000, small enough that most people never bother to chase the money.

I learned this the painful way at a small temple in my own district. I scanned the QR taped on a tree near the donation box, paid ₹501, and walked away. Three weeks later the priest told me the temple had not received a single online donation in two months because someone had pasted a sticker over their real Bharat QR. By then the receiving account had been frozen by the bank, but my money was already gone. That is the day I started reading the payee name before every single payment, and I have not lost a rupee to a QR swap since.

This guide is the playbook I wish I had that evening. It covers six common variants of the scam, a 30-minute action plan if you have already paid, the evidence you must save in the first hour, the official complaint route through 1930 and NCRP, when to push the local police under the Bharatiya Nyaya Sanhita (BNS) 2024, a ready-to-use sample complaint, ten of the questions readers ask me most often, and the internal and external links you can verify yourself.

The cleanest version of the fraud. A scammer prints a sticker the same size as the merchant QR, walks in pretending to be a customer, and pastes their code on top of the real one. The shopkeeper rarely notices because the merchant QR usually sits behind a counter, on a wall, or on a fuel-pump pillar that nobody inspects daily. Petrol pumps are the worst affected because attendants are busy, queues are long, and customers want to leave fast.

Donation QR codes are printed and stuck around the donation box, on pillars, on collection plates, even on flowers and prasad counters. Devotees in a hurry scan the closest one. A real temple QR is almost always a Bharat QR or a verified UPI ID printed by the trust on a laminated board with the temple seal. A loose sticker on a tree is a warning sign.

The parking-fee scam works on speed. You roll up to the boom barrier, the attendant points at a printed QR, you pay, you leave. If a sticker has been pasted on top, the operator never sees the payment land, you get waved through anyway because the queue is honking, and the fraud is invisible until end-of-shift reconciliation.

Concerts, exhibitions, marathons, and travelling fairs are gold mines for QR fraudsers. The counter is temporary, the staff are new, and a freshly printed fake QR fits right in. The same trick happens at pop-up food stalls, festival book fairs, and registration desks of small conferences.

Here the fraudster is the customer, not the merchant. They hand over a screenshot of a successful UPI payment, pocket the goods, and walk away before the shopkeeper checks the bank SMS. The screenshot is either edited or shows a payment to a different account. Small shopkeepers, vegetable vendors, and street-food sellers lose lakhs every year to this version.

Charity drives, refund offers, and event bookings come through WhatsApp with a QR image attached. The image is a real QR, just pointing at the wrong account. Because the message arrives from someone you trust who themselves received it as a forward, the chain of trust feels intact even though no one has verified the source.

1. Tap the QR, do not just scan-and-pay. Every UPI app shows the payee name on the next screen. Read it.
2. Match the name to the shop or cause. Petrol pump payee should be the pump dealer firm name. Temple payee should be the trust name. Parking payee should be the operator brand. Event payee should be the organiser.
3. Reject vague payee names like “Merchant”, “Shop”, a personal first name, or a generic firm with no place identifier.
4. Cross-check the UPI ID if visible. A real petrol pump usually has a `@hdfcbank` or `@sbi` style handle tied to the dealer. A random `@ybl` or `@paytm` handle attached to a personal name at a fuel pump is suspicious.
5. Look for sticker tampering - corners lifting, bubbles, a second QR layer underneath, a mismatched print quality, a sticker that hides the original printed name plate.
6. Ask the shopkeeper to confirm the name you see on your screen before you press Pay. If they hesitate or shrug, pay cash.
7. Cap your first payment to a new merchant at ₹1. If it lands in the right account, send the rest. Most UPI apps allow a ₹1 test.
8. For temples and donations, prefer the temple's own website, the state endowments department portal, or a national platform with verified receipts.
9. For parking, prefer the boom barrier's machine QR or the official operator app rather than a loose printed sticker.
10. Trust the small voice that says “this feels off”. Stop. Refresh. Use cash. The ₹50 you might overpay in cash is cheaper than a ₹5,000 mule transfer.

The first 30 minutes after you realise the payment went to the wrong account are the most valuable window you have. Banks can place a lien on the recipient account if they receive the dispute request before the fraudster has cashed out, and the RBI's three-day reporting rule protects you from liability if you act fast.

1. Open your UPI app and check the transaction status. Note the UTR or RRN number (12-digit reference), the payee VPA, the payee name shown, the amount, and the timestamp.
2. Take a screenshot of the success page. Then take a second screenshot of the bank SMS with the same UTR.
3. Do not delete the UPI app, the SMS, or the screenshot, even if your first reflex is panic.
4. If you used more than one bank account today, check all of them to confirm only this one transaction is affected.

The Indian Cyber Crime Coordination Centre helpline is the fastest route to a bank-level freeze on the recipient account.

1. Dial 1930 from the registered mobile number of the bank account that was debited.
2. Have ready: the UTR, the amount, the payee VPA, the time of payment, the location where you scanned the QR, and a one-line description of the scam.
3. The operator will create a complaint ID. Write it down. Without this number you cannot escalate later.
4. Ask the operator to immediately flag the recipient VPA for a bank-level lien.
5. Our 1930 cyber fraud helpline: the exact 7-minute script page has the word-for-word script you can read out so you do not freeze under pressure.

1. Open cybercrime.gov.in, the National Cyber Crime Reporting Portal.
2. Choose “Report Financial Fraud” and select UPI as the channel.
3. Upload both screenshots, the bank SMS image, the 1930 complaint ID, and a photo of the QR location if you can still go back.
4. You will get an acknowledgement number by email and SMS. Save this carefully - our NCRP acknowledgement and bank lien decoded, citizen guide 2026 guide explains what each status code means and when to escalate.

1. Email the bank's official fraud-reporting address (printed on the back of every debit card and on the bank's website) with: customer ID, account number, UTR, amount, payee VPA, the 1930 complaint ID, and the NCRP acknowledgement.
2. Subject line should literally read: “Unauthorised UPI transaction - request for chargeback and lien - UTR XXXXXXXXXXXX.”
3. Copy the bank's grievance officer and nodal officer.
4. This email is your timestamped proof that you reported within the 3-day window of the RBI Customer Liability Circular DBR.No.Leg.BC.78/2017-18, which makes you zero-liable when the fraud is third-party and you have reported promptly.
5. See Golden-hour zero liability: the exact RBI math for cyber fraud for the exact RBI language banks must honour.

1. Visit your bank branch within 24 hours and hand over a printed copy of the same email with a stamped acknowledgement.
2. File a written complaint at the local police station or the nearest cyber cell if the loss is above ₹10,000 or if you want a formal FIR for insurance or employer reimbursement.
3. For larger losses or repeat offenders, push for invocation of BNS §318 (cheating) and §336 (forgery for purpose of cheating) along with IT Act §66C (identity theft) and §66D (cheating by personation through computer resource).

1. Screenshot of the UPI success page (showing UTR, payee name, payee VPA, amount, time)
2. Screenshot of the bank SMS for the same UTR
3. Photo of the QR sticker at the location, ideally with the surrounding signage in the frame
4. Photo of the shop, temple board, parking gate, or event counter for context
5. 1930 complaint ID (SMS or call-end screenshot)
6. NCRP acknowledgement number (PDF download from the portal)
7. Email to bank fraud-reporting address with delivery receipt
8. Bank branch acknowledgement stamp on the printed email
9. Police or cyber-cell DD entry number, or FIR copy if registered
10. Reply from the bank within 90 days under RBI grievance rules

The 1930 + NCRP route handles most QR-swap losses. But you should push for a formal police FIR under the following conditions:

1. Loss is above ₹10,000 and you want an insurance claim, an employer reimbursement, or a civil-court recovery later.
2. The QR sticker is still on site and could be lifted as physical evidence.
3. Multiple victims have reported the same location (collective complaint is far more powerful).
4. The fraud involved impersonation of a real merchant, a temple trust, or a government counter - that triggers BNS §336 forgery as well as §318 cheating.
5. The receiving account turns out to be a mule pattern (multiple beneficiaries, layered transfers, cash-out within minutes) - that triggers a separate enquiry under the Prevention of Money Laundering Act 2002 reporting framework.
6. The shop or venue refuses to remove the fake sticker after you flag it - that is consent or negligence on their part and a separate consumer cause of action.

For BNS sections, the relevant clauses in 2024+ FIRs are: §318 (cheating), §336 (forgery for purpose of cheating), read with IT Act §66C (identity theft) and §66D (cheating by personation by computer resource). The procedural code is the Bharatiya Nagarik Suraksha Sanhita (BNSS) 2024 - your FIR must be registered under BNSS §173 (replaces old CrPC §154) for cognisable offences and the station house officer cannot refuse.

You can paste the block below into the NCRP free-text field, into the bank fraud-report email, and into a printed letter for the police station. Replace bracketed placeholders with your details.

To
The Station House Officer
[Police station name]
[District, State, PIN]

Subject: Complaint against fraudulent QR code payment of ₹[amount]
on [date] at [location]  -  request for FIR under BNS 2024 §318
and §336 read with IT Act §66C and §66D.

Sir or Madam,

  1. My name is [Name], aged [age], resident of [full address],
     mobile [number], email [email].

  2. On [date] at approximately [time] I made a UPI payment of
     ₹[amount] at [exact location  -  shop name, temple, parking,
     event] by scanning a QR code displayed at the location.

  3. The payment success page showed the payee name as
     "[payee name as displayed]" with UPI ID "[payee VPA]" and
     transaction reference UTR [12-digit UTR]. I have attached
     a screenshot.

  4. The legitimate merchant or operator at the location has
     since confirmed in writing or in person that the displayed
     QR is not theirs and they have not received the payment.
     A photograph of the location and the disputed QR is
     attached.

  5. The QR sticker was placed in a manner intended to impersonate
     the genuine merchant and to deceive customers, which
     constitutes cheating under BNS §318, forgery for purpose
     of cheating under BNS §336, identity theft under IT Act §66C,
     and cheating by personation through a computer resource
     under IT Act §66D.

  6. I have lodged National Cyber Crime helpline 1930 complaint
     ID [number] on [date and time] and NCRP acknowledgement
     [number]. My bank [name] has been intimated by email on
     [date] within the 3-day window of RBI circular
     DBR.No.Leg.BC.78/2017-18.

  7. I request that an FIR be registered under BNSS §173 and that
     the investigating officer obtain KYC details of the recipient
     UPI ID from the relevant Payment System Provider via NPCI,
     and seize the disputed QR sticker from the location as
     physical evidence.

  8. I am ready to give a formal statement, identify the location,
     and produce all supporting documents.

Yours faithfully,
[Signature]
[Name]
[Date and place]

Enclosures:
  a) UPI success page screenshot
  b) Bank SMS screenshot
  c) Photograph of QR location
  d) 1930 complaint ID screenshot
  e) NCRP acknowledgement PDF
  f) Email to bank with delivery receipt

1. NPCI UPI dispute window: customer can raise a chargeback through the issuing bank within T+3 working days for credit-not-received and within T+45 days for unauthorised transactions.
2. RBI Customer Liability Circular DBR.No.Leg.BC.78/2017-18: zero customer liability if the fraud is third-party and reported within 3 working days; limited liability up to ₹25,000 if reported within 4 to 7 working days; full liability only if you delay beyond 7 days without explanation.
3. NPCI's URCS (UPI Resolution and Customer Settlement) routes the dispute through the remitter bank, beneficiary bank, and PSP within prescribed turnaround times.
4. RBI grievance redressal: 30-day window for the bank to respond; if not, escalate to the Banking Ombudsman under the RBI Integrated Ombudsman Scheme 2021 (RBI-IOS 2021) via cms.rbi.org.in.
5. Consumer Protection Act 2019: deficiency of service by the bank or the payment app is actionable at the District Consumer Disputes Redressal Commission via the e-Daakhil portal.

For the chargeback mechanics on cards and UPI, see our standalone guide Cyber-fraud chargeback under Visa, Mastercard and RuPay rules. For the bank-side lien rules and how to lift a freeze on your own account if it is mistakenly held, see Why Banks Freeze Accounts Suddenly in India and Bank Labelled Your Transaction "Suspicious": Lift the Hold.

1. Deleting the UPI app, the SMS, or the screenshot in panic. Without the UTR you have no case.
2. Calling the bank's general customer-care number instead of the fraud-reporting line; the routing is different and the timestamp matters.
3. Filing NCRP first and dialling 1930 second. The freeze comes faster through 1930.
4. Forgetting to write down the 1930 complaint ID at the end of the call.
5. Reporting after 3 working days and losing the RBI zero-liability protection.
6. Filing under wrong sections; old IPC §420 references in a 2024+ FIR will be rejected - use BNS §318 and §336 instead.
7. Skipping the bank branch visit. The stamped paper acknowledgement is your evidence in any later consumer or ombudsman case.
8. Not photographing the fake sticker. If the venue removes it before police arrive, you lose physical evidence.
9. Believing the WhatsApp message that says “send ₹1 to verify and we will credit ₹10,000”. That is a separate scam called the credit-bait variant.
10. Paying again to a “refund executive” who calls back claiming to reverse the first payment. That is the secondary-scam loop and accounts for nearly a third of total losses in NCRP data.

Tap the QR before you press Pay, and read the payee name on the next screen. Match it to the shop, temple, parking operator, or event organiser. If the name is generic (“Merchant”, a personal first name, or a firm with no place identifier), if the UPI ID handle does not fit a business account, or if the printed sticker looks lifted, mismatched, or bubbled, walk away or pay cash.

Save the screenshot of the success page and the bank SMS, dial 1930 within minutes, and write down the complaint ID. Then file on cybercrime.gov.in and email your bank's fraud-reporting address the same hour. The first 30 minutes are when banks can still place a lien on the recipient mule account.

Yes if you have reported within 3 working days of the unauthorised debit, under the RBI Customer Liability Circular DBR.No.Leg.BC.78/2017-18. Banks are required to credit the disputed amount within 10 working days of receiving your complaint pending investigation. Keep a printed acknowledgement of your email and your branch visit.

For offences after 1 July 2024, India uses the Bharatiya Nyaya Sanhita (BNS) 2024. The relevant sections are §318 (cheating) and §336 (forgery for purpose of cheating), read with the IT Act 2000 §66C (identity theft) and §66D (cheating by personation by computer resource). The FIR procedure is under BNSS 2024 §173 (the section that replaces the old CrPC §154).

Under BNSS §173, for any cognisable offence the SHO must register a zero-FIR if the offence happened in another jurisdiction or a regular FIR if local. If refused, escalate in writing to the Superintendent of Police (SP) under BNSS §173(4), and if still refused, file a complaint to the Magistrate under BNSS §175. Most cyber fraud cases above ₹10,000 are cognisable and the FIR cannot be lawfully refused.

You cannot get the recipient's name directly from the bank under the RTI Act because banks treat KYC as third-party personal information under §8(1)(j). But you can file RTI to NPCI asking for the dispute resolution timeline applied to your UTR, to your bank's nodal officer asking for the action taken on your fraud report, and to RBI asking for compliance data on the 3-day reporting circular. Police can pull the KYC under BNSS §94 (production order). See our Cyber-fraud RTI bundle: 3 parallel RTIs to RBI, NPCI and bank, citizen guide 2026 guide for the exact letter templates.

This is the customer-side variant of the same scam. As a shopkeeper, never accept a screenshot as proof; the only proof is the bank SMS or the in-app notification on your own phone. If you have lost goods this way, the route is identical: 1930, NCRP, bank email, and police FIR under BNS §318 plus IT Act §66D.

Look for a printed boom-barrier plate with the operator's brand, a phone number with an STD code, and a GST number. The QR should sit inside that plate, not on a loose sticker. If the operator has an app (most malls now do), pay through the app, not the wall QR. If the queue is rushing you, pay cash to the attendant and request a printed receipt.

Some bank-linked debit-card insurance covers unauthorised UPI losses up to a sub-limit (commonly ₹50,000 to ₹2 lakh). You need the FIR copy, the 1930 complaint ID, the NCRP acknowledgement, the bank's denial letter or chargeback rejection, and the policy schedule. Standalone cyber insurance (sold by general insurers under IRDAI) has wider coverage; check the policy wording for a “social engineering fraud” clause.

Three habits, drilled once a week for a month: (1) always tap the QR and read the payee name out loud, (2) cap every new merchant payment at ₹1 first, (3) install Sanchar Saathi Chakshu and the NCRP Suspect Repository lookup, and check any new UPI VPA against the database before you pay it. The pattern that gets people into trouble is the rush - the queue, the phone call, the WhatsApp forward. Slowing down for the 60 seconds it takes to verify is the entire defence.

1. National Cyber Crime Reporting Portal (NCRP) - cybercrime.gov.in
2. Cyber Crime Helpline 1930 - Indian Cyber Crime Coordination Centre, Ministry of Home Affairs
3. RBI Customer Liability Circular DBR.No.Leg.BC.78/2017-18 - limiting liability of customers in unauthorised electronic banking transactions
4. RBI Integrated Ombudsman Scheme 2021 (RBI-IOS 2021) - cms.rbi.org.in
5. NPCI UPI Dispute Redressal Mechanism (URCS) - npci.org.in
6. Sanchar Saathi Chakshu - Department of Telecommunications portal for reporting suspected fraud communications
7. Information Technology Act 2000 - §66C (identity theft) and §66D (cheating by personation by computer resource)
8. Bharatiya Nyaya Sanhita 2024 - §318 (cheating) and §336 (forgery for purpose of cheating)
9. Bharatiya Nagarik Suraksha Sanhita 2024 - §173 (registration of FIR), §175 (magistrate complaint), §94 (production order)
10. Consumer Protection Act 2019 and the e-Daakhil portal for consumer commissions
11. Prevention of Money Laundering Act 2002 - reporting framework for mule-account patterns

1. UPI Money Deducted but Not Received: First 10-Minute Action Plan - first 24 hours after a UPI debit with no credit confirmation
2. How to recover money lost to UPI fraud — complete 2026 guide - full recovery playbook beyond the 3-day window
3. 1930 cyber fraud helpline: the exact 7-minute script - word-for-word call script for the 1930 helpline
4. Golden-hour zero liability: the exact RBI math for cyber fraud - RBI 3-day circular explained
5. Why Banks Freeze Accounts Suddenly in India - what to do if your account is itself frozen
6. Cyber-fraud chargeback under Visa, Mastercard and RuPay rules - chargeback rules across card networks and UPI
7. NCRP acknowledgement and bank lien decoded, citizen guide 2026 - reading the NCRP status codes
8. Cyber-fraud RTI bundle: 3 parallel RTIs to RBI, NPCI and bank, citizen guide 2026 - RTI letters to RBI, NPCI, and your bank
9. QR Sticker Fraud on Shops & Petrol Pumps India (2026) - sibling guide on petrol-pump and shop QR swaps
10. QR Code Scam Recovery in India: 2026 Playbook - older recovery walkthrough for QR-based losses
11. Bank Labelled Your Transaction "Suspicious": Lift the Hold - when the bank holds your account
12. Citizen RTI playbook — file, escalate, win (2026) - general RTI tactics for citizen grievances
13. Middle-class scam defence India: complete hub 2026 - pattern-recognition for the most common everyday frauds

For the social card at /data/media/social/auto/qr-code-scam-shops-temples-parking-events-india.png (1200×630): A clean editorial illustration in a flat-vector style. Foreground: a hand holding a smartphone with the UPI payment screen open, the payee name field highlighted in a warm amber. Behind the phone, a layered QR sticker is shown half-peeled with a second, fraudulent QR underneath in a contrasting red. Background elements arranged in three vertical bands: a small shop counter on the left with a Bharat QR plate, a temple hundi in the centre with a laminated steel donation QR, and a parking boom barrier on the right with a printed operator QR. Indian visual cues - a marigold garland near the temple band, a rupee symbol on the phone screen. Palette: deep indigo, saffron, soft cream. No real brand logos, no real human faces. Add a 20-pixel safe-area margin for social-card cropping.

This article is general guidance for Indian citizens and is not legal advice. Statutes and circulars cited are current as of 2026-05-16. For loss above ₹1,00,000, for repeat fraud, or for any matter involving an open FIR, consult a qualified lawyer in your jurisdiction. The RTI Wiki editorial team updates this page when central rules, RBI circulars, or NPCI procedures change.