QR Sticker Fraud on Shops & Petrol Pumps India (2026)

When Priya Mehta paid ₹4,850 for diesel at a Noida petrol pump in February 2026 by scanning the QR code displayed on the pump, her money went to a fraudster's account—not the station owner. A fake sticker had been pasted over the genuine merchant code, and she discovered the fraud only when the attendant said payment had not arrived.

Citizen Crisis Response Network

This guide is maintained by volunteers who decode official systems so ordinary Indians can respond to fraud, loss, and systemic failure. Not legal advice. When in doubt, consult an advocate enrolled with the Bar Council.

QR sticker fraud occurs when criminals paste fake QR codes over legitimate merchant codes at shops, petrol pumps, and kirana stores. When you scan and pay, money reaches the fraudster's account instead of the merchant. It is prosecuted as cheating and dishonestly inducing delivery of property under Section 318(4) of the Bharatiya Nyaya Sanhita 2023 (imprisonment up to seven years and fine), read with Section 66D of the Information Technology Act 2000 (cheating by personation using a computer resource). Report immediately via https://cybercrime.gov.in or the 1930 helpline, file an FIR under Section 173 BNSS 2023, and raise a fraud dispute with your bank as fast as possible for the best chance of recovery.

• How QR sticker fraud works at petrol pumps and shops
• Legal framework: BNS 2023 sections and penalties
• Step-by-step complaint filing on National Cybercrime Reporting Portal
• Bank chargeback and refund procedure
• How to verify genuine merchant QR codes before paying
• Petrol pump and shop owner liability
• Sample FIR and legal notice templates
• RTI queries to track your complaint
• Myths vs reality table
• FAQ with 8 common questions

In January 2026, Rajesh Kumar in Pune scanned a QR code at his neighborhood kirana store to pay ₹1,240 for groceries. The shopkeeper waited, then said no payment had arrived. Rajesh showed his UPI debit confirmation. When they peeled back the sticker, a second QR code—the genuine one—was visible underneath. The top layer was a laminated fake, carefully aligned to hide the merchant's real code.

Fraudsters operate in teams. One member distracts the cashier or pump attendant; another pastes the fake sticker over the genuine QR code in seconds. These stickers are printed on glossy photo paper or transparent vinyl, often with the merchant's logo copied to appear authentic. The scam works because most customers scan without inspecting, and merchants do not check codes multiple times per day.

At petrol pumps, the fraud scale is larger. A single fake sticker can intercept many high-value fuel payments in a day before anyone notices. Fraudsters monitor incoming payments via SMS alerts and remove the sticker before closing time or when suspicious activity is noticed. By then, several customers have been defrauded.

The fake QR code links to a personal UPI ID or a mule account—often opened using forged KYC documents or a stolen identity. Money is immediately transferred to wallets, other accounts, or withdrawn via ATM. By the time victims realize, the trail is cold.

Warning — Fraudsters increasingly use QR codes that display a merchant name similar to the shop (e.g., “RAJA KIRANA” instead of “RAJ KIRANA”). Always verify the beneficiary name *before* entering your UPI PIN.

Section 318(4) of the Bharatiya Nyaya Sanhita 2023 is the primary provision. It punishes cheating and dishonestly inducing the deceived person to deliver property with imprisonment up to seven years and fine. Pasting a fake QR code dishonestly induces the customer to part with money, so the offence squarely fits this section. (Section 318 of the BNS replaces the cheating offences of the old Indian Penal Code, including Section 420 IPC.)

Section 319 BNS 2023 covers cheating by personation—pretending to be someone else, here the genuine merchant—and is punishable with imprisonment up to five years, or fine, or both. The “use of a computer resource” element of QR/UPI fraud is captured separately by Section 66D of the IT Act (below).

Where fraudsters peel off and destroy the fake sticker to defeat investigation, that conduct can amount to causing disappearance of evidence under Section 238 BNS 2023; the punishment is graded according to the offence being screened.

Section 173 of the Bharatiya Nagarik Suraksha Sanhita 2023 (BNSS) governs registration of the FIR and gives statutory backing to the Zero FIR—you can lodge your FIR at *any* police station regardless of where the offence occurred, and it is then transferred to the station with territorial jurisdiction. This matters because QR fraud often crosses city and state lines.

Section 193 BNSS 2023 sets the timeline for completion of investigation and filing of the police report. For an offence such as this (punishable with imprisonment of less than ten years), the report is to be filed within sixty days of the FIR. Insist on these timelines in writing.

The Information Technology Act 2000, specifically Section 66D (punishment for cheating by personation by using a computer resource), continues in force alongside the BNS. Penalties: imprisonment up to three years and fine up to ₹1,00,000. Use both provisions in your FIR to maximize prosecution options.

Most citizens miss this — Filing only a cybercrime complaint on the NCRP portal is *not* the same as an FIR. An FIR is a separate, mandatory step that triggers a formal police investigation under Section 173 BNSS 2023. Do both.

The National Cybercrime Reporting Portal (NCRP) managed by the Ministry of Home Affairs at https://cybercrime.gov.in is your first digital touchpoint.

Step 1: Visit https://cybercrime.gov.in and click “Report Cyber Crime.” Anonymous reporting is possible, but logged-in reporting (via mobile OTP) allows complaint tracking.

Step 2: Select complaint category: “Financial Fraud” → “Debit/Credit Card / UPI Fraud.”

Step 3: Enter incident details:

• Date and time of transaction
• Petrol pump or shop name and full address
• Transaction amount
• UPI transaction ID (the reference number in your bank SMS)
• Beneficiary UPI ID or account number visible in transaction history

Step 4: Upload:

• Screenshot of UPI debit message
• Photo of QR code (if still present)
• Photo of transaction in your UPI app showing beneficiary name
• Video of merchant confirming non-receipt (if available)

Step 5: Submit. You will receive an acknowledgment number. Save it.

Step 6: The complaint is forwarded to the concerned State Cyber Cell or district police. Track status under “Track Your Complaint” using the acknowledgment number.

Step 7: If there is no action, escalate via the grievance tab on the NCRP portal.

The portal also alerts the bank linked to the fraudulent account so that suspicious funds can be put on hold under the financial-fraud reporting mechanism.

Do this immediately — Screenshot your UPI transaction within minutes. Save the screenshot, SMS, and email notification in three separate locations: phone, cloud, and an email sent to yourself.

UPI transactions are generally irrevocable, but reporting fraud fast gives your bank a narrow window to act through the NPCI dispute-resolution system and the framework under the Payment and Settlement Systems Act 2007. Act as quickly as you can—ideally within hours.

1. Call your bank's customer care (number on back of debit card) and say: “I need to raise a dispute for a fraudulent UPI transaction due to QR code substitution.”
2. Note the complaint reference number.
3. Send a written email to the bank's grievance officer (listed on the bank website under “Customer Grievances”). Use subject line: “Chargeback Request – Fraudulent QR Code Transaction – [Your Account Number].”

Email must include:

• Transaction date, time, and UPI ID
• NCRP acknowledgment number
• FIR number (if filed)
• Merchant confirmation that payment was not received (photograph or written statement)
• Your statement: “I scanned what I believed to be the merchant's genuine QR code. I did not authorize payment to [beneficiary name]. This is a case of QR code substitution fraud.”

What banks do:

Your bank raises the dispute with the fraudster's bank (the beneficiary bank) through NPCI's dispute-resolution process. If the beneficiary account is flagged as suspicious or put on hold and funds remain, a reversal may be possible. Recovery is far more likely while the money is still sitting in the mule account, so speed matters more than anything else—once funds are withdrawn or layered, the chance of recovery falls sharply.

Fallback: File a complaint with the RBI Ombudsman at https://cms.rbi.org.in if the bank does not resolve your grievance within 30 days or rejects it. Under the Reserve Bank – Integrated Ombudsman Scheme 2021, the Ombudsman can award compensation for consequential loss up to ₹20,00,000, plus up to ₹1,00,000 for time lost, expenses, and harassment.

Citizen tip — If your bank refuses citing “customer authorized transaction,” reply in writing: “Authorization was obtained by fraud. This is QR code substitution fraud punishable under Section 318(4) BNS 2023 and Section 66D IT Act 2000. Please provide a written rejection with reasons.” This forces a documented response you can use in further escalation, including before the RBI Ombudsman.

Prevention is easier than recovery. Follow this 5-second verification habit:

1. Ask the merchant to show payment arrival: After scanning, wait 3 seconds and ask, “Payment aaya?” (Payment received?). Genuine merchants check their phone instantly. Fraudsters have no notification.

2. Check beneficiary name before entering PIN: Every UPI app shows “Paying [Name]” before you enter PIN. Read it aloud: “Am I paying [Merchant Name]?” If the name is a personal name or does not match, STOP.

3. Inspect sticker edges: Run your fingernail along the QR code edge. A double-layer sticker will have a raised edge or air bubble. Genuine codes are usually printed directly on standees or laminated flush.

4. Look for the bank/UPI branding: Authentic merchant QR codes issued by banks and payment apps carry the issuer's branding (BHIM/UPI/the app logo). A bare, hastily printed code with no branding is a red flag.

5. Use your app's merchant-verification cue: Several UPI apps display a “verified merchant” indicator for registered businesses. If it is absent on a code that should belong to an established shop or pump, be cautious.

6. Demand a printed bill with QR code: Some merchants print QR codes on thermal bills. This eliminates substitution risk.

For petrol pumps specifically: Prefer pumps and merchants that use dynamic QR codes—codes that refresh frequently and cannot be copied onto a sticker. Static printed codes are easier targets. Ask whether your pump uses a dynamic code.

Trust signal — Many fuel retailers and large merchants are moving to dynamic QR codes after a rise in sticker-substitution complaints. If your regular pump still uses a static printed code, ask the owner to switch.

Can you sue the merchant for negligence? Possibly, under the Consumer Protection Act 2019. A service provider must exercise reasonable care, and a failure to secure the payment QR code displayed on the premises can be argued as a deficiency in service. Outcomes depend on the facts and on whether the merchant took reasonable precautions.

Merchant's defense: “I am also a victim.” This is often accepted where the merchant:

1. Files a police complaint immediately
2. Cooperates with investigation
3. Shows evidence of periodic QR code verification (e.g., daily photographs)

Your consumer case steps:

1. Send a legal notice within 15 days demanding refund + compensation (template below). 2. If there is no satisfactory response, file a complaint in the District Consumer Disputes Redressal Commission under Section 35 of the Consumer Protection Act 2019. 3. Pay the prescribed filing fee for your claim slab (modest for small claims). 4. Disposal time varies by commission and pendency.

A consumer commission can direct removal of the deficiency in service (a refund) and award compensation for loss or injury suffered, including for mental agony where proved.

Warning — Do not accept a merchant's offer to “settle” by partial refund without a written agreement. Verbal settlements are hard to enforce. Insist on a signed settlement letter stating “full and final settlement of claim arising from QR fraud incident dated [Date].”

To,
The Station House Officer,
[Police Station Name],
[City, State]

Subject: FIR under Sections 318(4) and 319 BNS 2023 and Section 66D IT Act 2000 – QR Code Fraud

Sir/Madam,

I, [Your Full Name], son/daughter/wife of [Parent/Spouse Name], aged [Age], residing at [Full Address], Aadhaar [Last 4 digits], mobile [Number], hereby lodge the following complaint:

1. On [Date] at approximately [Time], I visited [Shop/Petrol Pump Name], located at [Full Address], [City].

2. I scanned a QR code displayed at the payment counter/petrol pump to pay ₹[Amount] via UPI.

3. UPI transaction ID [reference number] debited my account [Bank Name, Account Number].

4. The merchant informed me that no payment was received.

5. Upon inspection, we discovered a fake QR code sticker pasted over the genuine merchant code.

6. The beneficiary account name shown in my UPI app was "[Fraudster Name/UPI ID]", not the merchant's name.

7. This is a case of cheating and cheating by personation under Sections 318(4) and 319 BNS 2023 read with Section 66D IT Act 2000.

8. I reported the incident on the National Cybercrime Reporting Portal (Acknowledgment No. [........]).

9. I request you to:
   - Register an FIR under Sections 318(4), 319 BNS 2023 and Section 66D IT Act 2000 (and Section 238 BNS 2023 if the sticker was removed/destroyed)
   - Seize the fake QR code sticker as evidence
   - Obtain CCTV footage from the premises
   - Issue directions to put the beneficiary bank account on hold via NCRP/the bank
   - Investigate and arrest the accused

10. I am ready to cooperate with the investigation and provide any further evidence required.

Attachments:
- Copy of UPI transaction screenshot
- Photograph of fake QR code
- Merchant's written statement (if available)
- NCRP acknowledgment printout

Date: [Date]
Place: [City]

Signature:
[Your Name]
Mobile: [Your Mobile]

LEGAL NOTICE UNDER THE CONSUMER PROTECTION ACT 2019

To,
[Merchant/Proprietor Name]
[Shop/Petrol Pump Name]
[Full Address]

Date: [Date]

Subject: Demand for refund of ₹[Amount] + compensation for deficiency in service

Sir/Madam,

1. My client [Your Name], residing at [Address], engaged your services as a consumer on [Date].

2. At approximately [Time], my client scanned a QR code displayed at your premises to pay ₹[Amount] for [goods/fuel].

3. The payment was debited from my client's account (UPI Transaction ID: [ID]) but was not received by you, as you confirmed.

4. Investigation revealed that a fake QR code sticker had been pasted over your genuine code.

5. As a service provider under the Consumer Protection Act 2019, you owe a duty to take reasonable care over the payment systems offered to customers on your premises.

6. The failure to inspect and secure the QR code displayed on your premises is alleged to amount to a deficiency in service.

7. My client has suffered:
   - Financial loss: ₹[Amount]
   - Mental agony and harassment
   - Loss of time in police complaints and bank follow-ups

8. My client hereby demands:
   - Refund of ₹[Amount] within 15 days
   - Reasonable compensation for mental agony and harassment
   - Reimbursement of ₹500 for legal notice charges

9. If compliance is not made within 15 days of receipt of this notice, my client will be constrained to file a complaint under Section 35 of the Consumer Protection Act 2019 before the District Consumer Commission, claiming additional litigation costs.

10. This notice is without prejudice to my client's rights and contentions.

Yours faithfully,

[Your Name / Your Advocate's Name]
[Address]
[Mobile]
[Email]

Most citizens miss this — Police sometimes try to register an NCR (Non-Cognizable Report) instead of an FIR for cyber fraud. Cheating under Section 318(4) BNS 2023 is a cognizable offence, so an FIR can be registered. If refused, file a written complaint and obtain a signed acknowledgment with date and time, and approach the Superintendent of Police.

If your FIR, NCRP complaint, or bank dispute is stalled, use the Right to Information Act 2005 to force accountability. You can draft RTI applications free of cost using the RTI Assistant tool at https://righttoinformation.wiki/tools/rti-assistant and check responses via the PIO Reply Checker at https://righttoinformation.wiki/tools/pio-reply-checker.

RTI to Police (file with District Police Public Information Officer):

1. Provide the current status of FIR No. [Number] dated [Date] registered at [Police Station] regarding QR code fraud.

2. Has the investigation been completed within the timeline under Section 193 BNSS 2023? If not, state reasons.

3. Provide copies of:
   - FIR
   - Investigation notes/diary entries
   - Any charge sheet filed

4. Has the fake QR code sticker been sent for forensic analysis? Provide forensic report.

5. Has CCTV footage been obtained and examined? Provide summary of findings.

6. Has the accused's bank account been put on hold? Provide copy of letter to bank/NPCI.

7. What is the total amount defrauded via the same QR code (if multiple victims identified)?

8. Provide information under RTI Act 2005 Sections 4(1)(b) and 6(1).

RTI to Bank (file with the bank's Central Public Information Officer if a public sector bank):

1. Provide status of dispute reference number [Number] dated [Date].

2. Was a dispute raised with the beneficiary bank via NPCI? Provide copy of communication.

3. What was the beneficiary bank's response?

4. Was the beneficiary account put on hold? If yes, what amount was held and when?

5. Provide copy of internal policy/guidelines for handling QR code fraud disputes.

6. How many similar QR fraud complaints have been received by this branch in the past 6 months?

7. Provide information under RTI Act 2005 Sections 4(1)(b) and 6(1).

The Central Public Information Officer (CPIO) must respond within 30 days under Section 7(1) of the RTI Act 2005. If refused, file a first appeal within 30 days under Section 19(1). For a step-by-step RTI filing guide, see https://righttoinformation.wiki/rti-act-2005-complete-guide.

Do this immediately — File RTI at the 30-day mark if police or bank has gone silent. The RTI application itself often triggers action because it creates an audit trail and accountability pressure.

If you are a shop or petrol pump owner, these controls reduce QR fraud risk:

1. Switch to dynamic QR codes: Ask your bank or payment aggregator (Paytm, PhonePe, BharatPe) for a dynamic QR system where the code refreshes frequently. These cannot be copied onto a sticker.

2. Laminate QR codes under transparent, tamper-evident film: Use tamper-evident lamination that shows damage if peeled. These are available from security-printing vendors at low cost.

3. Inspect codes daily: Assign one staff member to photograph the QR code at opening and closing. Compare images. If any mismatch, check physically.

4. Install CCTV covering payment counters: Cameras at the payment point deter fraudsters and provide evidence.

5. Display a verification message: Print and paste: “Our QR code beneficiary name is [Your Business Name]. Verify before paying. If the name differs, alert us immediately.”

6. Join merchant/trade-association alert groups: Many local trade associations run alert groups that share real-time fraud warnings.

Trust signal — Trade associations and payment networks increasingly run merchant-awareness drives on QR safety. Ask your local association whether it has an alert group you can join.

Across 2025–26, regulators and payment networks have pushed several measures against payment fraud:

1. Payment aggregators are being encouraged to offer dynamic QR codes and tamper-resistant codes to merchants, and to verify a merchant's business credentials before issuing a QR code.
2. The Reserve Bank of India and the National Payments Corporation of India (NPCI) have tightened rules around UPI safety, beneficiary-name display, and faster handling of fraud complaints, and continue to run customer-awareness campaigns.
3. The government's cyber-fraud reporting infrastructure routes complaints to banks for putting suspicious funds on hold.

Check official sources—https://rbi.org.in, https://www.npci.org.in, and https://cybercrime.gov.in—for the current rules and advisories, as these change frequently.

For complaints or escalations, the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs operates a helpline: 1930 (toll-free). Call early.

Citizen tip — Call 1930 and say “I want to report a UPI QR fraud and need the beneficiary account put on hold.” They will generate a ticket, loop in the bank's nodal officer, and escalate to the State Cyber Cell. This is faster than the web portal alone.

Check the beneficiary name displayed in your UPI app after scanning but *before* entering PIN. It should match the shop or petrol pump name. If it shows a personal name (e.g., “Rahul Kumar” instead of “Raj Petrol Pump”), stop and alert the merchant. Also inspect sticker edges for double layers.

Sometimes, if you act very fast. File an NCRP complaint, call 1930, raise a bank dispute, and file an FIR immediately. If the fraudster's account is put on hold before the money is withdrawn, a reversal may be possible. Recovery becomes much harder once the funds are moved out.

Possibly, under the Consumer Protection Act 2019, if you can show a deficiency in service (failure to secure the QR code). Send a legal notice and file a consumer complaint. However, if the merchant also cooperates and shows they took reasonable precautions, liability may be reduced.

Cheating under Section 318(4) BNS 2023 is a cognizable offence, so police can register an FIR without a magistrate's order. Submit a written complaint citing this. If still refused, note the refusing officer's name and designation, and approach the Superintendent of Police or use the online FIR facility on your state police website.

There is no fixed timeline. A successful bank dispute may resolve in days; recovery through investigation can take months and depends on court orders for release of seized property; a consumer case takes several months to a judgment. Treat fast reporting—not any promised timeline—as your best lever.

No. NCRP complaints are free. FIR registration is free (any demand for money by police is illegal and can be reported to the anti-corruption bureau). The consumer-complaint filing fee depends on the claim slab. An RTI application is free to file online; ₹10 if filed offline.

Yes. There is no minimum threshold for an FIR or a consumer complaint. However, litigation costs (advocate fee, travel, time) may exceed recovery. For very small amounts, collective action is better: find other victims at the same merchant and file a joint complaint.

File an FIR mentioning that the sticker was removed (causing disappearance of evidence can itself be an offence under Section 238 BNS 2023). Request police to check for CCTV footage showing who pasted or removed the sticker. Your UPI transaction proof showing a different beneficiary name is strong primary evidence even without the physical sticker.

Yes—UPI itself is safe; the weak point is a tampered physical sticker. Build the habit of reading the beneficiary name before entering your PIN, prefer dynamic QR codes, and confirm “payment received?” with the merchant.

QR sticker fraud is part of a broader cluster of payment scams. For a related threat, see how to respond to the Digital arrest scam at https://righttoinformation.wiki/digital-arrest-scam-india.

For systemic crisis response across financial, civic, or rights violations, see the Citizen Crisis Response Network master guide at https://righttoinformation.wiki/citizen-crisis-response-network.

To draft precise RTI applications for tracking fraud complaints, use the RTI Assistant at https://righttoinformation.wiki/tools/rti-assistant. To verify if your Public Information Officer's reply is lawful and complete, use the PIO Reply Checker at https://righttoinformation.wiki/tools/pio-reply-checker.

For understanding your broader RTI rights and timelines, read the RTI Act 2005 Complete Guide at https://righttoinformation.wiki/rti-act-2005-complete-guide.

Do this immediately — Bookmark this page and share it with your family WhatsApp group. QR fraud is spreading to smaller towns and rural areas. Early awareness prevents loss. Forward the “How to verify genuine QR codes” section to every merchant you know.