← Awareness

QR Code Scanner & Generator for India — Safe UPI QR Checker

Scan any QR code safely before paying. Detect fake UPI QR codes, phishing payment QRs & tampered stickers used in India-wide QR fraud. Also generates safe QR codes free.

India edition · Updated 2026-07-09

Verifying UPI payment QR codes (PhonePe, Google Pay, Paytm) and detecting sticker-swap fraud at petrol pumps, parking lots and small shops across India.

Open the tool →

Common Indian use cases

Why the India variant matters

In UPI, scanning a QR shows only the merchant name — which anyone can forge. PhishGuard decodes the raw QR content so you can see if the UPI ID (vpa) matches the shop name, or if the QR is actually a URL to a phishing page.

UPI QR fraud is a physical-world attack

Most UPI scams do not need to hack anything. A scammer walks into a busy petrol pump or parking lot and pastes their own printed QR sticker over the merchant's real one. Payments go to their UPI ID for hours before anyone notices — the pump owner sees 'no payment' complaints, the customer sees a successful debit, and by evening the mule account is emptied. PhishGuard's QR scanner decodes the raw content on your phone before the payment app opens, so you can read the actual UPI virtual-payment-address and confirm it matches the business name.

What to check in a UPI QR

A payment QR encodes a upi://pay?pa=…&pn=…&cu=INR string. The pa= is the beneficiary VPA — this is what actually receives the money. If the printed name says 'HP Petrol Pump Andheri' and the VPA is randomstring@paytm or a personal @oksbi ID, that's a swap. Legitimate merchants use business VPAs from BharatPe, Paytm-for-Business or bank merchant IDs, not personal handles.

QR codes that aren't payments

Scanners on Indian streets increasingly encode URLs instead of UPI strings — a fake 'parking fee' QR opens a webpage that harvests card details, and 'refund' QRs sent over WhatsApp are actually collect-requests. PhishGuard shows the raw decoded string so you can see whether it's a payment (safe to open in the UPI app, then verify VPA) or a URL (paste into the URL scanner first, never open blindly).

Frequently asked questions

How can I tell if a UPI QR was tampered with?

Compare the decoded VPA (pa= value) with the merchant's business name. Legitimate merchants use business VPAs (@paytm, @ybl for BharatPe) — a personal-looking handle at a busy shop counter is suspect.

Are QR codes on WhatsApp ever safe?

Only from contacts you know and trust for a specific expected payment. Any 'refund' or 'reward' QR forwarded on WhatsApp is almost always a collect-request, not a credit.

Does scanning a QR give the sender my UPI PIN?

No — the PIN is entered on your device inside your UPI app, and never leaves it. But scanning + tapping 'pay' + entering PIN can trigger a debit if the QR is a collect request rather than a payment QR.