QR Code Scanner & Generator for India — Safe UPI QR Checker
Scan any QR code safely before paying. Detect fake UPI QR codes, phishing payment QRs & tampered stickers used in India-wide QR fraud. Also generates safe QR codes free.
Verifying UPI payment QR codes (PhonePe, Google Pay, Paytm) and detecting sticker-swap fraud at petrol pumps, parking lots and small shops across India.
Open the tool →Common Indian use cases
- Fake QR stickers pasted over legitimate merchant QRs at Delhi/Bengaluru petrol pumps — payment goes to a scammer's UPI ID.
- 'Refund' QR codes shared over WhatsApp claiming to reverse a failed transaction (they actually initiate a debit request).
- Parking-lot QR codes redirecting to fake parking-fee pages that harvest UPI PINs.
Why the India variant matters
In UPI, scanning a QR shows only the merchant name — which anyone can forge. PhishGuard decodes the raw QR content so you can see if the UPI ID (vpa) matches the shop name, or if the QR is actually a URL to a phishing page.
UPI QR fraud is a physical-world attack
Most UPI scams do not need to hack anything. A scammer walks into a busy petrol pump or parking lot and pastes their own printed QR sticker over the merchant's real one. Payments go to their UPI ID for hours before anyone notices — the pump owner sees 'no payment' complaints, the customer sees a successful debit, and by evening the mule account is emptied. PhishGuard's QR scanner decodes the raw content on your phone before the payment app opens, so you can read the actual UPI virtual-payment-address and confirm it matches the business name.
What to check in a UPI QR
A payment QR encodes a upi://pay?pa=…&pn=…&cu=INR string. The pa= is the beneficiary VPA — this is what actually receives the money. If the printed name says 'HP Petrol Pump Andheri' and the VPA is randomstring@paytm or a personal @oksbi ID, that's a swap. Legitimate merchants use business VPAs from BharatPe, Paytm-for-Business or bank merchant IDs, not personal handles.
QR codes that aren't payments
Scanners on Indian streets increasingly encode URLs instead of UPI strings — a fake 'parking fee' QR opens a webpage that harvests card details, and 'refund' QRs sent over WhatsApp are actually collect-requests. PhishGuard shows the raw decoded string so you can see whether it's a payment (safe to open in the UPI app, then verify VPA) or a URL (paste into the URL scanner first, never open blindly).
Frequently asked questions
How can I tell if a UPI QR was tampered with?
Compare the decoded VPA (pa= value) with the merchant's business name. Legitimate merchants use business VPAs (@paytm, @ybl for BharatPe) — a personal-looking handle at a busy shop counter is suspect.
Are QR codes on WhatsApp ever safe?
Only from contacts you know and trust for a specific expected payment. Any 'refund' or 'reward' QR forwarded on WhatsApp is almost always a collect-request, not a credit.
Does scanning a QR give the sender my UPI PIN?
No — the PIN is entered on your device inside your UPI app, and never leaves it. But scanning + tapping 'pay' + entering PIN can trigger a debit if the QR is a collect request rather than a payment QR.