Decode any QR code and instantly check the embedded URL for phishing threats before you visit it. Detect fake UPI payment QR codes and malicious QRishing attacks.
QRishing is phishing via malicious QR codes. Attackers place fake QR codes on payment terminals, posters, or WhatsApp messages claiming to be UPI refunds or cashback. Always decode and scan before visiting.
Never scan QR codes claiming to be "receive ₹500 cashback." Legitimate UPI payments only require you to pay, not scan to receive. Verify UPI QR codes show the correct merchant name before paying.
Everything about QR code safety, UPI QR fraud, QRishing attacks in India, and how to check any QR code before scanning it.
QRishing is a phishing attack that uses QR codes as the delivery vector instead of email links or SMS. Attackers create a QR code containing a malicious URL and place it where a legitimate QR code is expected — on a payment counter, notice board, or in a WhatsApp message. In India, QRishing primarily targets UPI payments by replacing real merchant QR codes with fake ones.
Upload the QR code image to PhishGuard's QR Scanner tool. It decodes the hidden URL inside the QR code and runs it through 55+ security checks — including domain age verification, SSL certificate analysis, and brand impersonation detection — before your camera app automatically follows the link. This takes under 5 seconds and protects you from QRishing attacks.
Yes, increasingly so. CERT-In and multiple Indian cybercrime cells have reported sharp rises in QR-based UPI fraud between 2023 and 2025. Common scenarios include fake QR stickers at petrol pumps and shops, fake cashback QR codes on WhatsApp, and counterfeit payment QR codes at religious places, markets, and restaurants across India.
Scammers visit petrol stations, restaurants, kirana stores, and market stalls and physically stick a fake QR code sticker over the merchant's real payment QR code. When a customer scans the fake sticker, the payment goes to the scammer's UPI account. The merchant's genuine QR code is hidden underneath and the scam often goes undetected for days.
Look for: (1) A sticker edge or peeling corner that suggests it was placed over another QR code. (2) Different paper texture or print quality compared to the surrounding signage. (3) Misalignment with the design around it. If anything looks off, ask the shopkeeper to show you the QR code on their phone screen directly, or pay by cash or UPI ID entry instead.
UPI apps validate the merchant's VPA (Virtual Payment Address) and display the registered merchant name before you confirm payment. However, they cannot detect if a physical QR sticker was replaced, and they cannot inspect the URL hidden in a QR code before decoding it. Always verify that the merchant name shown in the payment confirmation screen matches the business you are at.
Act immediately: (1) Do not enter any OTP or PIN on any resulting website. (2) Screenshot the transaction reference number and UPI ID shown. (3) Contact your bank's 24x7 helpline and report an unauthorised transaction. (4) Call the National Cyber Crime Helpline at 1930. (5) File a complaint at cybercrime.gov.in within 24 hours to maximise recovery chances.
QR codes in unexpected WhatsApp messages or emails are very high risk. Scammers send PDFs that look like official documents — invoices, delivery notifications, government letters — containing malicious QR codes. Legitimate banks, government agencies, and businesses never send QR codes via WhatsApp asking you to scan and pay. Always decode and check with PhishGuard before scanning.
This is critical to understand: you only scan a QR code to MAKE a payment to someone else. There is no such thing as a QR code you need to scan to RECEIVE money. If anyone — in person or on WhatsApp — sends you a QR code and says 'scan this to receive your refund or cashback,' it is 100% a scam. Scanning it will cause money to be deducted from your account, not added.
Seasonal QR scams include: fake Diwali cashback QR codes on WhatsApp promising ₹500–₹5,000 rewards, counterfeit IPL ticket booking QR codes, fake charity QR codes at religious events and fundraisers, and fraudulent e-commerce 'festival sale' QR codes. Scammers register new domains and create new QR campaigns specifically targeting the weeks before major Indian festivals.
Yes — this is exactly what PhishGuard's QR Tools is designed for. Upload a screenshot or photo of the QR code, paste an image URL, or use your device camera through the browser. PhishGuard decodes the QR code server-side to extract the hidden URL, then runs a full safety check without your phone's camera app ever following the link automatically.
Fraudulent job offers sent via email or Telegram often include a QR code to 'register' or 'complete your application.' Scanning the code takes you to a phishing page that collects your Aadhaar number, bank account details, and advance registration fees. Legitimate employers in India never require you to scan a QR code as part of an application process.
Found a suspicious link? Scan it free with PhishGuard or report to India's national cyber crime helpline: 1930 · cybercrime.gov.in