Lost money by scanning a QR code?
Follow these steps immediately for funds
New Delhi, May 28, 2026
Victims may get a solution if they promptly alert banks and cybercrime authorities
Using a fake QR code to transfer money can empty your bank account within seconds. Many people do not realise that the first few minutes after discovering the fraud may decide whether the money can still be recovered.
With UPI-based frauds continuing to rise across India, cybercrime officials, banks and the National Payments Corporation of India (NPCI) are repeatedly warning users against fake QR codes, fraudulent payment requests and impersonation scams. Experts say most cases are not technical hacks but social engineering frauds where users are tricked into authorising payments themselves.
The biggest mistake, officials say, is assuming that scanning a QR code is harmless.
QR code scams explained
Fraudsters typically send QR codes claiming they are needed to “receive” money, process refunds, collect cashback, claim prizes or complete delivery payments. In reality, scanning the code initiates a payment request from the victim’s account.
The fraud succeeds when users enter their UPI PIN without checking the beneficiary details displayed on the app.
NPCI and banks have repeatedly clarified that QR codes are primarily meant for making payments. Users generally do not need to scan a QR code to receive money from another person.
These scams are commonly reported on online marketplaces, social media platforms, courier transactions and even at physical shops where scammers replace genuine merchant QR codes with fake ones.
Cyber awareness campaigns run by banks and government agencies have also highlighted another key risk: Fraudsters often create urgency or panic to prevent users from verifying details carefully.
What to do immediately after discovering fraud
Cybersecurity officials say the “golden hour” after the transaction is critical. If the money is still lying in the fraudster’s account, banks may be able to freeze or reverse the transaction before the funds are withdrawn or transferred further.
Victims should act immediately instead of waiting for customer support emails or delayed responses.
Step 1: Contact your bank or UPI app
Users should immediately call their bank or UPI app customer care and request that the transaction be flagged as fraudulent. Most banks and payment apps including PhonePe, Google Pay, Paytm and major private and public sector banks operate 24x7 fraud helplines.
Keep the following details ready:
• Transaction ID
• Amount transferred
• Date and time of payment
• Beneficiary name and UPI ID
• Screenshots of the transaction or QR code
Banks may temporarily freeze the account or initiate a dispute process depending on how quickly the complaint is filed.
Step 2: Call the national cybercrime helpline
Victims should immediately dial 1930, the national cybercrime financial fraud helpline.
The helpline coordinates with banks and payment intermediaries to try freezing the funds before they move out of the fraudster’s account. Officials say quicker reporting significantly improves the possibility of partial or full recovery.
Step 3: File a complaint online
Users should also register the complaint on the National Cyber Crime Reporting Portal at cybercrime.gov.in under the financial fraud section.
The complaint number generated on the portal should be saved carefully for follow-up with banks and investigators.
Can you actually recover the money?
Recovery is possible in some cases, but there is no guarantee.
Under the Reserve Bank of India’s customer liability framework for unauthorised digital banking transactions, customers may have limited or zero liability if fraud is reported promptly. However, recovery depends on several factors:
• How quickly the fraud is reported
• Whether the money is still available in the recipient account
• Coordination between banks through NPCI systems
• Whether the scammer has already transferred or withdrawn the funds
Banking officials say complaints made within the first few hours generally have a better chance of recovery than those reported days later.
In some cases, banks may process what is informally known as a “shadow reversal” if the funds can be blocked before further movement.
However, many fraud victims either recover only part of the money or receive nothing if the amount has already been layered across multiple accounts.
The most common UPI scam patterns
Apart from fake QR code frauds, cybercrime agencies are seeing several other recurring patterns:
Fake collect requests
Fraudsters send “collect money” requests disguised as refunds, cashback offers or customer care payments. Users unknowingly approve them.
Impersonation calls
Scammers pose as bank staff, police officers or customer support executives and pressure users into making “verification” payments.
Screen-sharing scams
Victims are asked to download remote-access apps under the pretext of troubleshooting. Fraudsters then gain control of the device and approve transactions.
Fake links and apps
Users receive phone text messages or WhatsApp links for KYC updates, rewards or refunds that redirect them to fake payment pages or malicious applications.
SIM-swap frauds
Fraudsters illegally obtain duplicate SIM cards to intercept OTPs and reset banking credentials.
How to protect yourself
NPCI and banks advise users to follow a few basic precautions:
• Never scan QR codes sent by strangers
• Never enter UPI PIN to receive money
• Always verify the beneficiary name before approving payments
• Reject unknown collect requests
• Do not share OTPs or UPI PINs
• Avoid downloading apps suggested by unknown callers
• Use only official banking and UPI applications
• Set lower transaction limits for daily use
• Enable instant transaction alerts
The core message from cybercrime authorities remains that the UPI itself is secure, but fraudsters exploit human error.
For users, that means awareness, not technology, is often the strongest defence against losing money online.
[The Business Standard]
