14 March 2024

QR Phishing, A Rough Patch On The Rise Of UPI

S.S. Rana & Co. Advocates


S.S. Rana & Co. is a Full-Service Law Firm with an emphasis on IPR, having its corporate office in New Delhi and branch offices in Mumbai, Bangalore, Chennai, Chandigarh, and Kolkata. The Firm is dedicated to its vision of proactively assisting its Fortune 500 clients worldwide as well as grassroot innovators, with highest quality legal services.
With the rapid advancement of technology, the digital landscape has become a breeding ground for cyber threats, and one of the most prevalent among them is phishing.
India Criminal Law
To print this article, all you need is to be registered or login on

With the rapid advancement of technology, the digital landscape has become a breeding ground for cyber threats, and one of the most prevalent among them is phishing. Phishing scams have seen a significant rise in India in recent years, posing a threat to individuals, businesses and organizations alike.

Phishing, as the name may somewhat vaguely imply, is the act of contacting various people through email, telephone or text, in order to lure them into providing their sensitive information or personal data1. These deceptive communications often appear legitimate, exploiting trust and familiarity to manipulate victims into taking actions that compromise their security. These miscreants prey on the victim's vulnerability in trusting a particular website and/or service and willingness to provide information for the same.

There are multiple types of phishing techniques and means used for the same. Take for instance, Vishing (It stands for the use of a voice to convince the victim into providing details), smishing (phishing via the use of SMS messages) and Quishing (QR Phishing).

QR Phishing or Quishing poses a major challenge in the present day and age in countries like India, wherein a high number of transactions are done via the use of QR codes as a result of UPI. To understand the magnitude of the same, we must firstly go over the use of UPI and its popularity in the present day and age via QR codes.

QR Codes: The present and future of payments in India:

Quick response codes, also called QR codes, were developed in Japan in the mid-nineties. After their inception, not many people understood the role that it would play in initiating payments until the introduction of UPI or the Unified Payments Interface2.

In India, the UPI system processed over 74 billion transactions in 2022 and this amounted to over INR 126 trillion. There has been an increase in such payments in FY 2023 as the number of QR based UPI payments skyrocketed to over 84 billion transactions while amounting to 139 trillion INR3.

The main driver behind the growth of UPI and these transactions is the adoption of the QR code system. There were 237 million QR code transactions in the December of 2022 as opposed to 152 million in January of 2022. In addition to this, the number of QR codes in India rose to over 237 million, thus registering an increase of 65% compared to December 20214.

QR codes: a perfect tool for scammers?

QR phishing scams have unfortunately been on the rise in India. Recent reports state that the number of UPI frauds had increased from 15,000 cases in 2022 to a staggering 30,000 cases in 20235. This is only exacerbated by the fact that QR payments, as discussed before, are on a steady rise in India.

Quishing via UPI is seen as the perfect means to scam due to the following reasons:

  1. Instantaneous: UPI or the Unified Payments Interface, is instantaneous and this is something that works in the favor of the scammers concerned6. They use the fact that these transactions are instantaneous and so, the money will be deposited quickly in their accounts.
  2. Scope for use: In the present day and age, UPI is used almost everywhere and this is something that works to the advantage of the scammer. The scammer can easily generate these QR codes and send them to a vast number of people via social media and emails7.
  3. Lack of bank interference: As the transaction is completed via a QR code, there is no need to alert anyone as the entire transaction is between the person in charge of the particular UPI ID and the miscreant concerned, as opposed to gift cards and cheques, which are used quite frequently by scammers to scam victims out of their money, there is no chance that a bank employee or any other employee could prevent the victim form sending money in this manner and this leads to a higher success rate for these phishing scams8.

How Quishing scams are committed in India:

Quishing scams are committed in a multitude of ways in India. Some of the methods used are as follows:

  1. Use of a fraudulent QR code to specifically scam the victims via a payment notification: Many a times, some of the simplest techniques are what work best. In Light of these, there have been reports of miscreants creating their own QR codes to send victims via physical or digital means. Via these QR codes, these miscreants either pose as reputed executives of various companies or pose to be family members in desperate need of cash. By convincing the victim of their scam, they extort money via this fraudulently generated QR code9.
  2. Using the QR codes as a platform to encourage further scams: There have also been multiple instances of miscreants posing to be executives of reputed companies or providing these QRs via digital means. Once this QR is scanned by the victim, they are then taken to a website to complete the scam. This website, usually a fraudulent phishing website, would take in the personal information and banking information of the victim in exchange for either a fraudulent offer or service.
  3. Using the QR to infect, track and threaten the system of the victim: There have also been multiple instances wherein quishing is used to simply install malware or target a particular system. This is usually done to gain access to personal information or to initiate authentication bypass attacks.

Impact of Quishing in India:

In recent years, India has witnessed a surge in a new form of cybercrime known as "quishing". The proliferation of quishing scams in India can be attributed to several factors, including the widespread availability of mobile phones, the increasing adoption of digital payment systems, and the lack of awareness among the populace regarding cybersecurity best practices.

As per reports, there are over 300 million people in India who are vulnerable to Phishing attacks in some way or another. Out of this, 5 lakh people fall victim to these phishing attacks in India.

Another report suggests that India is the third most targeted country for phishing attacks in the world.

As per reports, between 2017 and 31 May 2023, there were over 20,000 QR phishing cases registered in Bengaluru alone10. These Phishing scams result in horrific losses to the parties concerned and also slow down the rate of digitalization in India and thereby the growth in India as the fear of these types of scams grows to the levels of paranoia.

Take for instance the story of a 30 year old professor from the Indian Institute of Science in Bengaluru. This person sought to sell a washing machine online and when he received a QR code from a supposed customer containing the payment for the same. He unwittingly scanned the same and this resulted in 63,000 being syphoned from his account. This is only one of many such instances wherein QR scams harm the populace concerned11.

Laws regarding Quishing in India:

There exist provisions with regards to phishing in India in the IT Act, 2000. Some of the provisions that deal with this matter range from section 43 of the IT Act, which specifically targets a person who introduces or disrupts a computer system. Section 66 of the IT Act specifies the penalties for the interference or disruption of a computer system. Section 66C of the IT Act specifically prohibits people from engaging in identity theft and this is something that is once again done by the miscreants who seek to scam the victims into availing a fraudulent offer or service. Lastly, Section 66D provides punishments for cheating or personation via a computer resource12.

The definition and the consequences for phishing primarily come from the case of national Association of Software and Service Companies vs Ajay Sood & Others. In this case, the term Phishing was defined thoroughly and recognized as a fraudulent act as per the IT Act of 2000. In this judgement, it was held that phishing was a type of internet fraud and that the impersonation of a particular person or entity via a computer system goes against the provisions of the IT Act 2000 and the perpetrators were punished accordingly.

Some latest examples of the scale of QR Phishing:

The ease of using UPI for the purpose of conducting these types of phishing attacks is clearly elaborated in the Hyderabad investment fraud case. In this scheme, Chinese miscreants from Dubai duped Indian investors for an amount exceeding INR 7.12 billion. The investigating authorities uncovered that some of the funds from this operation were being syphoned to Hezbollah under their very own "Hezbollah wallet". This sheds light on the use of QR codes for these types of scams and the financing of unlawful entities via QR code transactions13.

Exploiting religious sentiments to hatch these scams seems to have become a trend and recently, the Ayodhya Ram temple scam has become the latest example of a quishing scam in India and the amount raised via the fraudulent QR codes that were circulated by a miscreant group on various social media websites and on their own website has not been discovered.

As per the Vishwa Hindu Parishad (VHP) spokesperson, Vinod Bansal, some miscreants had created a fake social media page titled "Shri Ram Janmabhoomi Teerth Chhetra Ayodhya, Uttar Pradesh". Under this social media page, a QR code was made available to people who were willing to donate to the cause of the construction of the Ram temple in Ayodhya and this scam was only brought to light after multiple people flagged the same.

Steps that can be taken to combat Quishing:

On December 11, 2023, the US Federal Trade Commission warned against the use of QR codes to scam people. In their statement, they specifically talked about how QR codes are being sent via text or email messages and a "false sense of urgency" is being created to ensure compliance to the scam14. The FTC warned against the same and stated that the populace must check the authenticity of the QR and the authority concerned before proceeding with a payment. New Delhi Cyber cell officials have also warned against the same and recommended the use of "preview features" before making a payment via UPI to an unknown source15.

To mitigate the risk of falling prey to quishing scams, one must take preventive measures such as:

  1. Always verify the authenticity of callers claiming to represent banks, government agencies or companies by cross-checking their credentials through official channel;
  2. Refrain from sharing any personal or sensitive information, such as bank account details, OTP, Aadhar Number, etc.
  3. Install reputable antivirus and antimalware software on your devices to detect and prevent malicious threats
  4. Report any instances of quishing or suspected fraudulent activity to the relevant authorities.


With the growth of UPI, it is only natural for the number of scams surrounding this technology would increase. However, there seems to be a lack of awareness with regards to the same and herein lies the problem. To combat these scams, the awareness of these scams must permeate across every form of media in India and this would ensure that the populace does not fall prey to these predatory scams while also ensuring the growth of UPI and digital payments in India.

Akshay Krishna P, Assessment Intern at S.S. Rana & Co. has assisted in the research of this Article.

















Related Posts

TYPOSCAMS! PHISHING! TYPOSQUATTING in light of COVID-19 – Watch what you read!

For further information please contact at S.S Rana & Co. email: or call at (+91- 11 4012 3000). Our website can be accessed at

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More