QR Code Swap Merchant Terminal Scam — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 28, 2026

Severity: HIGH | View Full Scam Details

Beware in 2026: The Rising QR Code Swap Merchant Terminal Scam in India

UPI users and small shopkeepers across India must stay vigilant against a growing threat where fraudsters swap genuine merchant QR codes to steal digital payments.

What Is the QR Code Swap Merchant Terminal Scam?

The QR Code Swap Merchant Terminal Scam is a new fraud pattern affecting primarily small retail shops and consumers who pay or receive payments through UPI (Unified Payments Interface). In this scam, fraudsters impersonate customers or service personnel and physically swap the merchant’s displayed QR code with another one linked to their own bank account. This manipulation redirects payments intended for the shopkeeper to the attacker’s account.

This scam mostly takes place in busy local markets and bazaars in cities and towns across India, where merchants often do not verify QR code details before or after transactions. While exact numbers are hard to quantify, public complaints and reports to police indicate increasing incidents since early 2026. The Reserve Bank of India (RBI) and CERT-In (the Indian Computer Emergency Response Team) have highlighted QR code security as a concern amid the boom of UPI payments, though no scam-specific advisory has yet been released for this tactic.

Because UPI transactions are instant and often irreversible, money lost via these fraudulent QR codes is very difficult to recover, creating high financial risk for victims.

How This Scam Works — Step by Step

1. Initial Contact: A fraudster posing as a regular customer visits a small shop. They engage the merchant with casual conversation and observe the position and type of the merchant’s QR code.

2. Pretext for Swap: On a later visit, the same fraudster returns claiming to be from a payment service provider, bank, or government-related subsidy program. They tell the merchant they are upgrading or temporarily replacing the merchant’s QR code due to new compliance requirements or promotional offers.

3. QR Code Swap: The fraudster discreetly removes the authentic merchant QR code and replaces it with one linked to their own bank account. The replacement looks similar or even uses the same branding to avoid suspicion.

4. Customer Payments Diverted: Unaware of the swap, customers scan the fake QR code to pay for goods and services. The money goes directly to the fraudster’s account instead of the merchant’s.

5. Loss Realized After Delay: The merchant notices missing payments only hours or days later when reconciling accounts or checking bank statements. By then, the fraudster has withdrawn or transferred the money, often through multiple accounts to avoid detection.

6. Difficulty in Recovery: UPI’s real-time nature and limited reversal options mean funds are rarely recovered. Complaints to banks or police sometimes result in lengthy investigations with uncertain outcomes.

Real Warning Signs to Watch For

• A “customer” or “official” suddenly offers to replace or upgrade your QR code without prior notice.
• The new QR code looks different from the original or lacks official branding/stickers.
• The person insisting on the swap refuses to show valid identification or official documents.
• Customers mention payment failures or complaints post-payment despite scanning the QR code.
• The merchant’s bank account shows fewer deposits than expected after busy business days.
• Unusual urgency or pressure tactics to accept the QR code swap immediately.
• Fraudsters asking to cover other charges or requesting OTPs/passwords under false pretenses.

What Happens to Victims

Shopkeepers who fall victim to this scam often face significant financial losses as payments intended for their business go missing. Many small merchants rely heavily on daily digital payments via UPI, and these losses can directly impact their livelihood. Unlike card payments, UPI transactions cannot be reversed easily once completed, so victims often cannot claim refunds from their banks.

Emotionally, victims report frustration and distress over feeling deceived and vulnerable. The added challenge of dealing with police and banking procedures in India amplifies stress. Moreover, if fraudsters combine this scam with SIM swap or Aadhaar misuse, victims risk higher exposure to identity theft and unauthorized banking transactions.

What RBI and CERT-In Say

While there is no RBI advisory specifically naming this new QR code swap fraud, RBI’s guidelines consistently emphasize protecting UPI users by verifying payee details before confirming payments. CERT-In urges merchants and consumers to be cautious of physical device tampering and to report any suspicious activity promptly.

The Government of India’s 1930 cybercrime helpline and cybercrime.gov.in provide channels for victims to report such digital payment frauds. The RBI helpline and bank grievance portals also support dispute resolution but recommend timely reporting within 24 hours of suspected fraud.

How to Protect Yourself

1. Always verify the displayed QR code: Before scanning, check the merchant name that appears on your phone matches the store’s identity.
2. Merchants should secure their QR codes: Attach merchant QR codes permanently and visually inspect them for signs of tampering daily.
3. Never share UPI PIN or OTP: Fraudsters may ask for these during “verification” – keep them confidential.
4. Question anyone requesting QR code changes on the spot: Ask for official proof and contact the payment provider directly before agreeing.
5. Use BharatSecure.app or similar platforms to verify suspicious messages or callers claiming to be officials.
6. Review bank statements and UPI transaction history daily to spot discrepancies early.
7. Report suspected fraud immediately to your bank and cybercrime authorities.

What to Do If You've Been Targeted

• Contact your bank or UPI app’s customer support immediately to block further transactions.
• Lodge a complaint at cybercrime.gov.in or call the 1930 national cybercrime helpline.
• File a police report providing transaction IDs, phone numbers, and any details of the fraudster’s interaction.
• Inform your mobile service provider to secure your SIM and prevent SIM-swap fraud.
• Keep all evidence like WhatsApp messages, SMS, or call patterns related to the fraud.
• Report the incident on BharatSecure.app to warn others and get guidance on next steps.

Frequently Asked Questions

Q: Can I reverse a UPI payment to a swapped QR code?
A: UPI transactions are generally instant and final. Although banks may initiate a refund on their own after investigation, there is no guaranteed or quick reversal, making prevention crucial.

Q: How can I identify if a QR code has been swapped?
A: Look for physical signs like loose stickers, mismatched branding, or changes in merchant details on your UPI app before payment. If in doubt, ask the merchant to confirm or use BharatSecure.app for verification.

Q: What if a caller claims to be from RBI or a government agency asking for QR code changes?
A: Always be skeptical. Official agencies do not call to ask for QR code replacements or PINs. Hang up and report such calls immediately to cybercrime authorities and BharatSecure.app.

Stay alert and protect your payments. Verify any suspicious interactions or changes in your payment QR codes at BharatSecure.app and report fraud early to the 1930 cybercrime helpline.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.