India & World | Wednesday, 24 June 2026 | IST
Quishing: How a Fake QR Code Empties Your Bank Account

Imagine a stranger walks up and says, "I owe you a refund — just scan this QR code and you'll get the money." It sounds harmless. It is also the single most common lie in India's fastest-growing payment scam. Quishing — short for QR code phishing — weaponises the very thing that made UPI feel effortless: the little square you scan without thinking. This guide explains exactly how it works, the local variants you'll actually run into, and the one unbreakable rule that defeats almost all of it.

What Quishing Actually Is

Quishing is phishing delivered through a QR code instead of a clickable link. Hidden inside that pattern of squares is a web address or a payment instruction your eyes simply cannot read. When you scan, your phone opens it — a fake bank login page, a malicious app download, or a UPI collect request dressed up as a refund.

The genius of the trick is psychological. We have been trained to scan QR codes at restaurants, parking lots and shop counters dozens of times without a second thought. The scammer borrows that reflex. By the time the screen loads, you're already half-committed.

There is a second, technical reason it spreads. A QR code is an image, so the link inside it sails straight past the spam filters that scan emails and SMS for suspicious text URLs. On a small phone screen, even when the address does appear, a lookalike domain like sbi-refund-verify.com is easy to miss.
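
For a mail or helpdesk team that already decodes QR images from reported messages, the following added example (not part of the original article) triages the decoded text: it separates a UPI payment instruction from a web link and flags lookalike hosts such as the one above. The `upi://pay` parameters `pa`, `pn` and `am` are the standard UPI deep-link fields; the allowlist, brand tokens and sample payloads are illustrative assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Illustrative allowlist and brand tokens (assumptions, not from the article).
OFFICIAL_HOSTS = {"sbi.co.in", "irctc.co.in", "amazon.in"}
BRAND_TOKENS = ("sbi", "irctc", "amazon")

# Constructed sample payloads, as a QR scanner would return them.
SAMPLES = [
    "upi://pay?pa=stranger@examplebank&pn=Refund%20Desk&am=5000&cu=INR",
    "https://sbi-refund-verify.com/login",
    "https://www.sbi.co.in/",
    "https://example.org/rewards/app.apk",
]


def triage_qr_payload(text):
    """Classify text decoded from a QR image; returns (verdict, reasons)."""
    parts = urlsplit(text.strip())
    scheme = parts.scheme.lower()
    if scheme == "upi":
        # UPI deep link: pa = payee address, pn = payee name, am = amount.
        q = parse_qs(parts.query)
        payee = q.get("pa", ["?"])[0]
        name = q.get("pn", ["?"])[0]
        amount = q.get("am", ["not fixed"])[0]
        # A payment QR can only start a payment out of the scanner's account.
        return "payment-out", [f"pays {name} <{payee}>, amount {amount}"]
    if scheme not in ("http", "https"):
        return "unsupported", [f"unexpected scheme {scheme!r}"]
    host = parts.hostname or ""
    official = any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)
    reasons = []
    if parts.path.lower().endswith(".apk"):
        reasons.append("link fetches an APK outside an app store")
    if not official:
        # Split the host on dots and hyphens to catch names like brand-refund.tld.
        labels = host.replace(".", "-").split("-")
        hits = [b for b in BRAND_TOKENS if b in labels]
        if hits:
            reasons.append(f"brand name {', '.join(hits)} on unofficial host {host}")
    if reasons:
        return "suspicious", reasons
    return ("official" if official else "unknown-site"), reasons


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage_qr_payload(sample))
```

An "unknown-site" verdict is not a clean bill of health; it only means none of these checks fired.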

The Lie at the Heart of Every QR Money Scam

Here is the fact that, once internalised, makes you nearly immune. You never scan a QR code to receive money. On UPI, scanning a payment QR can only ever start a payment out of your account. To receive money, you do nothing — the sender pushes it to your UPI ID or number.

Likewise, your UPI PIN is a send-only key. You enter it to authorise money leaving your account, never to collect it. Any message that says "enter your PIN to get the refund" is, without exception, an attempt to make you pay them.

Scammers blur this with urgency and confusion. They send a collect request — a legitimate UPI feature that asks you to approve a payment — and label it "Cashback" or "Refund ₹5,000". If you tap approve and enter your PIN, you have just sent them money while believing you received it.

The India-Specific Variants You'll Actually Meet

Quishing isn't theoretical. It has localised into a handful of recognisable cons:

  • The sticker swap. A fraudster pastes their own QR over the genuine one at a parking lot, petrol pump, EV charger, temple donation box or roadside stall. You pay; the real merchant never sees a paisa, and you've funded a stranger.
  • The marketplace buyer. On OLX, Facebook Marketplace or Quikr, a "buyer" for your sofa or bike insists on sending an advance and shares a QR "to confirm". Scanning and approving it sends your money to them.
  • The fake e-challan or bill. An SMS warns of an unpaid traffic challan or an imminent electricity disconnection, with a QR or short link to "pay now". It leads to a cloned portal that harvests your card and UPI details.
  • The fake refund desk. Posing as Amazon, IRCTC, a food-delivery app or your bank, an "agent" walks you through scanning a QR to process a return — narrating each step so you don't stop to think.
  • The KYC or reward poster. A printed QR promising a free gift, lottery, or 'KYC update' routes you to a credential-stealing page or a malicious APK you're asked to install.

The common thread: a QR arrives from someone who contacted you, attached to a reason to hurry.

Why This Is Spreading Now

India processes the largest volume of real-time digital payments on earth, and QR acceptance is everywhere — from a vegetable cart to a five-star hotel. That ubiquity is exactly what scammers exploit; the attack surface is the entire economy.

QR also lowers the criminal's effort. Printing a sticker costs almost nothing, requires no hacking skill, and can be slapped onto a public surface in seconds. Unlike a phishing email blast, it needs no infrastructure — just a busy footpath.

And because the payment rails themselves are secure, the fraud has migrated to the only reliably exploitable part of the system: human attention. You are the firewall now, and quishing is engineered to slip past you while you're distracted, rushed or hopeful about a refund.

A Five-Step Defence That Works

You don't need technical skills — just a short checklist before any scan:

  1. Treat "scan to receive" as a guaranteed scam. No legitimate refund, cashback, prize or sale payment ever requires you to scan or enter a PIN to get money.
  2. Read the next screen, not the QR. After scanning, your UPI app shows the payee's name and the amount. If it says you're paying when you expect to be paid, or the name looks unrelated, cancel immediately.
  3. Inspect physical QR codes. At counters, parking and pumps, check for a sticker pasted over another, a peeling edge, or a name that doesn't match the shop. When unsure, ask the staff to confirm the payee name on your screen.
  4. Distrust QR codes that arrive in messages. A QR or link in an SMS, WhatsApp, email or pop-up about challans, bills, KYC or deliveries is high-risk. Go to the official app or website directly instead of scanning.
  5. Never install an app from a scanned link. Genuine banks and brands never push an APK via QR. Download only from official app stores.

A useful habit: set a small daily UPI limit and keep a separate low-balance account for scan-and-pay, so a single mistake can't empty your savings.

If You've Already Been Hit

Speed decides everything. Funds can sometimes be frozen mid-transfer if you act inside the golden hour.

  • Call your bank at once and ask to freeze the account or block the UPI ID.
  • Report the fraud on the national cyber-fraud helpline 1930 or at cybercrime.gov.in, keeping screenshots, the UPI transaction ID and the scammer's number.
  • Change your UPI and banking passwords, and review recent transactions for anything else unauthorised.

Don't let embarrassment cause delay — these cons are professionally designed, and even careful, tech-savvy people fall for the well-timed ones. The faster you report, the better the odds.

The One-Line Takeaway

Quishing thrives on a single confusion: that a QR code can bring money in. It cannot. Burn that into memory — scanning and your PIN only ever send money out — and the most polished QR scam in the country loses its grip on you. The square is convenient, but convenience is exactly what the fraudster is counting on. Slow down for the two seconds it takes to read the payment screen, and you've already won.

Frequently Asked Questions

Can someone steal money just because I scanned their QR code?

Scanning a payment QR by itself only opens a payment screen to send money — it cannot pull money from you without you approving the amount and entering your UPI PIN. The danger is a QR that links to a fake website or app, or one that tricks you into authorising a payment you think is a 'receipt'.

Why is quishing harder to spot than a normal phishing link?

A QR code is just a black-and-white pattern, so you can't read the web address hidden inside it before tapping. It also slips past email spam filters that scan for bad text links, and on a phone the full URL is easy to miss.

What should I do if I already scanned a suspicious QR and entered my PIN?

Immediately call your bank, freeze the account or UPI ID, and report it on the national cyber-fraud helpline 1930 or cybercrime.gov.in within the golden hour to improve the chance of a freeze and reversal.
