Digital payment scams using fake QR codes are very likely to remain widespread in cities and towns across India this year
This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 29 January 2025.
- Such scams are becoming increasingly prevalent, according to recent local media reports and anecdotal evidence
- We have seen no signs that criminals are specifically targeting locations frequented by foreigners; most incidents seem to be opportunistic
Digital payment scams featuring the use of fake QR codes are likely to be common in India in 2025. Such incidents involve criminals using spurious QR codes to redirect users to fraudulent payment gateways or websites. This is to facilitate theft, harvest credentials or gain access to the user’s phone. A usually reliable local media outlet has recently reported a rise in such incidents since 2022. While firms and travellers to India will probably encounter such scams, criminals do not seem to be specifically targeting places frequently attended by foreigners such as airports and hotels.
Cybercriminals globally have also reportedly incorporated the tactic in phishing campaigns against corporate firms. And while there is no official data on such cases in India, we assess that firms operating there are also at risk of being affected. Law enforcement will probably struggle to contain such incidents as small, seemingly independent, criminal gangs appear to be behind this. And such scams also seem to be relatively easy to conduct, especially due to the widespread adoption of digital payment mechanisms in India.
Scams involving fake QR codes increasingly prevalent
The incidence of digital payment scams involving fake QR codes appears to be rising in India. There is no recent comprehensive official data on the issue. But a usually credible local media outlet recently reported that the number of such scams has doubled between 2023-2024 to 40,000 compared with the same period a year prior. It cited a parliamentary reply behind this data. India-based security practitioners also highlighted to us the rising frequency of such scams throughout 2024.
The authorities also appear to be concerned about the issue. Both federal and various state authorities have repeatedly warned of QR code scams over the last year through public advisories. Most recently, the Uttar Pradesh (UP) police on 5 January issued an advisory for a large religious gathering in the state. Scammers have previously used such events to target people, notably during the consecration of a Hindu temple in Ayodhya, UP, last year.
Criminals generally use the following approaches, based on local media reporting and statements by the local authorities:
- Replace QR codes at commercial establishments or public places (such as parking lots) with fake ones
- Deliver fake missed delivery slips including fake QR codes. When the recipients access the code to find out more about the package, they are redirected to fraudulent websites requesting payment
- Pose as e-commerce vendors and send payment links containing fake QR codes for purchases, usually on WhatsApp or Instagram
- Pose as buyers on online marketplaces – such as OLX – and sending fake QR codes to sellers of used goods
- Use of fake QR codes for ‘cash on delivery’ payments by criminals employed by legitimate businesses (such as food and laundry delivery services)
These are in no particular order.
No signs of foreigners being specifically targeted
Most scams involving fake QR codes tend to be opportunistic and indiscriminate. Local media reports indicate such incidents are rife in major cities such as Mumbai and Bengaluru as well as smaller ones like Lucknow. But there does not seem to be a geographic pattern to such scams, based on our analysis of open-source monitoring. And we have seen no signs that criminals are specifically placing fake QR codes in places often frequented by foreigners such as airports or international hotels.
Still, business travellers in Indian cities such as New Delhi will likely be exposed to fake QR codes when trying to pay for items at local marketplaces. There have been hundreds of cases in cities such as Hyderabad in the last two years, where scammers have stuck fake QR codes over real ones. Earlier this month, scammers targeted a dozen shops in this manner in Khajuraho, Madhya Pradesh state, a popular destination for foreign tourists. But there are no signs that scammers have been able to manipulate QR codes in restricted areas such as international airports.
Businesses operating in India at risk of being targeted
Cybercriminals will probably target corporations in India by using fake QR codes in phishing campaigns over the coming year. There is no official data on this type of case in India. But cybercriminals globally seem to increasingly target businesses and executives with these scams; a UK-based news outlet reported last year that executives globally faced 42 times more QR code phishing attacks in 2023 than other employees. The report cited data from a prominent cybersecurity firm, adding that the energy and retail sectors appear to be particularly affected.
Cybercriminals seem to be developing new tactics to make QR code scams more believable and able to avoid detection. For example, they embed fake QR codes in multi-factor authentication requests, according to recent research by an Israel-based cybersecurity company. Other common tactics include conditional routing, where the malicious link adapts by customising itself to the operating system, device, and company in question. This makes it easier for the attack to bypass security checks and more likely to succeed.
Proliferation of scams likely to continue unchecked
Phishing scams involving QR codes will very likely remain common in India in the coming year. That the perpetrators operate as part of disparate small gangs will probably make it difficult for the police to identify them. And widespread proliferation of digital payment mechanisms across India also creates opportunities for criminals making it relatively easy to deploy malicious QR codes.
We assess that the authorities’ measures against scammers will probably prove to be insufficient. Financial institutions have introduced several initiatives to limit the impact of QR code scams over the last three years, including daily transaction limits and fraud reporting mechanisms. But aside from efforts to limit losses, there is little by way of deterrence. And the use of digital payments seems to be outpacing awareness of digital security among the populace, based on assessments by cybersecurity providers and government officials.
Image: In this picture taken on 15 December 2021, shoppers stand in front of a store where QR codes for Paytm (C), an Indian cellphone-based digital payment platform, are displayed in Mumbai. Photo by Punit Paranjpe/AFP via Getty Images.