Cyberkiz
HIGH THREAT

QR Code Payment Scam — Fake DuitNow & Touch 'n Go QR Codes

phishing · Updated 22 Jun 2026

As QR code payments become the default at hawker stalls, restaurants, and retail shops across Malaysia, scammers have found ways to exploit this convenience. Fake QR codes are placed over legitimate ones, redirecting payments to scammer-controlled accounts. DuitNow QR and Touch 'n Go eWallet are the most commonly targeted systems.

The simplicity that makes QR payments convenient — just scan and pay — is exactly what makes them vulnerable. Most people never verify the recipient name before confirming a transaction.

The most common method is physical tampering. Scammers print their own QR code stickers and place them over the merchant's legitimate QR code at food courts, parking meters, or shop counters. When a customer scans and pays, the money goes to the scammer instead of the merchant.

A second method involves sending fake invoices or payment requests via WhatsApp or email that include a QR code. Scanning the code initiates a payment to the scammer's account.

A third variant targets online marketplaces. Sellers provide QR codes for "direct payment at a discount" to bypass platform protections, then disappear after receiving payment.

How do I know if a QR code has been tampered with?

Look for stickers placed over the original QR code, uneven edges, or differences in printing quality. Always verify the recipient name on your screen matches the merchant before paying.

Can I get my money back from a QR code scam?

Contact your e-wallet provider or bank immediately. DuitNow and Touch 'n Go have dispute processes, but recovery depends on how quickly you report the fraud.

Red Flags

  • QR code sticker placed over another — look for edges, bubbles, or signs of tampering on physical QR codes
  • Recipient name does not match the merchant — always check the name displayed after scanning before confirming payment
  • QR codes sent via messaging apps — be cautious of QR codes in WhatsApp or email from unknown senders
  • "Discount for direct payment" — sellers asking you to bypass e-commerce platform payment systems
  • QR codes in public spaces — unattended posters or flyers with QR codes for "free WiFi" or "lucky draws"

🛡 How to Protect Yourself

  1. Always verify the recipient name displayed on your screen before confirming any QR payment
  2. If you notice a tampered QR code sticker, alert the merchant immediately
  3. For online purchases, only pay through the platform's official payment system
  4. If you paid a scammer, contact your e-wallet provider immediately to dispute the transaction

📞 How to Report

  1. Call 997 (National Scam Response Centre) for assistance
  2. Lodge a police report at your nearest station
