DuitNow QR Scams: How Fake QR Codes Are Stealing Money at Malaysian Restaurants and Markets
Scammers are replacing legitimate DuitNow QR codes at restaurants, markets, and stalls across Malaysia. Learn how fake QR scams work and how to protect yourself when paying.
DuitNow QR has transformed how Malaysians pay. With a single scan, you can pay at restaurants, pasar malams, grocery stores, and even roadside stalls. Bank Negara Malaysia reported over 2 billion DuitNow QR transactions in 2025, cementing it as the country's preferred cashless payment method.
But scammers have found a simple, effective way to exploit this system: swapping legitimate QR codes with their own. The victim pays, the money goes to the scammer, and the merchant never receives a sen.
How the QR Swap Scam Works
The mechanics are devastatingly simple:
- A scammer visits a restaurant, market stall, or small shop.
- They place their own DuitNow QR code sticker over the merchant's legitimate QR code.
- Customers scan the fake QR, see a payment screen, and confirm the transaction.
- The money goes to the scammer's account instead of the merchant.
- The merchant only realizes the problem when reconciling payments — sometimes hours or days later.
Why Small Businesses Are the Target
Large retailers use integrated POS systems that generate dynamic QR codes for each transaction. These are nearly impossible to tamper with. But small businesses — mamak stalls, pasar malam vendors, nasi campur shops, and market traders — often use printed static QR codes displayed on laminated cards or stickers. These are easy to cover with a replacement.
Variations of the DuitNow QR Scam
The Overlay Sticker
The most common method. A new QR sticker is placed directly over the original. It is the same size, may have similar branding, and is difficult to notice unless you look closely.
The Stand Swap
Some merchants display QR codes on acrylic stands. Scammers replace the entire stand with an identical one bearing their QR code. The merchant may not notice the swap for days.
The Shared Space Scam
In food courts and hawker centres where multiple vendors share a space, scammers place additional QR codes in areas where they appear to belong to a particular stall. Confused customers scan the wrong code.
The Dynamic QR Redirect
More sophisticated scammers create QR codes that redirect to a phishing page resembling the DuitNow payment interface. Instead of triggering a legitimate bank payment, the fake page captures your banking credentials.
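Added example, not part of the original article: a check a scanner or wallet app could run on decoded QR text to tell a web link (the redirect case above) from a payment payload. It assumes the payload follows the EMVCo merchant-presented TLV layout (tag 59 merchant name, tag 63 CRC), which the article does not describe; `inspect_qr`, `make_sample` and the sample payload are constructed for illustration.

```python
from urllib.parse import urlparse

def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); tag 63 holds it over all prior text."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def parse_tlv(payload: str) -> dict:
    """Split 'TTLLvalue...' fields (2-digit tag, 2-digit length) into {tag: value}."""
    fields, i = {}, 0
    while i < len(payload):
        tag, length = payload[i:i + 2], payload[i + 2:i + 4]
        if len(length) != 2 or not length.isdigit():
            raise ValueError(f"bad length at offset {i}")
        end = i + 4 + int(length)
        if end > len(payload):
            raise ValueError(f"field {tag} overruns the payload")
        fields[tag] = payload[i + 4:end]
        i = end
    return fields

def inspect_qr(text: str) -> dict:
    """Classify decoded QR text before anything is opened or paid."""
    text = text.strip()
    url = urlparse(text)
    if url.scheme in ("http", "https"):
        # A payment QR hands data to the banking app; it never needs a browser.
        return {"kind": "url", "host": url.hostname}
    try:
        f = parse_tlv(text)
    except ValueError as exc:
        return {"kind": "unknown", "reason": str(exc)}
    crc = f.get("63", "")
    if f.get("00") != "01" or len(crc) != 4 or not text.endswith("6304" + crc):
        return {"kind": "unknown", "reason": "no format indicator or trailing CRC"}
    crc_ok = f"{crc16_ccitt(text[:-4].encode()):04X}" == crc.upper()
    mode = {"11": "static", "12": "dynamic"}.get(f.get("01"), "unspecified")
    return {"kind": "payment", "crc_ok": crc_ok, "mode": mode, "merchant_name": f.get("59")}

def make_sample(name: str = "RESTORAN ALI NASI KANDAR") -> str:
    """Constructed, abbreviated payload (no merchant account field) for the demo."""
    parts = [("00", "01"), ("01", "11"), ("52", "5812"), ("53", "458"),
             ("58", "MY"), ("59", name), ("60", "KUALA LUMPUR")]
    body = "".join(f"{t}{len(v):02d}{v}" for t, v in parts) + "6304"
    return body + f"{crc16_ccitt(body.encode()):04X}"
```

A passing CRC only shows the payload is well formed; a replacement sticker carries a valid payload too, so comparing `merchant_name` with the shop in front of you remains the deciding check.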
How to Protect Yourself as a Customer
Before Scanning
| Check | What to Look For |
|---|---|
| QR code condition | Is it a sticker placed on top of another? Are there edges or bumps? |
| Merchant name | Does the name shown match the business you are paying? |
| Surroundings | Is the QR code in a secure spot or somewhere easily accessible to anyone? |
| Multiple QR codes | Are there competing QR codes that could confuse customers? |
During Payment
- Always verify the recipient name that appears on your banking app before confirming. If the restaurant is "Restoran Ali Nasi Kandar" but the DuitNow recipient shows "Ahmad bin X" (a personal name), something is wrong.
- Check the amount — if the merchant uses a static QR, you enter the amount yourself. A dynamic QR may have a pre-set amount. Either way, verify before confirming.
- Show the payment confirmation to the merchant — do not just walk away after paying. Let the merchant verify they received the notification.
After Payment
- Save the transaction reference. Your banking app records every DuitNow transaction with a reference number.
- If the merchant says they did not receive payment, do not pay again immediately. Check with your bank first.
How Merchants Can Protect Themselves
If you run a small business in Malaysia, take these steps:
Secure Your QR Code
- Laminate your QR code and attach it in a location you can monitor.
- Check your QR code daily — look for overlays or tampering.
- Use a QR stand with a protective cover that makes it harder to swap.
- Consider using dynamic QR codes generated by your POS system for each transaction.
Verify Payments in Real Time
- Enable instant notifications on your business banking app.
- Always check that you receive a payment notification before confirming the transaction to the customer.
- Reconcile payments at the end of each day — gaps between sales records and received payments may indicate QR tampering.
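Added example, not part of the original article: one way to run the end-of-day reconciliation described above and to tell an isolated gap from the pattern a replaced QR code leaves, where every QR sale after some point has no matching credit. The record layout (`id`, `time`, `amount_sen`), the function names and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

def reconcile(sales, credits, window=timedelta(minutes=5)):
    """Return QR sales with no bank credit of the same amount within `window`."""
    unused = sorted(credits, key=lambda c: c["time"])
    unmatched = []
    for sale in sorted(sales, key=lambda s: s["time"]):
        hit = next((c for c in unused
                    if c["amount_sen"] == sale["amount_sen"]
                    and abs(c["time"] - sale["time"]) <= window), None)
        if hit is None:
            unmatched.append(sale)
        else:
            unused.remove(hit)  # each credit can settle only one sale
    return unmatched

def suspected_swap_start(sales, unmatched, min_run=3):
    """If the latest `min_run` or more QR sales in a row are all unpaid, return the
    time of the first of them (earliest likely tampering); otherwise None."""
    missing = {s["id"] for s in unmatched}
    run = []
    for sale in sorted(sales, key=lambda s: s["time"], reverse=True):
        if sale["id"] not in missing:
            break
        run.append(sale)
    return run[-1]["time"] if len(run) >= min_run else None

def at(hhmm):  # helper for the constructed sample data
    return datetime.strptime("2025-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample: till records of QR sales and bank-app credit notifications.
SALES = [
    {"id": 1, "time": at("12:02"), "amount_sen": 1250},
    {"id": 2, "time": at("12:10"), "amount_sen": 800},
    {"id": 3, "time": at("12:31"), "amount_sen": 1500},
    {"id": 4, "time": at("13:05"), "amount_sen": 950},
    {"id": 5, "time": at("13:12"), "amount_sen": 1250},
    {"id": 6, "time": at("13:20"), "amount_sen": 700},
]
CREDITS = [
    {"time": at("12:03"), "amount_sen": 1250},
    {"time": at("12:10"), "amount_sen": 800},
    {"time": at("12:32"), "amount_sen": 1500},
]
```

With this sample, sales 4 to 6 have no credit and `suspected_swap_start` returns 13:05, the time from which the displayed code should be inspected and customers' receipts checked for the recipient name.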
Report Suspicious Activity
- If you discover a tampered QR code, do not remove it yourself — take photos first and report to the police.
- Notify your bank about the fraudulent account receiving payments.
- Alert neighbouring merchants — if your QR was targeted, others may be affected too.
DuitNow QR vs Other Payment Methods: Security Comparison
| Method | Risk Level | Notes |
|---|---|---|
| DuitNow QR (dynamic) | Low | Amount pre-set, harder to tamper |
| DuitNow QR (static) | Medium | Relies on customer verifying recipient name |
| Cash | Medium | Counterfeit risk, no audit trail |
| Credit/debit card | Low | Chip + PIN authentication |
| Touch 'n Go eWallet QR | Medium | Similar static QR risks as DuitNow |
What Banks and BNM Are Doing
Bank Negara Malaysia and participating banks have implemented several countermeasures:
- Recipient name display — all DuitNow QR payments now show the registered name before confirmation.
- Transaction limits — daily and per-transaction limits help cap potential losses.
- Real-time fraud monitoring — banks flag unusual patterns in DuitNow transactions.
- Merchant verification — registered DuitNow merchants undergo verification that links their QR to their business entity.
However, these measures cannot fully prevent the fundamental vulnerability of static QR codes being physically replaced.
Sharing Payment Information Securely
For businesses that need to share their DuitNow QR or payment details with customers or partners — for deposits, advance payments, or event registrations — sending QR images through WhatsApp groups or social media is risky. Anyone can screenshot and redistribute or modify the QR.
LOCK.PUB offers a more secure approach. Share your payment details through a password-protected link that you control. You can set it to expire after a certain period, ensuring the payment information is only available when you want it to be.
What to Do If You Have Been Scammed
- Contact your bank immediately — request a transaction reversal. Time is critical, as the scammer may withdraw the funds quickly.
- Take a photo of the QR code at the location before it is removed.
- File a police report — provide the transaction reference, amount, and location.
- Report to Bank Negara through BNMTELELINK at 1-300-88-5465.
- Notify the merchant so they can secure their QR code and alert other customers.
Stay Vigilant
DuitNow QR has made cashless payments accessible to even the smallest businesses in Malaysia. That is a good thing. But the convenience of "scan and pay" requires a few seconds of verification. Before you confirm any QR payment, check the recipient name. It takes three seconds and could save you from losing your money.
Protect your payment details and sensitive business information. Create secure, expiring links at LOCK.PUB.