Fake QRIS QR Code Scams in Indonesia: How to Spot and Avoid Them
Learn how scammers replace legitimate QRIS codes with fake ones at restaurants, parking lots, and donation boxes in Indonesia, and how to verify before you scan.
Fake QRIS QR Code Scams in Indonesia: How to Spot and Avoid Them
QRIS (Quick Response Code Indonesian Standard) has transformed how Indonesians pay for everything — from nasi goreng at a street stall to parking at a mall. Developed by Bank Indonesia, QRIS provides a unified QR payment system that works across GoPay, OVO, DANA, ShopeePay, LinkAja, and bank mobile apps.
But the simplicity that makes QRIS convenient also makes it exploitable. Scammers have found a devastatingly simple method: replace the legitimate QR code with their own. When you scan and pay, the money goes directly to the fraudster instead of the merchant.
How Fake QRIS Scams Work
The Overlay Method
The most common technique is physically placing a fake QR code sticker over the legitimate one. This happens at:
- Restaurants and cafes — A sticker placed over the payment standee
- Parking lots — Fake QR codes on parking meters or payment signs
- Donation boxes at mosques — Fraudsters target religious charity collections
- Street vendors — Replacing the QR code during busy hours
- Vending machines — Stickers placed over the original payment QR
The scammer prints a QRIS code linked to their own merchant account (often registered under a fake business name) and sticks it over the real one. The visual difference is nearly impossible to detect at a glance.
The Digital Method
In online transactions, scammers send a QRIS image via WhatsApp or social media, claiming it is the payment code for a product or service. The buyer scans and pays, but the QRIS belongs to the scammer.
The Swap-and-Return Method
A more sophisticated version involves the scammer visiting a business, discreetly swapping the QRIS standee, collecting payments for a few days, and then the fraud is only discovered when the legitimate merchant notices missing revenue.
Real-World Cases in Indonesia
Fake QRIS scams have been reported across the country:
| Location Type | Method | Impact |
|---|---|---|
| Mosques (nationwide) | Sticker overlays on donation boxes | Charity funds diverted to scammers |
| Jakarta restaurants | QR standee swaps during peak hours | Days of revenue lost by merchants |
| Mall parking | Fake QR on parking payment signs | Individual losses of Rp 50,000-100,000 |
| Online sellers | Fake QRIS sent via WhatsApp | Product payments stolen |
| Public events | Temporary QR codes for food stalls replaced | Vendors lose full-day revenue |
How to Verify a QRIS Code Before Paying
Follow this verification checklist every time you scan a QRIS code:
Step 1: Check the Physical QR Code
- Look for sticker overlays — Feel the surface. Is there a sticker on top of another sticker?
- Check the edges — Is the QR code cleanly printed or does it look like a pasted-on addition?
- Compare with nearby codes — If the venue has multiple QR codes, do they all look consistent?
Step 2: Verify the Merchant Name
This is the most important step. After scanning, your payment app will display the merchant name before you confirm the payment.
| What You Should See | Red Flag |
|---|---|
| Business name matching the actual store | Generic name like "Toko Online" or "Payment Gateway" |
| Merchant name displayed clearly | Name that does not match the establishment |
| Consistent with signage at the location | Personal name instead of business name |
Always read the merchant name before confirming payment. If you are at "Warung Makan Sari Rasa" but the payment screen shows "Toko Berkah Jaya," do not proceed.
Step 3: Confirm the Amount
- Verify the payment amount matches the bill
- Be suspicious if the QR code has a pre-set amount that differs from your purchase
Step 4: Ask the Merchant
When in doubt, ask the staff to confirm the merchant name that should appear when you scan their QRIS code. Legitimate businesses will know this.
A Quick Verification Checklist
| Check | Action | Pass/Fail |
|---|---|---|
| Physical inspection | No sticker overlay or tampering visible | Must pass |
| Merchant name | Matches the actual business name | Must pass |
| Payment amount | Matches your bill | Must pass |
| QR code quality | Clearly printed, not a pasted label | Should pass |
| Staff confirmation | Staff can verify the merchant name | Recommended |
What Merchants Should Do
If you run a business that accepts QRIS payments, protect yourself and your customers:
- Laminate your QRIS code — This makes it harder for scammers to place stickers over it
- Check your QR code daily — Physically inspect it before opening for business
- Mount it securely — Use a frame or mount that is difficult to tamper with
- Monitor your transaction records — If you notice a drop in QRIS payments while foot traffic remains steady, check for tampering
- Display the merchant name visibly — Tell customers what name they should see when scanning
- Use dynamic QR codes — Some payment providers offer dynamically generated codes for each transaction, which cannot be overlaid
Sharing QRIS Codes Securely
Merchants who need to share their QRIS code with remote customers or delivery partners face a challenge: once you send a QR code image via WhatsApp or social media, it can be saved, modified, and redistributed.
LOCK.PUB offers a secure alternative. You can share your QRIS code through a password-protected link that you share only with intended recipients. This prevents your payment QR from being intercepted, modified, or misused. The link can be set to expire after a certain period, reducing the window for potential tampering.
What to Do If You Paid a Fake QRIS
- Screenshot everything — Capture the payment confirmation, including the merchant name and transaction ID
- Contact your payment app — Report the fraudulent transaction through GoPay, OVO, DANA, or your bank app
- Alert the establishment — The legitimate merchant needs to know their QRIS has been compromised
- File a police report — Bring your transaction evidence to the nearest Polsek
- Report to Bank Indonesia — Contact BI at 131 or through bi.go.id
The Bigger Picture
QRIS is a remarkable achievement in financial inclusion — it has brought millions of Indonesian small businesses into the digital payment ecosystem. The solution to fake QRIS scams is not to avoid QR payments but to develop the habit of verification.
That 3-second check of the merchant name before confirming payment is the most effective defense available. Combined with physical awareness of tampered QR codes and tools like LOCK.PUB for sharing payment information securely, you can continue enjoying the convenience of QRIS with confidence.
Scan smart. Verify always. Pay safely.
Keywords
You might also like
Mobile Payment Fraud Prevention — Keep Apple Pay & Google Pay Safe
Mobile payment fraud is rising fast. Learn how to protect your Apple Pay, Google Pay, and Venmo accounts from unauthorized charges, phishing, and account takeovers.
Side Hustle Scams — How Fake Job Offers on Social Media Steal Your Money
Social media is flooded with fake side hustle offers promising easy money. Learn how these scams work, the warning signs, and how to protect yourself.
Boleto Fraud in Brazil: How to Spot Fake Boletos Before You Pay
Learn how scammers create fake boletos in Brazil and how to verify legitimate payment slips. Complete checklist to protect yourself from boleto bancario fraud.
Create your password-protected link now
Create password-protected links, secret memos, and encrypted chats for free.
Get Started Free