Nepal Rastra Bank Urges Public to Practice Caution in Digital Payments
24th October 2025, Kathmandu
The rapid rise of Quick Response (QR) code payments has been a revolutionary leap for Nepal’s digital economy, offering unparalleled convenience for transactions from the largest supermarket to the smallest tea stall.
Practising Caution in Digital Payments
However, this growth has also introduced a new frontier for fraudsters, giving rise to sophisticated scams that exploit the user’s trust in a simple scan.
In response, the nation’s central bank, Nepal Rastra Bank (NRB), has issued a critical public notice as part of its financial awareness drive for October 2025. The core message is a direct and definitive instruction: Do not scan an unknown QR code, especially when you are expecting to receive money. This campaign, summarized by the mantra, “Be vigilant, stay safe, secure digital transactions”, is a call to action for every digital user in Nepal to become an active guardian of their own financial security.
Unmasking the “Quishing” Threat: The Mechanism of QR Scams
The term “Quishing,” a blend of “QR” and “phishing,” describes the deceptive practice of using malicious QR codes to trick users. Scammers manipulate the convenience of QR technology to bypass traditional security measures.
The Misleading Scammer Tactic: Why the NRB Warning is Critical
The most effective QR code scam works by exploiting a fundamental misunderstanding of the payment process, specifically the difference between sending and receiving money.
The Fraudulent Request: A scammer, often impersonating a customer or a well-known entity, contacts a victim (e.g., a merchant or a user selling an item) and claims they need to send a payment.
The Deceptive Instruction: The scammer then sends the victim a QR code that, unbeknownst to the victim, was generated for sending money (a debit from the scanner's account), not for receiving it. The scammer might claim the victim needs to “scan the code to approve the receipt of funds,” “verify their account,” or “receive a refund.”
The Theft: When the victim scans the malicious QR code and enters their PIN or password, they are not receiving money; they are authorizing a transfer of funds out of their account and into the scammer’s account. The scammer uses social engineering to create a false sense of urgency and trust, making the victim overlook the final confirmation screen, which clearly shows the amount being debited.
The Two Golden Rules for QR Code Security
NRB’s advice simplifies digital safety into two golden, non-negotiable rules:
Scan Only to Send (Pay): You should only scan a QR code when you are the payer and are sending money to a merchant or another person. The QR code should be displayed by the recipient.
Generate to Receive: If you are the recipient (the one getting paid), you should never scan a QR code. Instead, you must generate your own static or dynamic QR code from your payment application and share that with the payer.
Beyond the Scan: Comprehensive Digital Payment Safety Strategies
While the QR code warning is paramount, NRB’s campaign encompasses broader digital payment security, urging vigilance against all forms of online fraud, including a secondary QR threat where malicious codes are physically pasted over legitimate ones in public places.
1. Adopt a “Never Share” Policy
The human element is the weakest link in any security system. No bank, financial institution, or payment service provider will ever ask for your full security credentials via any communication channel.
Action: Never share your PIN, OTP (One-Time Password), full Card Number, or Mobile Banking Password with anyone, under any circumstances. If you receive a call or message asking for this information, it is a scam.
2. Practice Source Verification for QR Codes
Before scanning any code, apply a simple three-step verification process to prevent falling victim to physical tampering or deceptive digital codes.
Examine the Code: If the QR code is printed, look for signs of tampering, stickers, or overlays placed over the original code.
Verify the Merchant: After scanning (and before confirming the payment), the final transaction screen on your mobile app must display the correct merchant name and the exact amount you intend to pay. If the name is generic or the amount is zero/incorrect, cancel the transaction.
Use Trusted Apps: Only use official, updated mobile banking apps or Payment Service Provider (PSP) apps downloaded directly from the official Google Play Store or Apple App Store.
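The “Verify the Merchant” step and the two golden rules can be expressed as a pre-confirmation check a payment app could run before asking for a PIN. The code below is an added example, not NRB's or any PSP's code; it assumes an EMVCo-style merchant-presented QR layout (two-digit tag, two-digit length, value; tag 01 for static/dynamic, 54 for amount, 59 for merchant name), which the notice does not specify, and the sample payloads are constructed.

```python
# Added example: apply the NRB pre-confirmation rules to a merchant-presented QR
# payload. Assumes an EMVCo-style tag-length-value layout (an assumption, not
# stated in the NRB notice): tag 01 = 11 static / 12 dynamic, 54 = amount,
# 59 = merchant name. A static code carries no amount; the payer types it.

def parse_tlv(payload: str) -> dict:
    """Split a tag-length-value string into {tag: value}; raise on truncation."""
    fields, i = {}, 0
    while i < len(payload):
        tag, length = payload[i:i + 2], int(payload[i + 2:i + 4])
        value = payload[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"truncated field {tag}")
        fields[tag] = value
        i += 4 + length
    return fields

# Names that should never pass as a real payee on the confirmation screen.
GENERIC_NAMES = {"", "merchant", "user", "customer", "refund", "verify account"}

def check_before_confirm(payload: str, expected_amount: str,
                         user_expects_to_receive: bool) -> tuple[bool, str]:
    """Return (ok, reason) for the final confirmation screen."""
    if user_expects_to_receive:
        # Golden rule 2: the recipient generates a code, never scans one.
        return False, "you are the recipient: generate your own code, do not scan"
    fields = parse_tlv(payload)
    name = fields.get("59", "").strip()
    if name.lower() in GENERIC_NAMES:
        return False, "merchant name missing or generic"
    kind = {"11": "static", "12": "dynamic"}.get(fields.get("01", ""), "unknown")
    # Static codes carry no amount, so the app shows what the payer typed.
    amount = fields.get("54", expected_amount)
    try:
        if float(amount) <= 0:
            return False, "amount is zero"
    except ValueError:
        return False, "amount is not a number"
    if amount != expected_amount:
        return False, f"amount {amount} differs from expected {expected_amount}"
    return True, f"{kind} code: pay {amount} to {name}"

def tlv(tag: str, value: str) -> str:
    """Build one tag-length-value field for the constructed sample payloads."""
    return f"{tag}{len(value):02d}{value}"

# Constructed sample payloads (not real merchant codes).
DYNAMIC_OK = tlv("00", "01") + tlv("01", "12") + tlv("54", "250.00") + tlv("59", "Himalayan Tea Stall")
STATIC_OK = tlv("00", "01") + tlv("01", "11") + tlv("59", "Himalayan Tea Stall")
ZERO_AMOUNT = tlv("00", "01") + tlv("01", "12") + tlv("54", "0.00") + tlv("59", "Himalayan Tea Stall")
GENERIC_NAME = tlv("00", "01") + tlv("01", "12") + tlv("54", "250.00") + tlv("59", "Refund")
```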
3. Monitor Your Accounts Religiously
Proactive monitoring is the best defense against unauthorized transactions.
Action: Enable SMS or in-app notifications for every single transaction. Review your account statements regularly. If you spot any suspicious or unauthorized transaction, contact your bank or PSP immediately to freeze the account and report the fraud.
4. Maintain a Secure Digital Environment
The security of your device is the foundation of digital payment safety.
Action: Use a strong, unique password or biometric authentication to lock your smartphone. Keep your mobile banking application and operating system (OS) updated to ensure all known security vulnerabilities are patched. Avoid performing sensitive financial transactions on public Wi-Fi networks, as they are often unsecured.
By internalizing and practicing these fundamental principles, especially the difference between scanning to send and generating to receive, Nepali citizens can collectively strengthen the digital payment ecosystem, making it safer for all and fulfilling NRB’s vision of a secure and vigilant digital future for the nation. The responsibility rests with every individual user: Be vigilant, stay safe.
For More: Practising Caution in Digital Payments