Here is a scenario that plays out thousands of times every day across India.
Someone gets a call from a person claiming to be from their bank. The caller knows their name, their bank name, sometimes even their account number. They say there is a suspicious transaction and they need to verify the account urgently. They ask for an OTP or request the victim to enter their UPI PIN to “confirm” their identity. The call sounds professional. The urgency feels real. And within 60 seconds, money is gone.
This is not a story about technology failing. It is a story about human psychology being exploited — and it happens to people who consider themselves tech-savvy, educated, and careful. UPI fraud has surged in India with over 13.4 lakh cases reported in the 2023-24 financial year alone, leading to losses exceeding ₹1,087 crore. The numbers have only grown since.
In March 2026, UPI handled more than 22.6 billion transactions worth ₹29.52 lakh crore across India. With such massive usage, scammers often rely less on hacking and more on panic, trust, and human mistakes to steal money within seconds.
Understanding how these frauds work — in specific, practical detail — is your most powerful defence. This guide covers every major UPI scam method currently active in India, what each one looks like in real life, and exactly what to do to protect yourself and what to do if something goes wrong.
Note: Save and share this post — especially with parents and senior family members who use UPI daily.
Why UPI Fraud Is Different from Other Cybercrime
Most people think of cybercrime as hackers sitting in dark rooms breaking through bank security systems. That is largely fiction. Real UPI fraud in India in 2026 is far simpler and far more effective — and that is precisely why it keeps working.
UPI fraud does not require hackers to breach bank systems. Most frauds arise from social engineering and user mistakes.
Social engineering means manipulating a person into doing something against their own interest — sharing information they should not, approving a transaction they did not intend, installing software that compromises their device. The attacker exploits trust, urgency, fear, or greed. No technical sophistication required.
The UPI system itself is genuinely secure. NPCI and the RBI have built robust protections into the infrastructure. The weak point is almost never the technology — it is the person using it under pressure. Which means the most important security upgrade you can make is not a new app or a new password. It is understanding exactly how these scams work so that when you encounter one, you recognise it before you react to it.
The Most Common UPI Scams in India Right Now
1. The “Enter PIN to Receive Money” Trick
This is the most common UPI scam. The fraudster claims to be sending money and asks you to approve or enter PIN to receive it. In reality, you are authorising a payment, not receiving one.
This works because it exploits a misunderstanding about how UPI works. Many people do not know that you never need to enter your UPI PIN to receive money. The PIN is only ever required to send money from your account. Entering your PIN when someone asks you to “receive” money means you are actually sending them money.
Scammers use this against OLX sellers, people listing items on Facebook Marketplace, and anyone receiving money from an unknown person. They say “I am sending ₹5,000 for the item — please approve the request.” You enter your PIN. ₹5,000 leaves your account.
2. Fake Customer Care Numbers
Fraudsters create fake customer support numbers found in Google search results, WhatsApp, or social media pages.
When someone has a problem with a UPI app or their bank and searches Google for the customer care number, they sometimes find fake numbers placed there by scammers through paid ads or fake business listings. The person calls, believes they are talking to official support, and is walked through steps that ultimately result in them sharing their OTP, PIN, or installing a remote access app on their phone.
The lesson here is simple and worth repeating — never search Google for a customer care number. Always get the helpline number from the official app or the back of your bank card.
3. Screen Sharing and Remote Access Scams
This one is particularly dangerous because it gives the fraudster complete control of your phone. The caller — posing as bank support or a government official — asks you to install an app like AnyDesk, TeamViewer, or Quick Support so they can “fix your account issue.” Once installed and access is granted, they can see everything on your screen including OTPs arriving via SMS, and can operate your phone remotely.
Do not install or use AnyDesk or similar screen sharing apps when asked by someone claiming to be from your bank or any official service. No legitimate bank or government official will ever ask you to install a screen sharing app.
4. Fake UPI Links and Phishing
Fraudsters send links that claim to update your UPI app, install bank security apps, or warn about KYC pending urgently. These links lead to fake websites that look identical to your bank’s real website. You enter your login credentials, and the fraudster captures them instantly.
These links arrive by SMS, WhatsApp, and email. They often use shortened URLs that hide the actual destination. The message creates urgency — “Your account will be blocked in 24 hours if you do not complete KYC” — to push you into clicking without thinking.
5. QR Code Scams
Fraudsters either send a QR code or a request to accept payment on the pretext of purchasing an item listed by the victim. They may even be willing to pay without checking the item. Fraudsters in many cases send a small amount to victims first to gain their trust.
This scam targets people selling items online. The buyer sends a small amount first to establish trust, then sends a QR code and says “scan this to receive the full payment.” Scanning that QR code initiates a payment from your account to theirs, not the other way around.
The rule is straightforward — scanning a QR code always means you are paying, not receiving. You cannot receive money by scanning a QR code.
6. Digital Arrest Scams
Fraudsters pose as law enforcement officers via phone or video calls, claiming the victim is under digital arrest for money laundering or other crimes and demand payment to resolve the case.
This is one of the most psychologically aggressive scams active in India in 2026 and has claimed victims including educated, senior professionals. The caller is convincing, often has your name and some personal details, uses official-sounding language, and creates extreme panic. No such thing as a “digital arrest” exists in Indian law. Any call claiming you are under digital arrest is fraud, full stop.
7. SIM Swap Fraud
Cybercriminals can fraudulently obtain a victim’s SIM card to intercept OTPs and gain unauthorized access to their UPI account.
This is a more sophisticated attack. The fraudster collects your personal information — name, address, Aadhaar details — through various means, then contacts your mobile operator posing as you and requests a SIM replacement. Once they have a SIM with your number, every OTP sent to your phone goes to them instead. You typically notice when your SIM suddenly stops working — at which point the fraud may already be in progress.
The One Thing Every UPI User Must Understand
Before the protection tips — this single rule eliminates the majority of UPI fraud risk:
You never need to enter your UPI PIN to receive money. Ever.
Your PIN is only required when you are sending money or making a payment. If anyone asks you to enter your PIN for any reason connected to receiving money, it is fraud. If anyone asks you to approve a “collect request” to receive money, do not approve it — a collect request takes money from your account.
You never need a PIN to receive money. A PIN request means money may leave your account.
Read that once more and share it with every family member who uses UPI. This one understanding alone prevents the single most common UPI scam in India.
12 Practical Steps to Protect Your UPI Account
1. Never Share Your UPI PIN or OTP With Anyone
Never share your OTP, UPI PIN, card CVV, password, or Aadhaar details with anyone — not even if the caller claims to be from your bank or police. No legitimate bank employee, no government official, no customer support agent will ever ask for your PIN or OTP over a call. Not once. Not ever. If they do, the call is fraudulent — hang up immediately.
2. Always Verify the Recipient Before Paying
Always verify the recipient’s name and number carefully before approving any UPI payment. Most UPI apps show the registered name of the recipient after you enter their UPI ID or phone number. Verify this name matches who you intend to pay before entering your PIN. A wrong digit in a UPI ID can send money to a completely different person.
3. Never Install Apps From Links in Messages
Always download banking and payment apps from official app stores like Google Play Store or Apple App Store. Do not use links in messages or from other websites. Any link asking you to download a banking app or UPI app outside the official stores leads to a compromised application. Official banks and NPCI never send app download links via SMS or WhatsApp.
4. Check Actual Bank Records — Not Screenshots or Sounds
Always check the payment inside your bank app. Do not trust screenshots, SMS, or sound alerts alone. A fraudster can show you a fake screenshot of a payment made. They can play a fake “payment received” sound. The only reliable confirmation of a received payment is checking your actual bank account or UPI app transaction history directly.
5. Set a UPI Transaction Limit
Most UPI apps and banks allow you to set a daily transaction limit lower than the maximum. Setting this to an amount that matches your typical daily usage — say ₹5,000 to ₹10,000 — means even if someone gains access to your account, the maximum damage is limited. Set transaction limits to minimise potential losses in case of fraud.
6. Enable Biometric Authentication
Set up a strong password or PIN to lock your mobile device and use biometric authentication if available. Enable fingerprint or face unlock for your UPI apps wherever the option exists. This adds a layer of protection that cannot be stolen over a phone call — unlike a PIN.
7. Never Use Public Wi-Fi for UPI Transactions
Public networks are vulnerable to hacking. Use a secure internet connection for UPI payments. A coffee shop Wi-Fi, a mall hotspot, or any public network can be set up by someone specifically to intercept data from connected devices. Use your mobile data — not public Wi-Fi — whenever making any financial transaction.
8. Keep Your UPI Apps Updated
App updates contain security patches that fix vulnerabilities discovered since the last version. An outdated UPI app may have known security weaknesses that attackers exploit. Keep your UPI app updated to benefit from the latest security features. Enable automatic updates for your payment apps specifically.
9. Get Customer Care Numbers From Official Sources Only
Never search for bank helpline numbers on Google. The number on the back of your debit card is official. The number inside your bank’s official app is official. The number on your bank’s official website (type the URL directly — do not click a search result) is official. Everywhere else is potentially compromised.
10. Be Suspicious of Urgency and Fear
Every UPI scam uses urgency or fear as its primary weapon — your account will be blocked, you are under arrest, your KYC will expire. Legitimate banks and government agencies communicate through official letters and registered channels. They do not call you demanding immediate action under threat of consequences. When a call creates panic and demands immediate action — that pressure itself is the red flag.
11. Lock Your SIM With a PIN
Enable SIM card lock on your phone — this requires a PIN every time the SIM is inserted into a new device. It does not prevent SIM swap at the operator level but adds a layer of protection against physical phone theft being used for UPI fraud.
12. Check Your Bank Statement Weekly
Regular monitoring means you catch any unauthorised transaction quickly. Refund eligibility depends on how quickly the issue is reported. Within 3 days the bank must provide a full refund for the unauthorised transaction. The faster you report, the better your chances of recovery. A weekly check of your bank statement takes five minutes and dramatically improves your ability to respond to fraud quickly.
Red Flags — Stop Immediately If You Notice These
Keep this list somewhere accessible. Any of these signals means stop what you are doing and verify before proceeding:
- Someone asks you to enter your UPI PIN to receive money
- A caller asks for your OTP, UPI PIN, Aadhaar number, or CVV
- Someone asks you to install a screen sharing app
- A message asks you to click a link to update your UPI app or complete KYC
- Someone sends you a QR code and says scan it to receive payment
- A caller claims you are under “digital arrest” or legal action
- Someone sends you a small amount first and then asks for your PIN to send the rest
- A collect request appears from an unknown UPI ID
- Your SIM suddenly stops working without explanation
What to Do If You Have Been Defrauded
If you realise fraud has occurred — act immediately. Every minute matters.
Step 1 — Call your bank helpline instantly. Report the transaction and request a freeze on further transactions. Ask them to initiate a fraud reversal. Inform your bank immediately about the fraudulent charge.
Step 2 — Block your UPI access. Log into your UPI app and deregister your UPI ID if possible, or contact NPCI. Changing your UPI PIN immediately prevents further unauthorized transactions.
Step 3 — Call the National Cybercrime Helpline. Call 1930 for the India Cyber Crime Helpline. This is a dedicated government helpline for financial cybercrime. Report the fraud with all transaction details — amount, time, UPI ID of the recipient if known.
Step 4 — File a complaint online. Visit cybercrime.gov.in to file a report. Document everything — screenshots of transaction history, the phone number that called you, any messages or links you received. The complaint reference number is important for follow-up.
Step 5 — File a police complaint. Visit your nearest police station and file an FIR. Mention it is a cybercrime and reference your complaint number from cybercrime.gov.in. This creates an official record that supports your bank’s fraud investigation.
Your Rights as a UPI Fraud Victim in India
Many people do not know they have legally protected rights when UPI fraud occurs — and banks are not always upfront about this.
The Reserve Bank of India has set clear guidelines to protect customers from unauthorised digital transactions including UPI frauds. Within 3 days the bank must provide a full refund for the unauthorised transaction. Within 4 to 7 days customer liability is limited ranging between ₹5,000 to ₹25,000 depending on the transaction type. After 7 days refund eligibility is based on the bank’s policy and the customer may have to bear the loss.
This means reporting speed directly determines your legal protection. A fraud reported within 3 days of occurrence has the strongest case for full recovery. Waiting two weeks dramatically reduces your options.
Understanding your rights and knowing the exact steps to take immediately can transform this daunting situation into a manageable one, significantly improving your chances of recovering funds.
If your bank refuses to process your complaint or dismisses it without investigation, you can escalate to the RBI Ombudsman through the RBI’s Integrated Ombudsman Scheme — a free service specifically designed for bank-related consumer grievances.
Final Thoughts
UPI has genuinely transformed how India handles money. The convenience is real and the system is solid. But with hundreds of millions of users and billions of transactions every month, it has also become the largest target for financial fraud in the country.
The protection is not complicated. It comes down to one understanding — no one legitimate will ever ask for your PIN or OTP — and a set of habits that take seconds each but eliminate the vast majority of risk. Verify before you pay. Confirm in your app before you trust a screenshot. Never install apps from links. Never act on urgency created by a stranger on the phone.
Share this post with your parents and grandparents specifically. Older adults are disproportionately targeted by UPI fraud because scammers know they may be less familiar with how the technology actually works. The most valuable thing you can do after reading this is make sure the people around you understand the one rule that prevents most frauds — you never need your PIN to receive money.
Key Takeaway
The most important thing to know about UPI fraud: you never need to enter your UPI PIN to receive money — only to send it. Fraudsters exploit urgency and trust, not technology. Never share your PIN or OTP with anyone, never install apps from SMS links, never scan QR codes sent by strangers to “receive” money, and never trust screenshots as payment confirmation — always check inside your bank app. If fraud occurs, call 1930 and your bank immediately — reporting within 3 days gives you the strongest legal right to a full refund under RBI guidelines.
