Someone calls saying they're from your bank. They know your name, your registered mobile number, and sometimes even your approximate account balance. They tell you there's been suspicious activity, and they need to verify your identity. All you have to do is share an OTP — just to confirm it's really you. It sounds plausible. It feels urgent. And for a lot of people, that's enough.
UPI fraud doesn't usually announce itself. It arrives dressed as urgency, familiarity, or a small technical problem that needs your help to fix. Understanding what these patterns actually look like is the first line of defence — not a PIN, not a setting, not a helpline number you'll only look up after it's happened.
Why UPI Fraud Has Grown Alongside UPI Usage
UPI processes billions of transactions every month across India. That scale is precisely what makes it attractive to fraudsters. The more people use a payment system without fully understanding how it works, the more opportunities exist to exploit that gap.
The mechanics of UPI are actually quite secure. NPCI's (National Payments Corporation of India) two-factor authentication, device binding, and MPIN requirements create multiple barriers. But none of those barriers protect against a user who is socially engineered into bypassing them voluntarily.
That's the key insight: most UPI fraud prevention failures aren't technical — they're behavioural.
Fake UPI Payment Scams — The Collect Request Trick
This one catches people who aren't paying close attention. A fraudster sends a UPI collect request — which looks almost identical to a payment confirmation — and tells the victim they're "sending" money. The victim enters their MPIN to approve it. They've just authorised a debit, not a credit. The money leaves their account.
The rule here is simple and non-negotiable: entering your MPIN always means money is leaving your account. There is no scenario where you need your MPIN to receive a payment.
UPI OTP Frauds — The Fake Verification Call
A caller impersonates a bank representative, NPCI officer, or even a government official. They create a plausible reason for needing an OTP — account verification, KYC (Know Your Customer) update, fraud reversal. The OTP they're asking for is the one that links your bank account to a UPI app on their device.
No legitimate institution will ever ask for your OTP over a phone call. Not once. Not under any circumstances.
UPI Phishing Attacks — Fake Apps and Links
Messages arrive via SMS or WhatsApp with links to what appears to be a bank portal or UPI app. The page looks genuine. You enter your UPI ID, MPIN, or debit card details. That information goes directly to the fraudster. If you notice unusual battery drain, data usage, or unknown apps on your device, run a security scan immediately.
The safe habit: never open payment-related links from messages. Go directly to the official app or website every time.
QR Code Scams — The Reversal Fraud That Targets Sellers
Someone buying something from you — a second-hand item, a small service — offers to send payment via QR code. They share a code and ask you to scan it. Scanning a QR code in UPI can initiate a payment from your account, not to it. Some fraudsters generate collect-request QR codes specifically for this.
If someone is paying you, they scan your QR code. You never need to scan anything to receive money. That distinction is worth remembering.
Fake UPI IDs — How to Spot a Lookalike Handle Before Confirming Payment
Fraudsters sometimes create UPI IDs that closely resemble legitimate ones — swapping letters, adding numbers, or mimicking official handles. Before confirming any payment, check the name that appears on the confirmation screen. If it doesn't match the person or business you're paying, stop before authenticating.
Common patterns include substituting the letter 'O' for the numeral '0', adding a hyphen to an official handle, or appending 'support' or 'help' to a legitimate brand name — such as '@help' or '@npci-support'.
A Practical Self-Check
Run through these before any UPI transaction you feel uncertain about.
Are you being asked to enter your MPIN to receive money? Stop. That's not how UPI works.
Did someone send you a link to complete a payment? Don't click it. Go directly to your app.
Is there urgency in the request — "do it now or your account will be blocked"? That pressure is deliberate. Slow down.
Does the UPI ID on the confirmation screen match who you think you're paying? If not, cancel.
Is someone on the phone asking for an OTP while you're on the call? End the call. Call your bank directly from the number on their official website.
Where Users Go Wrong
The most common error is assuming that because they've used UPI for years without incident, they'll recognise a scam when it comes. Fraudsters specifically target people who feel confident. The scripts are designed to feel familiar.
The second mistake is acting under time pressure. Scams almost always include an artificial deadline — your account will be frozen, the payment will expire, the offer ends in minutes. That urgency is manufactured. A legitimate transaction will wait.
And some users share screenshots of their payment apps when troubleshooting with strangers online. Screenshots sometimes contain UPI IDs, account details, or reference numbers that are enough to initiate follow-up fraud. Be careful what you share, even in help forums.
What to Do in Each Situation: A Quick-Reference Guide to UPI Scams
The Shriram One App handles utility bill payments, LPG cylinder bookings, and other routine transactions through BBPS, the government-regulated bill payment network. Every transaction is logged, traceable, and processed through a verified infrastructure. You're not responding to a collect request from an unknown handle. You're initiating a payment on your own terms, to a biller you've selected.
What Your UPI App Should Offer to Keep You Protected
The Shriram UPI security benefits come partly from the underlying UPI standard and partly from the account-level visibility the platform provides. Every transaction requires MPIN authentication. Alerts are generated for each payment. And because your loan account and payment history sit in one place, an unfamiliar transaction is easier to notice against a familiar backdrop.
Blocking fraudulent UPI transactions quickly is the most effective recovery step. The faster you act — contacting your bank and filing a complaint — the higher the chance of a hold being placed on the funds before they're transferred out.
What to Do Immediately After a Fraud
The RBI's framework on customer liability in unauthorised electronic banking transactions — established under its 2017 circular — sets specific reporting windows that determine how much financial protection you retain. These are your actual rights. They're worth knowing precisely.
If you report the unauthorised transaction to your bank within three working days, your liability is zero. The full loss is the bank's responsibility, provided the fraud wasn't caused by your own negligence.
If you report between four and seven working days, your liability is capped — between ₹5,000 and ₹25,000 depending on your account type and the transaction value. You absorb that portion; the bank covers the rest.
Beyond seven working days, your liability depends on the bank's own policy. The RBI framework doesn't guarantee protection after that window, though a formal complaint still creates a record and may support partial recovery.
Three working days is the threshold that matters most. That's still not a long time — but it's meaningfully different from "24 hours," and a reader who misses the first day shouldn't conclude the case is closed.
The sequence to follow:
First, call your bank's fraud helpline and ask them to formally log the unauthorised transaction. Get a complaint reference number. The timestamp of this call is what the three-day window is measured against — not when you noticed the fraud, but when you reported it to the bank.
Second, file a complaint on the NPCI dispute portal or call the UPI fraud helpline at 1800-120-1740. This creates a parallel record within the UPI ecosystem and initiates NPCI's own dispute process.
Third, file a cybercrime complaint at cybercrime.gov.in or at your nearest police station. This is required for any formal investigation and supports the RBI's liability framework applying in your favour during a bank dispute.
Keep every transaction reference number, screenshot, bank complaint acknowledgement, and call record. These establish both the nature of the fraud and the timing of your report — both matter when liability is being assessed.
UPI Is Secure — Your Awareness Is What Makes the Difference
The tell is almost always the same: urgency, a request for your MPIN or OTP, and a situation that doesn't quite add up if you slow down for ten seconds.
If this article has prompted you to think about where your regular payments actually happen — and whether those channels are ones you'd chosen deliberately or simply defaulted into — it's worth considering consolidating them.
Download the Shriram One App or visit shriramfinance.in to set up your routine payments. It takes a few minutes and removes one category of risk from your digital payment habits entirely.
FAQs
1. What is a fake UPI payment scam?
A fake UPI payment scam typically involves a fraudster sending a UPI collect request — which looks like a payment notification — and convincing the victim that approving it will deposit money into their account. In reality, approving a collect request authorises a debit. The victim enters their MPIN thinking they're confirming receipt; they're actually sending money. Variants of this scam also include fabricated payment screenshots shared over WhatsApp to "prove" a transfer was made, when no actual transaction has occurred. If someone claims to have paid you, verify it in your bank statement — not by looking at a screenshot they've sent.
2. How do I report UPI fraud?
Report as quickly as possible through three channels simultaneously if you can. Call your bank's 24-hour fraud helpline to flag the transaction and request a hold. File a complaint on the NPCI portal or call 1800-120-1740, the dedicated UPI fraud helpline number. Then file a cybercrime complaint at cybercrime.gov.in. Keep your transaction reference number, the fraudster's UPI ID or phone number, and any messages or call records as evidence. The RBI guidelines on UPI safety give you the right to raise a dispute — but acting within 24 hours significantly improves your chances of recovery.
3. Can I get my money back after UPI fraud?
It depends on how quickly you report and the specific circumstances of the fraud. UPI transactions are immediate and irreversible at the technical level — the money moves in seconds. However, if you report quickly, your bank can flag the recipient account and request a hold pending investigation. If the fraudster hasn't withdrawn the funds yet, a reversal through the UPI payment reversal process is possible. NPCI's dispute resolution mechanism handles these cases, though outcomes vary. There's no guarantee — which is why prevention matters far more than recovery.