Understanding UPI Fraud: How Scammers Steal Your Money

Deepak’s Panic Call From Hyderabad

It was a regular Tuesday. I was making chai, the milk was about to boil over, and my cousin Deepak calls me from Hyderabad. He was talking so fast that I had to tell him three times to slow down before I could understand a single sentence. He had listed his old laptop on OLX. Nothing fancy, a three-year-old HP that he wanted to sell for 25,000 rupees. Somebody messaged him within an hour of the listing going up. Agreed to the full price immediately. No bargaining. The thing is, nobody on OLX agrees to the asking price without trying to negotiate. That alone should have been the warning sign, but Deepak was just happy about the quick sale.

The person on the other end said he would send the money through Google Pay. Deepak waited. A notification came in. It looked like a payment. But it was not a payment. It was a collect request for 25,000 rupees. The caller told Deepak to enter his UPI PIN to “accept the payment.” Deepak entered his PIN. And 25,000 rupees left his SBI account. Not in. Out. Gone. The caller’s phone was switched off within seconds. Deepak tried calling back four or five times. Nothing. He sat there in his flat staring at the transaction notification until he called me, and by then his voice was shaking.

I felt guilty. I write about this stuff. I know how collect request scams work. But it never crossed my mind that Deepak (who is a software tester, who uses UPI every single day) did not know the one rule that could have saved him. You do not enter your UPI PIN to receive money. Ever. When someone sends you money via UPI, it just arrives. You get a credit notification. There is no PIN involved. If any app, any person, any process asks you to enter your PIN to “receive” or “accept” a payment, they are taking your money, not giving it to you.

That distinction, between receiving money (no PIN) and sending money (PIN required), is what every single UPI user needs to understand. And a disturbing number of people do not. According to the Reserve Bank of India’s annual report for 2023-24, there were over 30,000 reported UPI fraud cases in the first quarter of 2024 alone. The National Payments Corporation of India (NPCI) published a separate analysis suggesting the real number is much higher, because many victims never file a formal complaint. They feel embarrassed, or they do not know where to report, or they assume nothing can be done. Deepak almost did not report it either. I had to sit on the phone with him for an hour, walking him through every step.

The collect request scam is the most common UPI fraud pattern in India right now. The scammer identifies people who are selling something on OLX, Facebook Marketplace, Quikr, or even in WhatsApp groups. They agree to buy. They send a collect request disguised as a payment. They coach the victim through entering their PIN. And the money goes in the wrong direction. It works because the UPI interface does not make it obvious enough that a collect request is a request to take money from you. The screen looks similar to a payment confirmation, and under pressure, people do not read the fine print.

The QR Code Trick at the Market

I am not going to sit here and pretend I have never been close to falling for one of these myself. About eight months ago, I bought something from a small Instagram shop, one of those home business accounts run by a woman in Pune. The item arrived damaged. I messaged her about a refund. She was apologetic, said she would send the money back right away. Then she sent me a QR code on WhatsApp and said, “Scan this to get your refund of 1,200 rupees.”

I had my phone camera open. I was about to scan it.

Then something stopped me. Scanning a QR code in a UPI app does not receive a payment. It initiates one. The QR code was pre-loaded with her UPI address and the amount, and if I had entered my PIN after scanning, I would have sent her 1,200 rupees. I would have paid her for sending me a broken item. When I pointed this out, she got confused, said her “accountant” had told her that was how refunds work. Maybe she was genuinely mistaken. Maybe she was not. I never found out because she stopped replying after that.

The thing is, QR code scams are not limited to online transactions. They have moved into the physical world too, and that version is harder to catch. Police in Bengaluru, Mumbai, and Delhi have reported cases where scammers paste their own QR code stickers over the legitimate ones at petrol pumps, parking lots, juice shops, and kirana stores. You walk up to a vendor. You scan what you think is their QR code. But the code is a sticker placed on top of the real one, and the money goes to an account controlled by someone you will never meet. The vendor does not get paid. You lose your money. Nobody realises what happened until the vendor checks their account that evening and the numbers do not match.

The only reliable defence here is to look at the name displayed on your UPI app after you scan the code and before you enter your PIN. If you are paying at “Sharma Kirana Store” but your phone shows the payee as “Ravi Kumar Personal,” stop. Do not complete the transaction. Ask the vendor if the name is right. If they say it should show their business name and it does not, that QR code has been tampered with.

My aunt in Lucknow almost lost 3,500 rupees at a parking lot this way. The attendant’s QR code had been covered by a sticker. She noticed the wrong name on her PhonePe screen only because her daughter had told her about this specific scam the previous week. That is how thin the margin is. One conversation. One piece of information passed along at the right time. That is the difference between catching it and not catching it.

There is a related trick that uses screen sharing. Someone calls and says they are from HDFC Bank, or SBI, or whichever bank you use. They say there is a problem with your account. They ask you to install AnyDesk or TeamViewer on your phone so they can “help” you fix the issue. If you install it and give them the access code, they can see your screen in real time. They watch you type your PIN. Some of them take remote control of your phone and move money out of your account while you are still on the call, confused about what is happening. My friend Nisha’s mother lost 80,000 rupees through this method. The caller identified himself as an HDFC Bank security officer. He had her mother’s name, her account type, and the branch where she had opened the account. All of that information is available from data leaks and social engineering. None of it proved he was actually from the bank. But when someone recites your details back to you on a phone call, it feels real. That is what makes it work.

SIM Swap: The One That Scares Me Most

Of every UPI fraud method I have read about, talked about, or heard about from people I know, SIM swap is the one that genuinely frightens me. Because with most other scams, you have to do something wrong. You have to enter your PIN when you should not have, or share your OTP with a stranger, or scan a fake QR code. With SIM swap, you can do everything right and still lose your money if the telecom company makes a mistake on their end.

The mechanics are not complicated. A scammer collects your personal details. Your name, date of birth, address, the last four digits of your Aadhaar. Sometimes they get this from a data breach. Sometimes they pull it from your social media profiles. Sometimes they call you weeks before the actual fraud, pretending to be from your bank or your telecom provider, and ask a few innocent-sounding questions that fill in the gaps. With enough details in hand, they walk into a telecom retail store — or call customer care — and request a replacement SIM for your number. They claim they lost their phone, or the SIM is damaged, or they need a nano SIM for a new handset.

If the store or customer care agent does not verify carefully enough — and the track record of telecom companies on this front is not good — they issue the new SIM. The moment that SIM activates on the scammer’s phone, your phone goes dead. No signal. No calls. No texts. No data.

Most people who see “No Signal” on their phone assume it is a network outage. They wait. They restart the phone. They try again in twenty minutes. That is exactly the window the scammer needs. With your phone number now on their device, they request a UPI PIN reset. The OTP goes to them. They set a new PIN. They link your bank account if it is not already linked. And then they transfer money out. A fraud ring busted by the Hyderabad Cyber Crime police in early 2024 had drained 47 lakh rupees from 14 victims using SIM swap, all within a span of three weeks. The average time from SIM activation to account emptying was under 40 minutes.

If your phone suddenly loses signal and does not come back within 15 minutes, do not assume it is the network. Borrow someone else’s phone and call your telecom provider’s customer care. Ask specifically whether a SIM replacement or SIM swap has been initiated for your number. If the answer is yes and you did not request it, ask them to block the new SIM immediately. Then call your bank and ask them to freeze your account. Then go to the nearest telecom store with your photo ID to reclaim your number.

To reduce the risk of SIM swap in the first place: set a SIM lock PIN on your phone (this is different from your screen lock and prevents anyone from using your SIM in another device without the PIN), stop posting your birthday and phone number on social media, and wherever possible, switch from SMS-based two-factor authentication to app-based authentication using Google Authenticator or Microsoft Authenticator. SMS OTPs can be intercepted through SIM swap. App-based codes cannot, because they are generated on the physical device and do not travel through the telecom network at all.

My uncle in Nagpur had his SIM swapped in September last year. He lost 1,12,000 rupees across two bank accounts before he realised what was happening. He thought his phone was broken. He drove to the Airtel store to get it fixed. By the time the store employee told him someone had requested a SIM swap an hour earlier, the damage was done. He filed an FIR, reported to cybercrime.gov.in, and filed with Airtel’s nodal officer. As of the last time I asked him, about four months after the incident, he had recovered roughly 60,000 through the bank’s fraud resolution process. The rest, he was told, had already been moved to a wallet and cashed out. Gone.

Fake Customer Care on Google

My mother called me on a Saturday afternoon a few months back, very upset. She had been trying to file a complaint about her Paytm account because some transaction had been charged twice. She went to Google and searched for “Paytm customer care number.” The first result she clicked was not Paytm. It was a scam website, designed to look like an official Paytm support page, with a phone number prominently displayed. She called the number. A man answered, very polite, very professional. He said he was from Paytm support and that he would resolve her issue right away.

He asked her to open her Paytm app. He asked her to share her screen via a link he sent on WhatsApp. She did. He could now see her phone screen in real time. He told her he needed to “verify her account” and asked her to open her UPI settings. She did. Then he said, “Ma’am, I am going to initiate a refund test of 1 rupee, please enter your PIN to confirm.” She entered her PIN. The transaction was for 15,000 rupees, not 1 rupee. He had changed the amount on his end through the screen-sharing session. By the time she looked at the debit notification, he had hung up.

She lost 15,000 rupees. To a number she found on Google.

The thing is, this is a well-known scam pattern, and Google has been slow to address it. Scammers buy ads or create SEO-optimised pages that show up when people search for customer care numbers of banks, payment apps, and telecom companies. The numbers lead to call centres that impersonate the real company. They sound professional. They know the right terminology. They follow scripts designed to build trust quickly and then extract money or information.

When I looked into it after my mother’s experience, I found dozens of these fake pages. Searching for “SBI customer care number” on Google brought up a sponsored result that listed a mobile number. SBI’s actual helpline is 1800-11-2211 (toll-free) or 1800-425-3800. It is not a ten-digit mobile number. But for someone who is frustrated and looking for quick help, that distinction gets lost. The scammer’s page looked clean, had SBI’s logo, and listed the number in a large, easy-to-read font. Everything about it was designed to be clicked on and called in a hurry.

The safe approach is to get customer care numbers only from the official app or the official website. For Paytm, open the Paytm app, go to Help, and use the in-app chat or the number listed there. For SBI, go to sbi.co.in. For HDFC Bank, go to hdfcbank.com. For Google Pay, go to pay.google.com. Never trust a phone number from a Google search result, even if the page looks official. Scammers pay money to make their pages rank high. That is their business model. A few thousand rupees spent on Google Ads or SEO can bring in lakhs from victims who call the fake number.

Collect Requests and Fake UPI Links

I want to come back to collect requests because Deepak’s story is just one version of this scam. There are others, and some of them are more subtle than a stranger on OLX telling you to enter your PIN.

A friend of mine (I will call her Rashmi because she asked me not to use her real name) received a WhatsApp message from someone claiming to be from IRCTC. The message said she was eligible for a refund of 890 rupees for a train ticket she had cancelled two weeks earlier. The message included a link. She tapped it. It opened what looked like an IRCTC page, which asked her to enter her UPI ID to receive the refund. She entered her PhonePe UPI ID. A minute later, she got a collect request on PhonePe for 890 rupees. The request came from a UPI address that said “IRCTC-Refund” in the display name. She approved it without thinking twice, because she was expecting a refund and the amount matched.

890 rupees gone. Not a life-changing amount, but that is part of the strategy. The scammers keep the individual amounts relatively low (500, 800, 1,200, 2,000 rupees) because people are less likely to go through the hassle of reporting a small loss. But the scammers run this operation at scale, sending thousands of these messages per day. If even 2% of recipients fall for it, the daily take is substantial.

The other variation is the fake UPI payment link. These show up as SMS messages or WhatsApp messages with a URL that looks like it belongs to a bank or a payment platform. Something like “pay.sbi-refund.in/claim” or “gpay-cashback.co.in/verify.” Neither of these is a real URL belonging to SBI or Google Pay. But they look plausible enough on a small phone screen. Tapping the link opens a page that asks you to select your UPI app and enter your PIN to “claim” the money. The moment you enter your PIN, you are authorising an outgoing payment.

I have started telling everyone in my family one simple rule: if any link, message, or notification asks you to enter your UPI PIN, and you are supposed to be receiving money, something is wrong. Stop. Do not enter the PIN. Close the app. Check your bank account through the official app. If someone genuinely sent you money, it will already be there.

The RBI and NPCI have both run awareness campaigns about this. Paytm, PhonePe, and Google Pay have added warnings that display on screen when you are about to approve a collect request. But the warnings are small, the text is easy to miss when you are in a hurry, and most users have trained themselves to tap through confirmation dialogs without reading them. The interface design is getting better, but it is not keeping pace with the volume of fraud attempts.

After It Happens: Reporting and Recovery

If you are reading this because you have already lost money, I am sorry. Genuinely. These people are professionals. They do this all day, every day, and thousands of smart, educated, careful people fall for their schemes every month. It is not a reflection of your intelligence.

But speed matters now. The faster you act, the better your chances of recovery.

First: open the UPI app where the fraudulent transaction happened. Go to your transaction history. Find the transaction. Tap on it and look for “Report” or “Raise Dispute.” On Google Pay, it is under the transaction details. On PhonePe, tap the transaction and then “Need Help.” On Paytm, go to Passbook, find the transaction, and select “Raise Issue.” This flags the transaction with NPCI, which can sometimes freeze the recipient’s account before the money is moved further. The sooner you do this, the better. Within the first hour is ideal. After 24 hours, the money has almost certainly been moved to other accounts or withdrawn as cash.

Second: call your bank’s fraud helpline. The number is on the back of your debit card. For SBI, it is 1800-11-2211. For HDFC Bank, 1800-1600. For ICICI Bank, 1800-1080. For Axis Bank, 1860-500-5555. Tell them you have been a victim of UPI fraud. Give them the transaction ID, the amount, the date and time, and the recipient’s UPI ID or phone number. Ask for a complaint reference number and write it down. You will need it later.

Third: go to cybercrime.gov.in or call 1930. The 1930 helpline is operated by the Indian Cyber Crime Coordination Centre (I4C) and is available 24 hours a day, 7 days a week. It is specifically designed for financial fraud. Give them the transaction details. They will generate a complaint number. Keep this number safe. If you file online at cybercrime.gov.in, upload screenshots of the transaction, any messages or calls from the scammer, and the UPI ID or phone number used.

Fourth: file an FIR at your local police station. Some police stations will try to direct you to the online portal instead. Do not accept this unless you have already filed online and are satisfied with the response. An FIR is a formal record of the crime, and you may need it for your bank’s fraud resolution process or for insurance claims. If the police refuse to file an FIR, you can approach the Superintendent of Police or file a complaint with the local magistrate under Section 156(3) of the Code of Criminal Procedure.

Under RBI guidelines, banks have 30 days to resolve a fraud complaint where the customer reports the fraud within 3 working days. If the bank determines that the fraud was not due to your negligence, you are entitled to a full refund. If the bank does not respond within 30 days, or if you are unsatisfied with their response, escalate to the RBI Ombudsman at cms.rbi.org.in. The Ombudsman process is free and does not require a lawyer.

Keep a record of everything. Every call, every reference number, every email, every screenshot. Write the dates down. Note the names of the people you spoke to, if they give them. Having an organised paper trail is, in my experience from helping family members through this process, the single biggest factor that separates people who get their money back from people who do not. It is tedious. I know. But it works.

I still think about Deepak’s voice on that call. He got most of his money back, eventually. Took three months and a lot of paperwork. But that panic in his voice, the way he kept saying “I do not know how it happened” — that sticks with you. Anyway, be careful out there. Talk to your parents about this stuff. They will not Google it themselves.