Phishing Attacks Targeting Indian UPI Users: How to Identify Them

Rajesh stared at his phone. Three seconds. That's all it took. One tap on a link that said "SBI Refund: Rs 2,400 pending," and Rs 48,000 left his account before he could blink. He called his bank. Hold music. Twenty minutes of hold music while his savings sat in a stranger's wallet somewhere in Jharkhand.

This isn't a rare horror story. It's Tuesday in India.

The Numbers Don't Lie

UPI processed over 12 billion transactions in January 2026 alone. That's not a typo. Twelve billion. The system handles more real-time digital payments than any other platform on Earth, and fraudsters have noticed. According to data the RBI published in its latest annual report, UPI-related fraud complaints shot up by roughly 340% between 2023 and 2025. The Indian Cyber Crime Coordination Centre logged over 1.2 million UPI fraud complaints in the first nine months of 2025. And those are just the ones people bothered to report.

Here's the thing most people miss: phishing doesn't require technical genius. It requires patience, a cheap bulk SMS gateway, and a population that's still getting used to digital payments. India onboarded something like 300 million new UPI users in under four years. Many of them had never done a digital transaction before 2021. The learning curve is steep. The scammers know this.

Fake Payment Request Links

This is the bread and butter of UPI phishing. You get an SMS or WhatsApp message. It looks official. It might say it's from your bank, from NPCI, from a delivery service, or from an e-commerce platform confirming a refund. The message contains a link. That link takes you to a page that looks exactly like your UPI app's payment interface. You enter your PIN thinking you're confirming a refund. Instead, you've just authorized a debit from your account.

The mechanics are almost embarrassingly simple. Scammers register domains that look close to real ones. Think "sbi-refund-india.com" or "paytm-cashback-offer.in." They slap a UPI deep link into the page. When you tap it, your UPI app opens with a pre-filled payment request — but it's a request to send money, not to receive it. The amount field might say Rs 1 to seem harmless. Or it might say Rs 9,999. Either way, the moment you punch in your PIN, it's gone.

What makes this particularly dangerous in India is the trust people place in SMS. A lot of Indians still treat an SMS from a short code as semi-official communication. Banks send transaction alerts via SMS. The government sends OTPs via SMS. So when a message arrives saying "Dear Customer, your refund of Rs 2,400 is pending, click here to claim," it doesn't feel suspicious. It feels normal.

I've seen variations where the link redirects through three or four URLs before landing on the phishing page, probably to dodge automated URL scanners. Some scammers have started using URL shorteners like bit.ly or Indian alternatives to mask the destination entirely. By the time you realize what's happened, the money's been routed through two or three mule accounts and withdrawn from an ATM in another state.

The Fake Bank SMS Playbook

This one's a step more sophisticated. You receive an SMS that appears to come from your bank's official sender ID. It warns you that your account has been "temporarily blocked" or that "suspicious activity" was detected. The message urges you to call a number or click a link to "verify your identity."

If you call the number, you reach someone who sounds professional. They'll confirm your name, maybe your account number — information they likely scraped from a data leak or social media. Then they'll ask you to "verify" your UPI PIN or share an OTP that just arrived on your phone. That OTP? It's the one generated when they initiated a transaction from your account.

Sender ID spoofing is the engine behind this scam. In India, telecom regulations around sender IDs have gaps. While TRAI's DLT (Distributed Ledger Technology) platform was supposed to fix this by registering all commercial SMS senders, enforcement has been spotty. Scammers register entities with slightly misspelled names or use international gateways that bypass DLT altogether. The result? Messages that look like they're from "SBIBNK" or "HDFCBK" land in the same thread as your real bank alerts.

One particularly nasty variant I've come across involves timing. Scammers send the fake alert right after you've made a legitimate UPI transaction. If you just paid for groceries and then immediately get an SMS saying "suspicious transaction detected on your account," your guard is already down. You're primed to believe something went wrong. That timing isn't coincidence — it suggests they might have access to transaction feeds, possibly through compromised merchant systems or rogue payment intermediaries.

Google Ads Phishing — The One People Don't Talk About Enough

This is, in my opinion, the most underreported variant. You search for something on Google — "PhonePe customer care number" or "GPay support" or "how to reset UPI PIN." The first result that appears is an ad. It looks legitimate. It says "PhonePe Official Support" or something similar. You click it. You're taken to a page with a phone number. You call that number.

The person on the other end doesn't work for PhonePe.

Google Ads allows anyone to buy ad space for almost any keyword. Scammers have been purchasing ads for banking and UPI-related searches in India for years now. Google's review process catches some of them, but new ads pop up faster than they're taken down. A 2025 investigation by a Bangalore-based cybersecurity firm found that at any given time, there were between 15 and 40 active fraudulent Google Ads targeting Indian UPI users across major search terms.

The scam itself follows the same pattern: the fake support agent asks you to install a screen-sharing app like AnyDesk or TeamViewer, or asks you to share an OTP. Sometimes they'll send you a "collect request" on UPI and tell you to approve it to "complete the verification process." It's alarmingly effective because the victim initiated the contact. They went looking for help. They called the number voluntarily. That psychological dynamic — feeling like you're in control — makes you less suspicious.

Google has taken some steps to address this, particularly after CERT-In flagged the issue in mid-2025. But the problem persists. If you're searching for customer support for any financial service, the safest approach is to open the app itself and find the help section there. Never trust a phone number from a search result, especially not a sponsored one.

WhatsApp Phishing: Where Trust Gets Weaponized

WhatsApp has over 500 million users in India. It's where families coordinate, businesses operate, and — unfortunately — where phishing thrives. The attacks here are varied. Some come as messages from unknown numbers pretending to be bank executives. Others arrive in group chats, shared by someone whose phone was compromised. And some are forwarded by friends or family members who genuinely believe they're sharing a legitimate offer.

One common format: you receive a WhatsApp message with a "KYC update" notice. It claims your bank or UPI app requires you to complete KYC verification or your account will be frozen within 24 hours. The message includes a link to a form that asks for your name, account number, Aadhaar number, and UPI PIN. The 24-hour deadline creates panic. Panic creates mistakes.

Another variant involves fake cashback or rewards. "Congratulations! You've won Rs 500 cashback from Google Pay. Click to claim." The link leads to a page that asks you to "verify" your UPI ID and PIN to receive the reward. The design mimics Google Pay's interface closely enough to fool most people scanning it quickly on a small phone screen.

WhatsApp's end-to-end encryption, ironically, makes these scams harder to detect at scale. Because WhatsApp can't read message content, it can't automatically flag phishing links the way email providers do. The platform relies on user reports and metadata patterns to identify suspicious accounts, but by the time an account gets banned, the scammer has already moved to a new number.

I'd estimate that roughly half the UPI phishing victims I've spoken with were first contacted through WhatsApp. The platform's familiarity and personal feel make it a perfect hunting ground.

Identifying the Red Flags

So how do you tell a real message from a phishing attempt? It's not always obvious, but certain signals should make you pause.

First, urgency. Any message that demands immediate action — "verify now," "account will be blocked in 2 hours," "last chance to claim" — is almost certainly a scam. Banks and NPCI don't operate on countdown timers. They send notices. They give you weeks, not hours.

Second, requests for sensitive information. No legitimate entity will ever ask for your UPI PIN. Not your bank. Not NPCI. Not Google Pay or PhonePe. Your PIN is entered only on your own device, in your own app, to authorize a transaction you initiated. If anyone asks for it verbally, in a form, or via message, that's a scam. Full stop.

Third, collect requests from unknown UPI IDs. If you receive a collect request you didn't expect, decline it. Don't approve it to see "what happens." What happens is your money leaves.

Fourth, links in messages. Be deeply suspicious of any link sent via SMS or WhatsApp that relates to money, banking, or UPI. If your bank genuinely needs you to take action, you can always open the banking app directly or visit the official website by typing the URL yourself.

Fifth, too-good-to-be-true offers. Cashback of Rs 500 for clicking a link. A lottery you never entered. A refund for an order you don't remember. If it sounds like free money, it probably isn't.

Subtle Signs Most Guides Won't Mention

Look at the language. Many phishing messages contain small grammatical errors or odd phrasing. "Dear Customer your account is been blocked" — that "is been" is a giveaway. Legitimate corporate communications go through copywriters and compliance teams. Scam messages go through Google Translate or overworked freelancers who don't care about grammar.

Check the URL carefully. If you've already clicked a link, look at the address bar. Is it "sbi.co.in" or "sbi-secure-login.com"? The official State Bank of India domain is onlinesbi.sbi. Anything else is fake. Similarly, Google Pay's official domain is pay.google.com, not "gpay-rewards-india.in."

Notice the timing. Scam messages often arrive during festivals (Diwali, Holi), shopping sales (Flipkart Big Billion Days), or right after major government announcements about subsidies or refunds. Scammers exploit the noise. When everyone's talking about cashbacks and offers, one more "offer" doesn't raise eyebrows.

What To Do When You've Been Hit

Speed matters. The first 30 minutes after a UPI fraud are the most important. Here's what to do, in order.

Call your bank's fraud helpline immediately. Not the general customer care number — the fraud-specific one. For SBI, that's 1800-111-109. For HDFC, 1800-266-4332. Most banks have dedicated fraud response teams that can attempt to freeze the recipient's account before the money is withdrawn.

File a complaint on the National Cyber Crime Reporting Portal at cybercrime.gov.in. You can also call 1930, the national cybercrime helpline. This creates an official record and triggers a process where the receiving bank is notified.

Report the fraud through your UPI app. Google Pay, PhonePe, and Paytm all have in-app fraud reporting features. This helps the platform flag the scammer's UPI ID and merchant account.

File an FIR at your local police station. Many victims skip this step because they assume the police can't help with digital fraud. That's increasingly untrue. Most states now have cyber cells, and an FIR is often required for insurance claims or bank refund processes.

Under RBI's 2017 circular on unauthorized electronic banking transactions, if you report the fraud within three working days, your liability is capped at Rs 25,000 for transactions above Rs 5 lakh (and less for smaller amounts). If you report within 24 hours, you might have zero liability. The clock starts ticking from the moment the unauthorized transaction occurs, not from when you notice it. So check your transaction alerts regularly.

NPCI and RBI — Are They Doing Enough?

NPCI, the organization that operates UPI, has rolled out several anti-fraud measures over the past couple of years. There's a daily transaction limit (Rs 1 lakh for most banks), a cooling period for new device registrations, and device binding that ties your UPI ID to a specific phone. In late 2025, NPCI introduced a machine-learning-based fraud detection system that flags suspicious transaction patterns in near real-time.

RBI, for its part, has mandated two-factor authentication for UPI transactions (device binding plus PIN), required banks to set up dedicated fraud monitoring units, and published consumer awareness campaigns. The "RBI Kehta Hai" initiative, which sends periodic awareness messages through banks, has probably reached hundreds of millions of people.

But is it enough? Honestly, it's hard to say. The fraud numbers keep climbing even as countermeasures improve. Part of the problem is that UPI's greatest strength — instant, irreversible transfers — is also its greatest vulnerability. Once money leaves your account, there's no "undo" button. The system was designed for speed, and speed doesn't pair well with deliberation.

There's also a coordination gap. Phishing operations often span multiple states, multiple banks, and multiple telecom providers. A scammer in Jamtara (Bihar's infamous cybercrime hub) uses a SIM card from Rajasthan, a bank account opened in Uttar Pradesh with fake documents, and targets victims in Tamil Nadu. Investigating this requires cooperation between state police forces, banks, telecom companies, and NPCI. That coordination exists on paper. In practice, it's slow and fragmented.

Some experts have called for a centralized UPI fraud database that all banks and apps can query in real time. If a UPI ID or bank account has been reported multiple times, incoming transactions to that account could be flagged or delayed. NPCI has been working on something like this, but as of early 2026, it's not fully operational.

What Keeps Changing

Phishing tactics evolve fast. In the last six months or so, I've noticed a few new trends that worry me. One is the use of AI-generated voice calls. Instead of a human scammer pretending to be a bank executive, victims are now receiving calls from synthetic voices that sound professional and consistent. These voices don't stumble, don't get flustered, and don't accidentally break character. They're being generated using text-to-speech tools that cost almost nothing to run.

Another trend is the integration of phishing with social engineering on platforms like Telegram and Instagram. Scammers build rapport over days or weeks — posing as potential romantic interests, business contacts, or job recruiters — before eventually directing the victim to a UPI payment trap. The phishing link isn't the first message. It's the twentieth, arriving after trust has been carefully manufactured.

There's also been a rise in phishing targeting UPI merchant accounts. Small business owners who accept UPI payments are receiving messages claiming their merchant verification is "expiring" and they need to "re-verify" by clicking a link. Since these merchants depend on UPI for their livelihood, they're more likely to comply quickly without checking.

Back to Rajesh

Remember the shopkeeper from Chennai I mentioned at the start? He filed a complaint within two hours. The police cyber cell traced the money to an account in Deoghar, Bihar. By then, most of it had been withdrawn. He got Rs 12,000 back out of the Rs 48,000 he lost. The bank's fraud team told him he was "lucky" — most victims get nothing.

Lucky. That's the word they used.

The frustrating reality is that UPI phishing won't disappear. Not while the system prioritizes speed over safeguards, not while telecom regulations have holes wide enough to drive a bulk SMS campaign through, and not while millions of new users come online every quarter without basic digital literacy training. What you can do — what any of us can do — is slow down. Read the message twice. Check the URL. Call your bank from the number on the back of your card, not the one in the SMS. And never, under any circumstances, share your UPI PIN with anyone. Not even if they sound official. Not even if you're scared. Especially if you're scared. That fear is the whole point.