
UPI Payment Security: Protecting Your Money from Scammers

Fourteen billion UPI transactions a month and people are still entering their PIN to 'receive' money. Here's what nobody bothers to explain about collect request scams, fake helplines, QR code tricks, and SIM swaps — plus what actually works when you've already been hit.

Rajesh Kumar
·13 min read

Fourteen billion transactions a month. That's the number NPCI reported for UPI in late 2025, and honestly, it should scare you a little. Not because UPI is broken — it isn't — but because that volume of money moving through phones creates an irresistible target. Every chaiwallah, every auto driver, every college student splitting dinner has a UPI app now. And scammers? They've noticed. They noticed years ago.

I keep running into the same bad advice recycled across blogs and YouTube. "Don't share your PIN." Great. Thanks. Very helpful. That's like telling someone to lock their door without mentioning that the burglar's already inside the house posing as a plumber. UPI fraud in India is messier, more creative, and far more psychologically manipulative than any bullet-point list can capture. So let's actually talk about what's happening, why it works, and what you can do when — not if — someone tries it on you or someone you know.

How Collect Requests Became a Weapon

Here's the thing that drives me slightly mad. UPI has this feature called a "collect request" where someone can ask you for money. You get a notification. You approve or decline. Simple enough in theory. Disastrous in practice.

Someone contacts you — maybe through an OLX listing you posted, maybe pretending to be a buyer interested in your used laptop. They say they'll send you the money right now, very eager, very friendly. Then a notification pops up on your phone. It says "collect request" and shows an amount. Your brain, which has been primed to expect an incoming payment, sees numbers and thinks: oh, the money's arriving. You enter your PIN to "accept" it.

Except you just authorised a debit. Money left your account. You paid them.

I've talked to people this happened to. Smart people. Engineers, teachers, small business owners. They aren't stupid. But the scam exploits a fundamental confusion that UPI's interface doesn't do enough to prevent. When you're expecting money and a notification arrives with the right amount, your guard drops. Scammers make sure you're hurried — they create urgency, they call you simultaneously, they pressure you — so you don't read carefully. That fleeting moment of inattention is all they need.

One thing I probably should clarify since it gets muddled in advice columns: you never, ever need to enter your UPI PIN to receive money. If someone's sending you funds, it hits your account without any action from you. No PIN. No approval. No scanning. It just arrives. Any time a person tells you to enter your PIN or scan something to "get" your payment, something's wrong. That single rule covers about half the scams out there, and it's the one worth memorising if you remember nothing else from this article.

I recall reading an RBI consumer awareness bulletin from mid-2025 that showed collect request fraud accounted for roughly 30% of reported UPI complaints. Thirty percent! For a single trick that could be mostly solved with better UI design and a fat red warning label. But that's a rant for another day.

The Fake Customer Care Trap

This one's insidious. You've got a problem with your Google Pay account, or maybe PhonePe is showing an error, or a payment got stuck. What do you do? You Google the customer care number. Seems reasonable. It's what everyone does.

And that's exactly what scammers are counting on.

They buy Google Ads for search terms like "PhonePe customer care number" or "Google Pay helpline." They create official-looking websites with toll-free numbers. Some of them even show up in Google Maps as business listings — I've seen it myself, a "Google Pay Service Center" pinned to a random address in Noida with a mobile number listed. When you call, a polite person answers, sounds professional, maybe even has hold music. They "verify your identity" by asking some basic questions. Then comes the pivot.

"Sir, for security purposes we need to remotely access your device to fix the issue. Please install AnyDesk."

AnyDesk. TeamViewer. QuickSupport. These are legitimate remote desktop apps that IT teams use daily. But in a scammer's hands, they're skeleton keys. Once you install one and share the access code, the person on the other end can see your screen, control your phone, watch you type your passwords. They'll ask you to "log into your UPI app to verify the transaction" while they quietly note every keystroke. Some don't even bother being subtle — they'll wait until you step away and just transfer money directly.

A friend's mother lost forty-two thousand rupees this way in late 2025. Called a number she found on Google for SBI support. Installed TeamViewer because the "bank employee" told her it was an official security app. Within eight minutes, two transactions had cleared from her account. She didn't even realise what happened until the SMS alerts came through — and by then, the scammer had already disconnected.

What frustrates me is that Google knows these ads exist. They pull them down sometimes, but new ones pop up the next day. The scammers aren't doing anything technically sophisticated — they're just buying ad space and answering phones. Here's what actually helps: only use customer care numbers from the official app itself (usually under "Help" or "Support" in settings) or from the bank's official website that you go to directly, not through a search result. Never from a Google search. Never from a random website. Never from a number someone texts you.

QR Codes: The Backwards Payment Trick

QR code scams exploit a misunderstanding that's so common I'm surprised payment apps haven't plastered a giant warning banner across the screen. Many people think scanning a QR code can work both ways — that you can scan to pay or scan to receive. You can't. Scanning a QR code in a UPI app always initiates a payment from you. Always. No exceptions.

Scammers know most people don't grasp this. So they'll send you a QR code — on WhatsApp, through OLX chat, wherever — and say "scan this to receive your refund" or "scan to get your cashback" or "scan to accept the payment." You scan it, see an amount pre-filled, enter your PIN thinking you're confirming receipt, and boom. Money's gone.

I've seen variations where a scammer sends a QR code embedded in a professional-looking email claiming to be from a payment platform. "Your reward of Rs 1,500 is ready. Scan to claim." It leads to a payment page for exactly Rs 1,500 — going the other direction. Some people catch it at the last second. Many don't, especially older users who adopted UPI during the pandemic without anyone properly explaining how it works.

What makes this particularly effective is that the scammer can set any amount in the QR code. They could make it Rs 1 to test if you'll comply, or Rs 10,000 if they're feeling bold. And because the confirmation screen on some apps doesn't scream "YOU ARE ABOUT TO PAY" in large enough letters, people breeze through it. There probably should be a mandatory two-step confirmation for any QR-initiated transaction above a certain threshold, but that's between NPCI and the app developers.

SIM Swap: The One That Keeps Me Up at Night

If collect requests are the pickpocket and fake helplines are the con artist, SIM swap fraud is the full-blown heist. It's technical, it's premeditated, and by the time you notice, the damage is done.

Here's how it works. A criminal gathers your personal details — name, address, Aadhaar number, maybe your date of birth. They might get this from data breaches, from social engineering, or even from your social media profiles. With enough information, they visit a telecom store (or call the provider) and request a SIM replacement for your number, claiming the old SIM is lost or damaged. If the telecom employee doesn't verify thoroughly — and in practice, they often don't — a new SIM is issued.

Your phone goes dead. No signal. You assume it's a network issue, maybe restart your phone a couple of times. Meanwhile, the criminal's new SIM is active with your number. They receive your OTPs, reset your UPI PIN, and drain your linked bank accounts. Some victims don't realise what's happened for hours. By then, the money's been moved through multiple accounts and withdrawn as cash.

A case reported in Mumbai in early 2025 involved a businesswoman who lost over seven lakh rupees in under ninety minutes through a SIM swap. Her phone lost signal during a meeting. She figured the network was down, didn't think twice about it. By the time she borrowed someone's phone to call her provider, four transfers had already gone through.

What can you do? First, if your phone suddenly loses network signal and doesn't recover within a few minutes, don't dismiss it. Call your telecom provider immediately from another phone. Ask if a SIM replacement was requested. If it was and you didn't initiate it, that's your alarm bell. Second, set up a SIM lock PIN with your provider — most offer this, and it means any SIM swap request requires the PIN. Airtel and Jio both have this option buried in their app settings. Third, register for your bank's alert system via email in addition to SMS, so if your SIM gets swapped, you've still got a notification channel that works.

Dozens of smaller scam variants float around — reward link scams, fake payment screenshots, malicious APK files mimicking UPI apps — but the four above account for the vast majority of losses. Let's talk about what actually protects you, beyond the platitudes.

Practical Protection That Goes Beyond "Don't Share Your PIN"

Yes, don't share your PIN. Obviously. But here's what people rarely mention.

Set a daily transaction limit. Most UPI apps let you cap how much can leave your account in a day. If you typically spend Rs 5,000 per day through UPI, set the limit at Rs 10,000. Even if someone compromises your account, they can't drain it completely. You can always raise the limit temporarily for a bigger purchase. Google Pay buries this in settings. PhonePe makes it slightly easier. Check yours right now — seriously, pause reading and go look.

Turn on per-transaction SMS alerts for every linked bank account. Not just app notifications, which you might miss or dismiss. SMS alerts from the bank itself. If your SIM gets swapped you'll lose these too, but for every other type of fraud, that instant text is your early warning system. Most banks activate this by default for transactions above Rs 100, but some require you to opt in for lower amounts. Call your bank and confirm.

Don't use UPI on rooted or jailbroken phones. I know some of you have rooted your Android for custom ROMs or ad blocking. Fine for a secondary device, but a rooted phone has weakened security boundaries. Malicious apps can access UPI app data that would otherwise be sandboxed. If you must root, don't link your primary bank account on that device.

Keep only one UPI app with your main bank account. I've met people with Google Pay, PhonePe, Paytm, CRED, and Amazon Pay all linked to the same SBI account. Each additional app is another attack surface. If someone tricks you through one of them, the damage is the same regardless. Pick one or two you trust, remove the rest.

Verify before you trust. Got a collect request? Don't just check the amount — look at the sender's UPI ID carefully. Scammers create IDs like sbi.refund@ybl or paytm.support@oksbi that look official but are just regular user accounts. No bank or payment company will send you a collect request. Period. If one arrives claiming to be from your bank, it's fake.
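The collect-request mechanics above (a request always debits the approver, banks never raise one, lookalike IDs are ordinary user accounts) can be turned into a screening rule. The following is an added example, not code from the article or any UPI app; its watch-lists, the VPA format it assumes and the sample request are constructed for illustration.

```python
"""Heuristic screen for an incoming UPI collect request (added example, not
code from the article or any UPI app). It encodes the article's rules: approving
a collect request always debits the approver, no bank or payment company sends
collect requests, and lookalike IDs such as sbi.refund@ybl are ordinary user
accounts. Watch-lists and sample values are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed watch-lists: words a genuine individual's VPA local part (left of
# '@') should not carry. The PSP handle (right of '@', e.g. ybl, okhdfcbank)
# legitimately carries bank names, so only the local part is inspected.
BRAND_WORDS = ("sbi", "hdfc", "icici", "paytm", "phonepe", "gpay", "npci", "rbi")
BAIT_WORDS = ("refund", "support", "cashback", "reward", "care", "helpline")
VPA_RE = re.compile(r"^(?P<local>[a-z0-9._-]+)@(?P<psp>[a-z0-9]+)$", re.I)


@dataclass
class CollectRequest:
    payer_vpa: str      # account DEBITED if approved: the person who got the request
    payee_vpa: str      # account CREDITED: whoever raised the request
    amount_inr: float
    note: str = ""


@dataclass
class Verdict:
    risk: str           # "high", "medium" or "low"
    direction: str      # plain statement of who pays whom
    reasons: List[str] = field(default_factory=list)


def screen_collect_request(req: CollectRequest, expecting_credit_inr: Optional[float] = None) -> Verdict:
    direction = f"approving sends Rs {req.amount_inr:.2f} FROM {req.payer_vpa} TO {req.payee_vpa}"
    m = VPA_RE.match(req.payee_vpa)
    if not m:
        return Verdict("high", direction, ["payee VPA is malformed"])
    local = m.group("local").lower()
    reasons = []
    if any(w in local for w in BRAND_WORDS):
        reasons.append("payee ID impersonates a bank/payment brand; they never send collect requests")
    if any(w in local for w in BAIT_WORDS):
        reasons.append("payee ID uses refund/support-style bait wording")
    if re.search(r"\b(refund|cashback|receive|accept|claim)\b", req.note, re.I):
        reasons.append("note frames a debit as money coming in")
    if expecting_credit_inr is not None and abs(req.amount_inr - expecting_credit_inr) < 0.005:
        reasons.append("amount equals the credit you were told to expect; approving would debit you")
    risk = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return Verdict(risk, direction, reasons)


if __name__ == "__main__":
    sample = CollectRequest("me@okaxis", "sbi.refund@ybl", 1500.0, "approve to receive refund")
    v = screen_collect_request(sample, expecting_credit_inr=1500.0)
    print(v.risk, v.direction, *v.reasons, sep="\n  ")
```

The `direction` line is the one worth reading every time: it states who pays whom regardless of what the note or the sender's name claims.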

Lock your UPI app separately. Most phones have an app lock feature, and many UPI apps have their own built-in lock. Enable both. Even if someone gets physical access to your unlocked phone — maybe you left it on a restaurant table for a minute — they still can't open the payment app without your fingerprint or a separate PIN.

Never install screen-sharing apps when someone on a call asks you to. I don't care if they say they're from the RBI, from Google, from the Prime Minister's office. No legitimate support process requires you to install AnyDesk or TeamViewer. If someone asks, hang up. You aren't being rude. You're being smart.

When It's Already Too Late: What to Do After a Scam

Speed matters here. Not tomorrow. Not after lunch. Right now.

Step one: call your bank. Not the branch. The 24/7 fraud helpline number printed on the back of your debit card. Tell them your account's been compromised and you need an immediate block on outgoing transactions. Some banks can freeze the account within minutes over the phone. SBI's number is 1800-111-111. HDFC's is 1800-258-3838. ICICI's is 1800-200-3344. Save yours before you need it — add it to your contacts today.

Step two: report to the cybercrime portal. Go to cybercrime.gov.in and file a complaint under "financial fraud." You can also call 1930, which is the national cybercrime helpline. It's actually gotten better over the past year — when you call, they can sometimes initiate a hold on the fraudster's receiving account if you report quickly enough, within what they call the "golden hour." I've heard mixed results on this, but it's worth trying.

Step three: file a complaint in your UPI app. Open the app, find the specific transaction, and use the dispute or complaint feature. Google Pay's is under "Get help with this transaction." PhonePe has it under the transaction details. Include the transaction reference number. This starts a formal process with NPCI that the banks are required to respond to within a set timeline.

Step four: file an FIR. Go to your local police station. Bring screenshots of the transaction, the phone number or UPI ID of the scammer, and any chat logs. Yes, this is tedious. Yes, many police stations are unhelpful with cybercrime complaints. File it anyway. You'll need the FIR number if you escalate to the RBI later, and it creates a paper trail that can help if the investigation actually goes somewhere.

Step five: RBI Banking Ombudsman. If your bank doesn't resolve the complaint within 30 days (and banks frequently drag their feet on fraud cases), escalate to the RBI Ombudsman. You can file online at cms.rbi.org.in. Under RBI's rules, if you report unauthorised transactions within three working days and you weren't negligent — meaning you didn't hand over your PIN willingly — the bank has to credit the disputed amount back within ten working days while they investigate. Most people don't know this. Banks certainly aren't going out of their way to tell you.

One more thing on recovery. Document everything. Screenshot the fraudulent transaction. Screenshot the scammer's UPI ID and phone number. Save any WhatsApp messages or call logs. Write down a timeline of what happened while it's fresh in your memory. If you spoke to someone on the phone, note the time and approximate duration. You'll thank yourself later when you're filling out forms and the details have gotten fuzzy.

Why the "Awareness" Approach Keeps Failing

I want to say something that might be unpopular. The way India talks about UPI fraud — all these government campaigns with slogans and celebrities wagging their fingers on TV — it's not working. Or rather, it's working for people who already understand digital payments and doesn't reach the ones who need it most.

My father-in-law got a smartphone in 2024. Set up PhonePe because his pension disbursement moved to direct transfer and someone at the bank showed him how. He doesn't understand what a UPI ID is. He doesn't know the difference between a collect request and an incoming payment. He saw one government ad that said "don't share your OTP" and thought that covered everything. It didn't cover the collect request scam. It didn't cover QR code tricks. It didn't explain that the customer care number on Google might be fake.

We're pushing five hundred million people onto a digital payment rail and then blaming them individually when they fall for scams that exploit poorly designed interfaces and inadequate verification processes. Maybe NPCI could add a mandatory two-second delay with a clear "YOU ARE SENDING MONEY" confirmation before any debit. Maybe telecom companies could stop issuing replacement SIMs without in-person Aadhaar biometric verification. Maybe Google could stop accepting ads for "PhonePe customer care" from random unverified advertisers.

But those are systemic changes that require institutional will. What you can control is your own setup. So here's what I'd ask you to do — one concrete thing, right now, before you close this tab.

Open your UPI app. Go to settings. Set a daily transaction limit that's reasonable for your normal spending. Then find the app lock or PIN lock feature and enable it. These two changes take about ninety seconds combined, and they won't prevent every scam, but they'll cap the damage from the ones that get through. That's not nothing. In a country where the average UPI fraud loss runs between five and twenty thousand rupees, a transaction cap could be the difference between an annoying loss and a devastating one.

Ninety seconds. Go do it now.

Written by

Rajesh Kumar

Founder & Chief Editor

Rajesh Kumar is a cybersecurity expert with over 12 years of experience in digital privacy and data protection. He has worked with CERT-In and various Indian enterprises to strengthen their data security practices. He founded PrivacyTechIndia to make privacy awareness accessible to every Indian.
