Security

UPI Fraud in 2026: The 10 Active Scams and the 5-Step Safety Setup

July 10, 202616 min read
UPI Fraud in 2026: The 10 Active Scams and the 5-Step Safety Setup
Dharmendra Asimi

Dharmendra Asimi

SEO Expert & WordPress Professional since 2005

Cyber Kavach, the self-defence security series by Dharmendra Asimi

Cyber Kavach Ā· Article 5 of 5

The self-defence series for your digital life. No jargon, no fear-selling. Free tools, clear steps, and checks you can run yourself in minutes.

The electrician who services my building sold an old inverter on OLX last year. The "buyer" was enthusiastic, agreed to full price, and said he had sent the money on PhonePe, just approve the request and enter your PIN to receive it. He approved. He entered his PIN. Rs.18,000 left his account in the time it takes to read this sentence, most of what he had in it. He did everything the scammer said because it sounded exactly like how he imagined receiving money worked.

That misunderstanding, repeated across millions of phones, is why India lost Rs.805 crore to UPI fraud in just the first eight months of FY26, across 10.64 lakh reported incidents. A LocalCircles survey found 1 in 5 UPI users has faced a fraud attempt, and 51% of victims never report it, so the real numbers run higher still.

Here is what makes UPI fraud beatable: almost every active scam exploits the same two or three misunderstandings about how UPI works. Fix those, add a 20-minute safety setup, and you become a hard target. This final article of the Cyber Kavach opening season gives you all ten active scams and the five-step setup, plus the family-sized safety card to forward to your WhatsApp groups.

Short answer

One iron rule defeats most UPI fraud: you NEVER enter your UPI PIN and NEVER scan a QR code to RECEIVE money. Receiving requires nothing from you. The PIN only sends. Every "approve this request to get your refund", "scan this code to receive payment", and "enter PIN to claim cashback" is theft in progress.

Then harden your setup in 20 minutes: app lock separate from your phone unlock, per-transaction and daily limits, a separate limited-balance account linked to UPI, no screen-sharing apps installed, and transaction alerts you actually read. If fraud happens, call 1930 inside the first hour and file at cybercrime.gov.in; RBI's rules give you zero liability when you report unauthorised transactions within 3 working days.

How big is UPI fraud, and why does it keep growing?

UPI is a victim of its own success. NPCI's own statistics show UPI processing over 16 billion transactions a month, which makes India's payment rails the busiest on the planet. The fraud percentage is tiny; the absolute numbers are not. UPI frauds jumped 85% in FY24 and the trend has held: Rs.805 crore lost between April and November 2025 alone, per data presented in Parliament.

The growth engine is not technical weakness. UPI's cryptography is fine. The engine is social: hundreds of millions of newer users whose mental model of "how receiving money works" was formed by scammers rather than by their bank. Every scam below is social engineering wearing a payments costume, the same species of manipulation I covered in the digital arrest article and the suspicious links guide.

šŸ”µ Quick Stat

1 in 5 UPI users has faced a fraud attempt (LocalCircles), and 51% of victims never report, mostly from embarrassment or "it was only a small amount". Unreported fraud is free money for scammers: the same mule accounts keep working, and the same scripts keep running. Reporting at 1930 is not just about your refund, it burns the infrastructure for everyone after you.

What are the 10 active UPI scams in 2026?

Every one of these is running right now. Each entry: how it works, and the tell that gives it away.

1. The collect-request reversal

A "buyer" or "refund desk" sends a UPI collect request and tells you approving it will pay you. Approving it plus your PIN sends YOUR money out. Tell: receiving money never needs approval or a PIN.

2. The QR-to-receive lie

"Scan this QR to receive your payment / refund / prize." A UPI QR can only pull money FROM the scanner. Tell: you share your UPI ID to receive; you never scan.

3. The screen-share takeover

"Support" asks you to install AnyDesk or TeamViewer so they can "fix" an issue. They watch your PIN and OTPs live and drain the account. Tell: no real bank or app support ever needs to see your screen.

4. The fake customer care number

You Google a helpline for PhonePe, your bank, or a courier, and call a scammer's number planted in search results, maps listings, or social posts. Tell: only use the number inside the official app or on the back of your card.

5. The fake payment screenshot

Aimed at shopkeepers: a "customer" shows a doctored success screenshot or plays a fake payment-sound app and walks out with goods. Tell: trust only your own app's credit notification or your soundbox, never their screen.

6. The wrong-transfer plea

"I sent Rs.10,000 to your number by mistake, please return it." The original credit is from a stolen account or faked entirely; your "return" is clean money to their mule account. Tell: tell them to reverse it through their own bank; never send money yourself.

7. AutoPay mandate abuse

What you approve as a "one-time Rs.99 verification" is actually a recurring mandate that charges monthly. Tell: read the approval screen; it says clearly whether it is one-time or a mandate.

8. Cashback and reward phishing

"You've won Rs.4,999 cashback!" links open fake UPI pages that harvest your credentials, or trigger collect requests dressed as claims. Tell: real cashback lands automatically; anything you must "claim" with a PIN is theft.

9. Cloned and fake UPI apps

Lookalike apps sideloaded from links (never the Play Store) that skim credentials, plus fake "payment success" generator apps used against merchants. Tell: install payment apps only from official stores; recall the APK rule from article 4.

10. KYC-expiry links

"Your PhonePe/Paytm KYC expires today, update via this link or lose access." The link phishes credentials or installs a screen reader. Tell: KYC is never updated through SMS links; open the app directly and check.

šŸ”“ The Iron Rule

Scams 1, 2, 5, 6, and 8 all die against one sentence: receiving money on UPI requires nothing from you. No PIN, no QR scan, no request approval, no claim button. The PIN exists only to send. Anyone who tells you otherwise, buyer, refund desk, lottery, bank, or "support", is running a theft, and the correct response is to stop responding.

The 5-step UPI safety setup (20 minutes, once)

Prevention beats refunds. These five steps turn a successful scam from a catastrophe into a small loss, and most people never do any of them.

1

App lock, separate from your phone unlock. Set a different PIN or biometric requirement to open the UPI app itself. A snatched unlocked phone then cannot pay.

2

Set per-transaction and daily limits. Inside the app and with your bank. If you rarely send more than Rs.10,000, cap it there. Scams that need one big transfer hit the ceiling.

3

Link a separate, limited-balance account. The strongest move on this list: a basic account holding only weekly spending money is the only account your UPI apps ever see. Your salary and savings become unreachable through UPI entirely.

4

Remove screen-sharing apps. If AnyDesk, TeamViewer, or similar are on your phone without a current, specific reason, uninstall them today. Their absence breaks scam #3 completely.

5

Alerts on, mandates audited. Enable SMS and app notifications for every debit, read them, and review your AutoPay/Mandates list today, revoking anything unrecognised. Merchants: trust your own credit alert or soundbox, never a customer's screen.

🟢 Pro Tip

Do step 3 first if you do nothing else. A zero-balance account takes minutes to open online, and moving your UPI apps onto it converts every future scam, PIN leak, or phone theft from "my savings are gone" into "I lost this week's chai money". It is the single highest-impact change in this entire series, and it costs nothing.

What are your rights when fraud happens? RBI's rules, plainly

RBI's framework on customer liability for unauthorised electronic transactions is clearer than most people think:

  • Zero liability when the fraud came from a third-party breach (not your negligence) and you report within 3 working days of learning about it.
  • Capped liability (Rs.10,000 for basic accounts, Rs.25,000 for most savings accounts) when you report within 4 to 7 working days.
  • Beyond 7 days, the bank's own board-approved policy decides.

The honest caveat: when a victim was tricked into entering the PIN themselves, banks frequently classify the transaction as authorised, which weakens the refund claim. That legal grey zone is exactly why the iron rule and the safety setup above matter more than any after-the-fact remedy, and why the golden hour matters most of all.

🟔 Did You Know

If you ever change your mobile number, delink it from UPI and your bank FIRST. Telecom operators recycle inactive numbers after a few months, and the new owner of your old number can receive your OTPs and, in documented cases, register UPI against accounts still tied to it. Update the number with your bank before you abandon the SIM, not after.

The golden hour: what to do the moment fraud happens

  1. Call 1930 immediately. The freeze system works best while the money is still hopping between mule accounts. Minutes matter.
  2. File at cybercrime.gov.in with transaction IDs, screenshots, and the fraudster's UPI ID or number. Keep the acknowledgement number.
  3. Report inside your UPI app and to your bank's fraud line the same day, and put the report in writing (email works) to start the RBI liability clock in your favour.
  4. Report even if it feels too small or too late. Your report burns their mule account for the next victim, and late freezes still sometimes catch a hop.

The Cyber Kavach series: the complete season

This article closes the opening season of Cyber Kavach. All five, in reading order:

Every article pairs with a free printable resource on the Free Resources page. For this one, download the UPI Safety Card, a single phone-sized card with the iron rule, the 5-step setup, and the 1930 emergency flow, built to be forwarded to every family WhatsApp group you are in.

Frequently asked questions

How common is UPI fraud in India?
Rs.805 crore lost across 10.64 lakh incidents in the first eight months of FY26, after an 85% jump in FY24. LocalCircles found 1 in 5 UPI users has faced an attempt and 51% of victims never report. UPI itself is safe by percentage; the absolute victim count is huge.

What is the single most important UPI safety rule?
You never enter a PIN or scan a QR code to RECEIVE money. Receiving requires nothing. The PIN only sends. Every claim otherwise is theft in progress.

What is the collect request scam?
Scammers send a money request dressed as an incoming payment ("approve to receive"). Approving plus PIN sends your money out. Read notifications slowly: "request FROM" means money leaves if you approve.

Why are screen-share apps dangerous with UPI?
AnyDesk or TeamViewer lets a "support agent" watch your PIN and OTPs live and direct transfers. No genuine support process ever needs your screen. Uninstall them.

Can I get my money back after UPI fraud?
Often, if you call 1930 within the first hour and file at cybercrime.gov.in, freezes catch money mid-hop. RBI gives zero liability for unauthorised transactions reported within 3 working days, capped within 7.

What are RBI's liability rules?
Zero liability reporting within 3 working days (third-party fraud), capped at Rs.10,000-25,000 within 4-7 days, bank policy after that. If you entered the PIN yourself, banks may treat it as authorised, so prevention beats remedy.

Is UPI AutoPay safe?
Yes for genuine subscriptions, but audit your mandates today and revoke unknowns. At approval time, check whether the screen says one-time payment or recurring mandate before entering your PIN.

Should my main account be linked to UPI?
Ideally no. Link a separate limited-balance account and top it up weekly. It is the highest-impact protection available and costs nothing.

Cyber Kavach series logo

Cyber Kavach Ā· Free Resource

Download the UPI Safety Card, one phone-sized card with the iron rule, the 5-step setup, and the 1930 emergency flow. Forward it to your family groups today.

About the author

Dharmendra Asimi is an SEO Expert and WordPress Professional based in Bangalore, India. Founder of Aapta Solutions (established 2007), he has built, secured, and managed websites and payment integrations for hundreds of Indian businesses since 2005, including Razorpay and UPI-based checkout flows. Cyber Kavach is his self-defence series for everyday digital safety. Read his full bio, explore technical consulting, or book a free 15-minute call if your business handles online payments and wants its stack hardened. The whole series and every printable checklist live on the Free Resources page.

Cyber KavachUPI FraudUPI ScamPhonePeGoogle PayPaytmOnline Payment SafetyRBINPCI1930 Helpline
Share:

Enjoyed this? Get the next one in your inbox

Join readers getting practical guides like this every week. Free, unsubscribe anytime.

  • One practical article a week, no fluff
  • Free checklists and self-check PDFs first
  • SEO, WordPress, AI search, and online safety
16 min read
0%
DHARMENDRA ASIMI