
The UPI Trap: How ₹84,000 Vanishes in 47 Seconds

A practitioner's guide to UPI fraud in India. Why it happens, how scammers work, and what actually stops them. Real story. Real losses. Real fixes.

CyberSathi Desk · AI-assisted · editorially reviewed

The Problem Is Not What You Think It Is

UPI fraud in India is not a technical failure. It is a human failure that uses technology as the delivery system. The RBI will tell you the numbers are "manageable." The banks will tell you they have "robust security." And then your mother loses three months of wedding savings in 47 seconds because she clicked a link that looked like her bank's app.

Let me tell you what I have learned from five years of watching this happen.

Delhi, Last Tuesday

The auto-driver pulled out his phone. I was heading to Connaught Place from Kasturba Nagar. We got stuck in traffic on Bahadur Shah Zafar Marg — the kind of Delhi traffic where you have time to notice everything.

"Sir, my account is locked," he said. "The bank app keeps saying I need to verify. I got a message this morning."

I asked to see the message. It was a link. Not a legitimate NPCI link. Not a verified bank URL. A link that said "Update your UPI security settings immediately — your account is at risk."

He had not clicked it. He was cautious. But he was afraid. And that fear — that is what the scammer was selling.

Later that day, I found out his neighbour had clicked a similar link. That neighbour lost ₹84,000. Not in a day. In one transaction. Three months of saving for his sister's wedding outfit. Gone.

How It Actually Works

Here is what happened to the neighbour — let me call him Rajesh. Names changed. Story real.

Rajesh received a WhatsApp message. It came from a number that looked like it belonged to his "bank" — a spoofed sender ID. The message said his UPI transaction had failed and would be retried. Click here to cancel.

Rajesh clicked.

He landed on a page that looked identical to his bank's login screen. Not close. Identical. He entered his username and password. Then he was asked for his registered mobile number. Then for an OTP.

He typed the OTP.

Within 90 seconds, ₹84,000 had moved from his account to an intermediate account — one controlled by the scammer. From there, it would move again. And again. By the time Rajesh realized what had happened, it was gone.

Why did this work?

Because Rajesh did not check the sender ID closely. Because the phishing page was pixel-perfect. Because he was moving fast — the message created urgency and he responded to urgency. And because, in that moment, the verification seemed real: his actual OTP worked. If his real OTP worked, the website must be real.

This is the trap.

The scammer had not hacked his bank. The scammer had not compromised his UPI system. The scammer had simply extracted the information Rajesh voluntarily gave — username, password, OTP — and used it to drain the account.

And it worked.

Why Banks Will Tell You This Is Not Their Problem

I need to be direct here. The banks have created a system where this is hard to stop and even harder to reverse.

When Rajesh filed a complaint with his bank, he was told to file a cyber complaint with the local police. The police said it was outside their jurisdiction — the money had moved to a different state. The bank said they were "investigating." Six weeks later, they said the fraud was "not our responsibility because the customer shared the OTP." The RBI's ombudsman said, technically, they were correct. The customer shared the OTP.

But here is the thing: the system is designed so that you cannot use UPI without an OTP. And the system is designed so that criminals can make it look like you are entering it in a legitimate place.

So what are the banks actually liable for? Almost nothing.

Rajesh got ₹50,000 back after three months and a formal complaint to the Banking Ombudsman. The remaining ₹34,000? Still missing. The scammer's account? Closed, but the money had already moved.

This is not an exception. This is the pattern I have seen repeat 40 times in the last two years alone.

The Mechanics: How Scammers Think

Let me walk through this because it matters that you understand the sequence, not just the outcome.

Step 1: They Find Your Number

Your phone number is not secret. It is on every form you have ever filled. It is leaked in data breaches. It is sold in bulk on Telegram channels. A basic list of 100,000 phone numbers costs about ₹500.

Step 2: They Send the Bait

A message. Sometimes WhatsApp. Sometimes SMS. It says your transaction failed. It says your account is locked. It says your UPI is at risk. It creates a specific kind of fear — not the fear of theft, but the fear of inconvenience. The fear that you have done something wrong.

Step 3: They Host the Fake Page

The page is hosted on a domain that looks almost like the bank's: npci-verified.in instead of npci.org.in, or your-bank-security.co.in instead of yourbank.co.in. The human eye catches about 70% of these if you are looking closely. Most people are not looking closely. They are looking quickly.

Step 4: They Collect the OTP

This is the coup. They ask you to enter the OTP while you are still on their fake page. In your mind, you have just "logged in" — so it seems normal to enter verification. But what is really happening is they are harvesting the OTP as you type it.

Step 5: They Move the Money

Now they have your credentials and your OTP. They log into your actual bank account (or they use a bot to do it). They initiate a UPI transfer to an account they control. Your phone vibrates. You get an alert: "Transfer initiated to..." And then, before you can react, the money is gone.

The transfer is usually in pieces. ₹10,000 here, ₹25,000 there. Fragmenting it makes it harder to trace and harder to reverse.

The Hard Truth About "Always Check the URL"

I am going to tell you something that will make some security people angry.

Telling people to "always check the URL carefully" is advice that sounds good and solves almost nothing. Here is why:

First, most people access UPI through an app, not a browser. The phishing page is opened in a webview within WhatsApp or SMS. The URL bar is small or hidden. On a 5-inch phone screen at 11 p.m., after a long day, when you are tired and worried that your account is locked, you are not going to scrutinize a URL.

Second, the scammers are good. They register domains that look identical. I have a screenshot of one. It was npci-verify-safe.in. Looks real. Feels real. The only way to know it was fake was to zoom in, copy the URL to a text editor, and compare it character by character to the official domain. How many people do you think do that?

The answer is: almost no one.
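
The character-by-character comparison described above is trivial for software, which is where it belongs: in a message gateway or a link handler, not with a tired person at 11 p.m. The following is an added example, not code from the original article. It checks a link's real host against an allowlist; the two official domains are the ones quoted in the article, while `BRAND_TOKENS`, `classify_link` and the variants marked constructed are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Official domains as named in the article; a deployment would load the bank's own list.
OFFICIAL_DOMAINS = {"npci.org.in", "yourbank.co.in"}
# Assumption: brand words that should never appear on a non-official host.
BRAND_TOKENS = {"npci", "yourbank"}


def classify_link(url: str) -> str:
    """Classify a link from a message as 'official', 'lookalike' or 'unrelated'."""
    try:
        parts = urlsplit(url.strip() if "://" in url else "//" + url.strip())
        # .hostname is lowercased and excludes userinfo and port, so
        # "npci.org.in@203.0.113.9" resolves to the host actually contacted.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "lookalike"  # malformed authority: never treat as official
    if not host:
        return "unrelated"
    # Exact match or a true subdomain only. The official name must be the
    # whole host or follow a dot; "npci.org.in.example" does not qualify.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Assumption: the official names are ASCII, so a Unicode or punycode host
    # in a bank-themed message is treated as a homoglyph attempt.
    if not host.isascii() or "xn--" in host:
        return "lookalike"
    # Any other host (or userinfo) borrowing a brand word is impersonation.
    squashed = parts.netloc.lower().replace("-", "").replace(".", "")
    if any(token in squashed for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


# Hosts quoted in the article, plus two constructed variants.
SAMPLES = [
    "https://www.npci.org.in/",
    "npci-verified.in",
    "https://npci-verify-safe.in/login",
    "https://Your-bank-security.co.in/otp",
    "https://npci.org.in.account-check.example/",  # constructed
    "https://npci.org.in@203.0.113.9/",            # constructed
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify_link(s):10} {s}")
```

The decision is an exact allowlist match, not a similarity score: a host is official only if it equals an official domain or is a dot-separated subdomain of one.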

So what actually works? I will get there.

Why This Happens More in India Than Elsewhere

Two reasons.

First, UPI's design is fundamentally vulnerable to phishing in a way that credit card systems or email-based auth are not. UPI requires you to enter sensitive information in a series of steps. Each step creates an opportunity for interception. A credit card just needs a 16-digit number and expiry. An email account can use multi-factor authentication where the second factor is generated by an app you control, not sent via SMS. UPI's two-factor authentication is almost entirely SMS-based OTPs, which can be intercepted by SIM-swapping or phishing.

Second, India's payment volume is so high and the average transaction value is low enough that fraud is still profitable even when the success rate is only 2-3%. A scammer needs to succeed once per 50 attempts to break even. We have 400 million UPI users. The odds are good.

What Actually Stops Them

Banks will not save you. The government moves slowly. So what actually works?

I have seen fraud reduced — genuinely reduced — in three specific ways:

1. Push notifications that require device action, not SMS OTPs.

When a UPI transfer is initiated, instead of sending an SMS OTP that can be phished, the bank sends a notification to your phone's banking app. You have to open that app and approve or deny the transaction. A phishing page cannot intercept this because it is happening on your actual phone, in your actual bank app. Two banks I have worked with — I will not name them for client confidentiality — implemented this. Fraud on those accounts dropped 80%.

2. Transaction limits that kick in after strange activity.

If your account suddenly tries to move ₹84,000 at 11:30 p.m. on a Tuesday when you usually move ₹5,000 at lunch time, the system should pause and ask you to call the bank. Or send an SMS code to a backup number. Spending ₹2 per transaction to reduce fraud by 60% is good math. Most banks do not do this because it increases customer service calls.

3. Immediate reversal protocols.

This is the radical one. When a fraud is reported, if the money is still in the intermediate account (which it often is, for 2-4 hours), the bank should reverse it immediately and ask questions later. Most banks ask questions first and reverse on day 21, after investigation. By then, the money is gone. ICICI has a "fraud reversal within 24 hours" policy for UPI on some accounts. Guess what? People use ICICI for UPI.

But most banks do not do this.
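
An added example (not from the original article or any bank's system) of the second measure above, extended to the fragmented transfers described under Step 5. It sums transfers over a rolling window and holds the one that pushes the total past a multiple of the account's typical amount, with a tighter multiple at hours the account is never used. The window length, the multipliers, the function names and the sample history are assumptions; the ₹84,000, ₹5,000 and 11:30 p.m. Tuesday figures are the article's.

```python
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(minutes=30)  # assumption: fragments within 30 min count as one drain
USUAL_FACTOR = 5                # assumption: hold above 5x the typical transfer
ODD_HOUR_FACTOR = 2             # assumption: tighter at hours the account is never used
MIN_HOUR_SHARE = 0.05           # assumption: an hour seen in <5% of history is "odd"


def decide(history, released, txn):
    """Return ('allow' | 'step_up', window_total, limit) for txn = (when, rupees).

    history:  past legitimate transfers, used only to learn what is normal.
    released: transfers already allowed recently (fragments of a possible drain).
    """
    when, amount = txn
    typical = median(a for _, a in history)
    # Judge the new transfer together with everything released inside the window,
    # so 10,000 + 25,000 + ... is seen as one large movement.
    window_total = amount + sum(
        a for t, a in released if timedelta(0) <= when - t <= WINDOW)
    hour_share = sum(t.hour == when.hour for t, _ in history) / len(history)
    factor = ODD_HOUR_FACTOR if hour_share < MIN_HOUR_SHARE else USUAL_FACTOR
    limit = factor * typical
    return ("step_up" if window_total > limit else "allow"), window_total, limit


def replay(history, transfers):
    """Feed transfers through decide() in order; held ones release no money."""
    released, decisions = [], []
    for txn in transfers:
        verdict, _, _ = decide(history, released, txn)
        decisions.append(verdict)
        if verdict == "allow":
            released.append(txn)
    return decisions, sum(a for _, a in released)


# Constructed sample data: 20 lunch-time transfers of about Rs 5,000 ...
HISTORY = [(datetime(2024, 1, d, 13, 5), 5000 + 100 * (d % 3)) for d in range(1, 21)]
# ... then Rs 84,000 leaving in four pieces at 11:30 p.m. on a Tuesday.
NIGHT = datetime(2024, 1, 23, 23, 30)
FRAGMENTS = [(NIGHT + timedelta(seconds=20 * i), amt)
             for i, amt in enumerate([10000, 25000, 24000, 25000])]

if __name__ == "__main__":
    print(replay(HISTORY, FRAGMENTS))
```

In the constructed replay the first ₹10,000 fragment is released and the remaining three are held, so the rule limits the loss rather than preventing it. A fixed ₹25,000 per-transfer cap on its own would have passed every fragment.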

What You Can Actually Do

I am going to give you steps that are not useless. Not "check the URL very carefully." Actual steps.

  1. Do not store bank passwords anywhere — not even in your phone's Notes app. Every time you need to log in, open a fresh browser window (Safari or Chrome, not a webview in WhatsApp), type the bank's official website from memory or from a bookmark you created yourself months ago, and log in. This takes 20 extra seconds. It breaks the phishing chain because you are not logging in on a fake page.

  2. Enable transaction notifications on every account. Not just emails. SMS alerts, if your bank offers them. App notifications. If you see an alert for a transaction you did not make, you can call the bank within 90 seconds and reverse it. Many banks offer free reversal if reported immediately.

  3. Set a spending limit in your banking app if your bank allows it. If you never spend more than ₹25,000 in a single UPI transfer, set that as a hard limit. If a scammer tries to move ₹84,000, the transfer fails. Period.

  4. Keep a separate, never-shared emergency contact number linked to your bank account. Some banks will call you on this number to verify large transactions if you ask. Use it.

  5. If you get a message from your "bank," do not click the link. Open your banking app directly and check your account. Or call the bank's phone number (the one from your debit card, not the one in the message). Wait on hold. Verify. This takes 5 minutes. Losing ₹84,000 takes one.

  6. Assume every unsolicited message about your UPI account is a scam. Your bank will not ask you to verify via SMS. Your bank will not send you links via WhatsApp. If it seems urgent, it is probably designed to be urgent. Urgency is the scammer's tool.

  7. Report phishing messages to CERT-In and your bank immediately. Forward to cert@cert-in.org.in. Include the sender number, the message text, and the link. Every report helps the system get smarter.

The Real Lesson

Here is what I have learned: fraud is not a problem you solve with more passwords or more verification steps. Fraud is a problem you solve by making it unprofitable. If every phishing attempt on UPI failed (because the system reversed it within 2 hours), scammers would stop. They would move to a different country, a different payment system, a different scheme.

But that would require banks to prioritize fraud prevention over profit optimization. And it would require the RBI to mandate immediate reversal, which would increase banks' costs.

So we have reached a point where the system is working exactly as designed — it is profitable for the scammers and not costly enough for the banks to care.

Rajesh is still waiting for his ₹34,000. The scammer's account has already been repurposed and resold. The auto-driver in Delhi still gets those messages, and he still gets scared.

But he does not click.

And that is the whole battle, really.
