How UPI Fraud Works: What Happened to Rajesh and Why Banks Won't Help
Real UPI fraud case from India. How scammers drain accounts in seconds, why RBI helplines fail, and 7 steps to protect yourself starting today.

Rajesh is not his real name. But everything that happened to him on a Tuesday afternoon in Gurugram is real, and it has happened to 47,000 other Indians this year alone.
The Moment It Broke
He was sitting at his desk — software engineer, 32, earning well, careful with money. His phone buzzed. A message from "ICICI Bank" (it looked right; he has had an ICICI account for twelve years). The message said: Your card has been blocked due to suspicious activity. Click here to verify.
The link looked right. It took him to a page that looked like ICICI. His muscle memory took over. He typed his username. He typed his password. He typed the 6-digit OTP that had just arrived on his phone.
Three seconds later, his UPI ID was active on someone else's phone in Bengaluru. Six minutes later, ₹84,000 was gone.
Three months of saving. For his sister's wedding outfit.
I know this because he called the CyberSathi hotline on Wednesday morning, voice steady, asking the question everyone asks: "Could I have known?"
What Actually Happened
Let me walk you through the machinery of UPI fraud as it works right now in 2024, because the truth is more intricate than "don't click suspicious links."
First: phishing pages have gotten sophisticated. Not the obvious ones that misspell "ICICI" as "1C1C1." The ones that are pixel-perfect replicas, hosted on a domain that differs by one character from the real bank — icicibank-verify.com instead of icicibank.com. Most people do not notice. Most people are thinking about something else when they tap.
Second: the OTP is not your firewall. It is the last lock on the door, and it is broken. Here is why: once a scammer has your username and password, they can initiate a UPI transaction on their device. Your OTP arrives on your phone. You think it is legitimate because the bank sent it. You read it aloud to your friend. You type it into the phishing page. And you have just handed over the final credential.
The NPCI (National Payments Corporation of India) system assumes — incorrectly — that if you have typed the OTP, the transaction is legitimate. The UPI rails move fast. By the time you realize what happened, the money has already been pushed to a mule account (a temporary bank account, often opened with forged documents), and from there it begins its journey into cryptocurrency or cash withdrawals.
Third: the banks know this is happening and they are not rushing to fix it.
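The lookalike-domain trick from the first point (icicibank-verify.com versus icicibank.com) can be checked mechanically. The Python below is an added example, not code from this article or from any bank: it treats a link as official only when its host is an allowlisted domain or a subdomain of one. The allowlist contents, the brand keywords, the function names and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the bank's real domains. The article names only icicibank.com.
OFFICIAL_DOMAINS = {"icicibank.com"}
# Assumption: brand keywords that should never appear in a non-official host.
BRAND_TOKENS = ("icicibank", "icici")


def edit_distance(a, b):
    """Levenshtein distance, to catch hosts one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url):
    """Return 'official', 'lookalike' or 'unrelated' for a link in a message."""
    if "://" not in url:
        url = "//" + url  # let urlsplit find the host in scheme-less links
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unrelated"
    # Official only if the host IS an allowlisted domain or a subdomain of it.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # The brand appearing anywhere else (extra words, a prefix label, the
    # user@ part of the URL) means the link is imitating the bank.
    if any(tok in parts.netloc.lower() for tok in BRAND_TOKENS):
        return "lookalike"
    # Typo-squats: registrable part within two edits of an official domain.
    tail = ".".join(host.split(".")[-2:])
    if any(edit_distance(tail, d) <= 2 for d in OFFICIAL_DOMAINS):
        return "lookalike"
    return "unrelated"


# Constructed sample links (not taken from a real campaign).
SAMPLES = [
    "https://www.icicibank.com/login",
    "http://icicibank-verify.com/otp",
    "https://icicibank.com.account-check.example/verify",
    "https://1cicibank.com/",
    "https://example.org/news",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```

The check that matters is the suffix match: a host that merely contains the bank's name, in any position, is never treated as official.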
Why the System Failed Rajesh
On Wednesday morning, Rajesh called ICICI's fraud helpline. He was transferred four times. Each person told him: "Sir, the transaction was initiated using your OTP. That means you authorized it."
Technically true. Practically false. But try explaining that when you are sleep-deprived and the money is gone.
RBI guidelines do exist for fraud reversal. Banks are supposed to reimburse if the fraudulent transaction was unauthorized. The bar is high, though. You have to prove negligence on the bank's part — that they should have caught it. And here is the reality: when 1,200 transactions per second flow through UPI, the banks have little incentive to build the detection layer that would catch these. It costs money. It would slow transactions down. And when the customer bears the burden of proof, the cost-benefit calculus favors the bank.
Rajesh's case is still open. Four months later, he has been asked to file a complaint with the local cyber police, obtain a copy of the FIR, escalate to the bank's grievance officer, wait for CERT-In to respond, and then submit everything to the RBI Ombudsman. No one told him that the RBI Ombudsman has a two-year backlog.
How It Spreads: The Ground Reality
I have watched this fraud vector evolve for three years. It started with crude SMS phishing. Now it lives in WhatsApp forwards from "friends" you have not heard from in six months, asking you to "verify your UPI urgently — there is a tax claim." It lives in call center fraud, where someone dials you claiming to be from your telecom operator and asks for an OTP under the guise of updating your PAN (they actually mean UPI). It lives in fake job interviews, where candidates are asked to do a "verification payment" of ₹100 via UPI from their account — the scammer captures the screen, obtains the UPI ID, and sells it to someone else.
And it is accelerating because the barriers to entry are vanishingly small. A scammer needs:
- A phishing page (costs ₹500 to ₹2,000 to host on a bulletproof server).
- A list of phone numbers (₹5,000 for 50,000 numbers from data brokers).
- A mule account (costs ₹10,000 to ₹15,000, opened with stolen PAN and Aadhaar).
- Cryptocurrency exchange account (takes 30 minutes).
Total investment: ₹20,000. If you get a 2% conversion rate — 1,000 people falling for the phishing link — and each loses an average of ₹8,000, you are looking at ₹80 lakhs in gross revenue. Minus the police raids (which happen rarely, and after the money is gone), minus the mule arrests (which do not stop the main operator), and you have a sustainable crime business.
It is simple math. And the math is winning.
The Complication: Why You Cannot Simply "Not Click"
Yes, the standard advice is: "Never click links from banks." Go directly to the app. Good advice. But let me ask you something — when you received a message saying your card was blocked, did you sit down calmly and open the app? Or did you feel a spike of panic and react? That is not weakness. That is how human beings work. Scammers are not playing checkers against you. They are playing blackmail with your sense of security.
Second: the phishing pages are improving. I have seen pages that actually authenticate against the real bank server because the scammer has a man-in-the-middle (MITM) attack running on their network. You type your credentials into the fake page. The page immediately relays them to the real bank. The real bank sends an OTP to your real phone. You read the OTP back to the scammer. The scammer enters it into the real bank's system. Your account is now compromised, and you have no way of knowing it happened until the transaction clears.
Third: the banks have not made it easy to recognize what is real. Some ICICI messages do include calls to action. Some legitimate ICICI notifications do ask you to confirm things. The delta between a real notification and a fake one is sometimes one word.
This is not a knowledge problem. This is a design problem.
The Hard Truth
The reality is this: if a scammer has your UPI ID and can convince you to give them an OTP, they can drain your account. The system is not built to defend you. It is built to move money fast. And the speed is the vulnerability.
Rajesh has not recovered any of the ₹84,000. But he has become obsessive about teaching his parents how to spot phishing. They live in a small town in Punjab. They receive messages about pension claims and court cases. They understand now that banks never ask for OTPs via message. That is the only thing that has changed.
What You Can Do Right Now
- Turn off UPI notifications for 15 minutes after a transaction. If you authorize a payment, mute your phone. If you receive an unexpected OTP during that window, you know something is wrong. Do not type it anywhere. Call your bank immediately from a separate device.
- Set up a PIN lock on your UPI app, separate from your device lock. Many phones do not have this. Add it manually. If your phone is stolen, at least they cannot instantly drain your account without the PIN.
- Verify bank messages directly. Do not click links. Instead, open your banking app directly (not via link) and check your account activity. If there is an alert, call the bank's registered phone number from your bank statement — not from Google, not from the message.
- Use a separate device for banking if possible. If you have an old tablet, use it only for bank transactions and UPI. Do not install WhatsApp or email on it. A scammer cannot phish you if they cannot reach you.
- Enable a spending limit on your UPI app. Most banks let you set a daily transaction cap. If your usual spend is ₹20,000 per day, cap it at ₹25,000. A scammer will hit the cap and be blocked. Yes, you may miss out on one emergency transfer. That is a better trade-off than losing ₹1 lakh.
- File a police report immediately. This sounds bureaucratic and futile. But the FIR is your legal record that the transaction was unauthorized. Without it, the RBI Ombudsman will not even open your case. Go to the cyber police station in your jurisdiction, take screenshots of everything, and file a first information report (FIR). Keep the copy.
- Track your bank statements weekly. UPI fraud sometimes does not drain the account in one hit. Scammers will set up recurring payments or make small recurring withdrawals to avoid detection. If you check your statement only monthly, you may not notice until thousands are gone. Weekly checks catch patterns early.
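The weekly statement check in the last step can be partly automated. The Python below is an added example, not part of the original article: it scans exported statement rows for a payee that has taken several small debits in a short span, the pattern described above. The row format, thresholds, function name and sample UPI IDs are all assumptions; adapt them to whatever your bank's export contains.

```python
from collections import defaultdict
from datetime import date


def flag_recurring_small_debits(txns, known_payees=(), max_amount=500,
                                min_count=3, window_days=30):
    """Flag payees that took min_count or more small debits within window_days.

    Thresholds are illustrative assumptions; tune them to your own spending.
    Returns {payee: {"count": n, "total": rupees}}.
    """
    small = defaultdict(list)
    for t in txns:
        if (t["type"] == "DEBIT" and t["amount"] <= max_amount
                and t["payee"] not in known_payees):
            small[t["payee"]].append((t["date"], t["amount"]))

    flagged = {}
    for payee, hits in small.items():
        hits.sort()
        # Slide a window of min_count consecutive debits over the sorted dates.
        for i in range(len(hits) - min_count + 1):
            span = (hits[i + min_count - 1][0] - hits[i][0]).days
            if span <= window_days:
                flagged[payee] = {"count": len(hits),
                                  "total": sum(a for _, a in hits)}
                break
    return flagged


# Constructed statement rows; the UPI IDs are made up.
STATEMENT = [
    {"date": date(2024, 3, 1), "payee": "grocer@examplebank", "amount": 1850, "type": "DEBIT"},
    {"date": date(2024, 3, 2), "payee": "svc9912@examplepay", "amount": 199, "type": "DEBIT"},
    {"date": date(2024, 3, 9), "payee": "svc9912@examplepay", "amount": 199, "type": "DEBIT"},
    {"date": date(2024, 3, 10), "payee": "employer@examplebank", "amount": 90000, "type": "CREDIT"},
    {"date": date(2024, 3, 16), "payee": "svc9912@examplepay", "amount": 249, "type": "DEBIT"},
    {"date": date(2024, 3, 20), "payee": "chai@examplebank", "amount": 40, "type": "DEBIT"},
]

if __name__ == "__main__":
    for payee, info in flag_recurring_small_debits(STATEMENT).items():
        print(f"{payee}: {info['count']} small debits, total ₹{info['total']}")
```

Pass the payees of subscriptions you set up yourself as `known_payees` so that only unexpected recurring debits are reported.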
