The UPI Trap: Why Your ₹500 Transfer Can Empty Your Account

The Message That Costs Everything

Delhi, last Tuesday. A 34-year-old accountant named Rajesh received a WhatsApp message from a number that looked like his bank's. "Suspicious transaction detected on your account. Click here to verify." He clicked. He entered his UPI PIN. He lost ₹2,11,000.

The bank later told him the money was "sent voluntarily". As if clicking a link and entering a PIN is voluntary in any meaningful sense.

I bring this up not because Rajesh is careless. I bring it up because Rajesh is careful — he updates his passwords, he does not share OTPs, he checks his balance every week. And yet. UPI fraud does not work the way we are taught to believe it works.

Why UPI Is Not What We Think It Is

UPI — the Unified Payments Interface — was built by NPCI (the National Payments Corporation of India) to be fast, frictionless, and everywhere. And it is. That is the problem.

The common understanding is this: UPI is safe because you need your PIN to send money. True. But UPI is also a consent-based system. If you enter your PIN and authorize a transfer, the bank's job is done. NPCI's job is done. The money moves. What happened before the PIN — the phishing, the trickery, the social engineering — that is treated as "user error".

I have watched this firsthand at CyberSathi Desk. In 2019, we began tracking UPI fraud complaints in earnest. Most people I spoke to had done exactly what they were supposed to do. They had been cautious. And they had still been scammed.

How It Actually Happens: The Three-Step Sequence

There are variants, but the core works like this:

Step One: The Hook. A text message arrives. Sometimes it claims to be from ICICI, SBI, or your payment app. Sometimes it claims to be from the RBI (which does not send text alerts — but many people do not know this). The message says your account is locked, or your Aadhaar has not been verified, or there is a security threat. Urgency is the key ingredient. People do not think carefully when they are afraid.

Step Two: The Landing. You click the link. It takes you to a website that looks identical to your bank's website. Not close. Identical. The colors are right. The logo is right. The URL is almost right — maybe "icici-bank-verify.in" instead of "icicibank.com". If you are in a hurry (and you are, because the message said your account is at risk), you do not notice the difference.

You enter your username. Your password. Sometimes your Aadhaar number. Sometimes just your mobile number and the OTP that arrives on your phone (the scammer is phishing for that too, in real time, as you receive it).

Step Three: The Drain. You are redirected to your real bank website. Your account is still there. Your balance is still there. Everything looks normal. You think the verification is done, the crisis is over. You close the browser and get on with your day.

Five minutes later, your phone buzzes. A transaction notification. ₹50,000 sent to an account you do not recognize. Then another. Then another.

Now they have your credentials. They log in to your actual UPI app (or create a new UPI request using your registered mobile number, a feature many people do not understand). They send money out. Each transfer requires a PIN — but the PIN you gave them on the fake website is the same PIN you use for everything.

By the time you realize what is happening, the account is empty. And the bank tells you it was voluntary.

The Second Wave: The Social Engineer

There is another variant, and it is harder to defend against because it relies not on your passwords but on your trust.

You receive a call from someone who says they are from your bank's customer service. Their voice sounds professional. They have your account details — your name, your last four digits of your account number, sometimes even your recent transaction history (scraped from the dark web or bought from a disgruntled bank employee). They say there has been suspicious activity and they need to "verify" your details. Could you please share your OTP?

Or they say: "Sir, we are upgrading your UPI limit. Can you generate a payment request for verification?"

You generate the request. Thinking it is just a test, a confirmation. But payment requests in UPI can be captured by the scammer and sent back to you — and when you accidentally approve them, money flows out instead of in.

I know a woman in Bengaluru who did this. She thought she was transferring ₹1 to test the upgrade. She actually sent ₹1,00,000 to a mule account (an account controlled by someone else, usually a third or fourth party removed from the scammer). By the time she realized, it was gone.

The bank said, "You generated the request and authorized it. This is a civil matter, not a criminal one. You can file a case, but recovery will take years."

Years. For money that was stolen in seconds.

The Hard Truth: Banks Do Not Care

I will be direct about this because I have seen the pattern repeat too many times to soften it.

Banks have built a liability shield around UPI. From their perspective, UPI fraud is not fraud — it is "unauthorized transaction" or "user negligence". From the RBI's perspective, the NPCI-driven system is working as designed. Money is moving. Settlement is happening. The fact that some of that money is moving to criminals is a problem that belongs to you.

Yes, there is a fraud helpline. No, it almost never works before 9 a.m. on a Monday or after 6 p.m. on a Friday. Yes, you can file a complaint. No, it will not be treated with urgency. Yes, you can escalate to the RBI Ombudsman. Yes, that process is free. And yes, it can take six to eighteen months.

Meanwhile, your money is in a mule account, being withdrawn as cash by someone who has been paid ₹500 to make the deposit and withdrawal. That person does not know who they are working for. They are just trying to make a quick earning. By the time the police trace the mule account, the original scammer is already running the same scheme on someone else.

What Actually Works: Not What You Think

Let me be clear about what does not work:

• Checking the URL carefully. (Phishing websites are too good now.)
• Using a strong password. (You are not entering it on the real website.)
• Enabling two-factor authentication. (The second factor is often a new OTP the scammer captures in real time.)
• Calling your bank to verify. (The phone number you call might also be controlled by the scammer, especially if you got it from the phishing message.)

Here is what actually works:

One: Assume every unexpected message is fake. This is not cynical. This is rational. Your bank will not ask you to verify your details via a link in a message. Your bank already has your details. If there is a genuine problem, log in to the app directly — do not use a link from the message — and check. If nothing is there, the message was fake.

Two: Never share your OTP with anyone. This includes people who say they are from your bank. Your bank's real employees have access to your account. They do not need your OTP. If someone is asking for your OTP, they are scamming you.

Three: Understand payment requests. In UPI, there are two types of transactions: you can send money, or someone can request money from you. Many people approve payment requests without understanding what they are approving. You are not just confirming a request — you are authorizing a debit from your account. If someone sends you a payment request, call them on phone before you approve it.

Four: Use a separate device or browser for banking. If you use the same phone for WhatsApp, social media, and banking, malware on one app can give scammers access to the others. This is expensive advice, I know. But it is the only way to be certain.

Five: Turn on transaction alerts. This will not prevent fraud, but it will help you catch it faster. The moment money leaves your account, you will know. Fast action — calling your bank and the police, filing a cybercrime complaint — can sometimes freeze the receiving account before the money is withdrawn.

Six: Freeze your UPI if you feel unsure. Most banks allow you to disable UPI temporarily from the app itself. If you are worried, turn it off until you have time to check your account or call the bank (using a number you know is real).

Why This Keeps Happening

The reason UPI fraud is rising is not that scammers are smarter. It is that UPI is ubiquitous. A auto-driver uses it. A shopkeeper uses it. A grandmother uses it. For criminals, this is a lottery machine where almost every ticket is purchased by someone who has the habit but not the paranoia.

And the system — the banks, the RBI, the police — has not caught up. A UPI fraud victim in a tier-2 city often cannot even file an online complaint. A cybercrime helpline in many states has three officers managing complaints from three million people. When you call the bank's fraud department, you are placed in a queue with six hundred other people.

The system is drowning, and it is pretending it is not.

I believe that will change. Not soon, but eventually. When enough people have lost enough money, when the RBI starts treating UPI fraud as seriously as it treats data breaches, when banks are held accountable for negligent UPI design, things will shift. Until then, the burden is on you. Which is unfair. But it is true.

Five Things You Can Do Right Now

1. Go to your bank's app and check your registered mobile number and email address. If the scammer has changed these, they can receive OTPs you do not see. Correct any details that are wrong.

2. Enable UPI transaction alerts on your phone (not just email). SMS alerts are faster and harder to intercept than email. Check your bank app settings.

3. Create a list of real customer care numbers for each of your banks. Write them down or save them in a separate contact list. Do not rely on a number from a message or email.

4. If you receive a suspicious message, forward it to your bank's official fraud reporting email address (usually something like fraud@bankname.com). Do not click any links. Just forward.

5. Ask your bank if your UPI can be protected with an additional PIN or biometric check. Not all banks offer this, but many do. It adds a second layer between the scammer and your money.