UPI Fraud: Why Your Phone Is Safer Than Your Habit
UPI fraud in India is not about weak technology—it is about one moment of trust. How scammers exploit that moment, and how to stop them.

The Moment It Happens
Delhi, Tuesday evening. A man named Rajesh—finance officer at a mid-size IT firm, salary in the low six figures, owns a flat in Sector 62—received a message on WhatsApp. The sender claimed to be from ICICI Bank's fraud department. "Your UPI has been flagged for suspicious activity. Verify now."
He clicked the link. It looked like the ICICI login page. He entered his credentials. Then came the OTP request. He typed the six digits into the form.
Within 90 seconds, ₹2,34,000 left his account.
When I asked him later why he did not verify the number before clicking, he said: "I was in a meeting. I thought it was urgent." When I asked if he had checked the sender's name in his contacts, he said: "It came from WhatsApp. I trusted it."
And here is the fact that matters: his phone was not compromised. No malware. No SIM swap. The technology worked exactly as designed. What failed was the space between his brain and his finger.
How the Scam Works—Honestly
I am going to describe this as it actually happens, not as the RBI wants to describe it in their guidelines.
The scammer has no access to your phone. They have no access to your bank. They do not have your password. What they have is your phone number—and they have learned that most Indians will trust a message that arrives during working hours, looks official, and creates a small pocket of urgency.
Here is the sequence:
Step 1: The Message
A WhatsApp or SMS arrives. It claims to be from your bank, from NPCI (which operates UPI), from the National Cyber Crime Reporting Portal, or from some urgent-sounding authority. The message says your account has been flagged, your limit has been exceeded, or a transaction is pending confirmation. None of this is true. All of it is believable during a workday.
Step 2: The Fake Link
The message contains a link. When you click it, you land on a page that looks identical to your bank's login page. This is a phishing site—usually hosted overseas, sometimes in a cloud service that the bank's own security team has not thought to block yet. I have seen sites registered in Bulgaria, Romania, Vietnam. The domain name is similar enough to fool a person who is reading fast: "icicibank-verify.xyz" instead of "icicibank.com". The human eye reads what it expects to read.
Step 3: Credential Harvesting
You log in. You do not know that the username and password you just typed are now in a spreadsheet in someone's Telegram group. The scammer now has your bank login credentials.
Step 4: The OTP Trap
The page does not take you to your account. Instead, it asks for an OTP—the six-digit code your bank sends to verify transactions. Most people at this point realize something is wrong. But some do not. Some think: "The bank is asking for this to unlock my account." So they type the OTP into the form.
The moment you do this, you have handed over the keys. The scammer now has your credentials and a valid OTP. They open your bank's app on their device using your credentials. They initiate a UPI transfer to an account they control. Your phone receives the request to confirm the transfer. But the scammer has already entered the OTP they harvested from you. The transfer processes.
Your money is gone in seconds.
Step 5: The Disappearance
The account that received the money is a mule account—opened by someone in financial distress, someone who was offered ₹5,000 to "let the money pass through." By the time you call the fraud helpline, the mule account holder is withdrawing it in cash at an ATM across town. The money reaches a final beneficiary in another city. By the time the bank has filed an FIR, the account is closed.
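The lookalike domain in Step 2 is something a mail filter, a messaging gateway or a careful reader's script can check mechanically. The Python below is an added example, not part of the original article: it classifies a link against an allowlist of official domains and flags hosts that merely contain or resemble the brand. Only "icicibank.com" and "icicibank-verify.xyz" come from the article; the 0.8 similarity threshold and the other sample links are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Allowlist of official domains. "icicibank.com" is the one the article names;
# add your own banks' domains, copied from a card or statement.
OFFICIAL_DOMAINS = {"icicibank.com"}
NEAR_MISS = 0.8  # assumed similarity threshold for misspelled brand labels


def classify_link(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a link in a message."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unrelated"
    # Official only on an exact match or a true subdomain. The leading dot
    # matters: "fakeicicibank.com" ends with "icicibank.com" but is not ours.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Text before "@" is userinfo, not the host, yet it is what the eye reads
    # first, so its labels are checked for the brand as well.
    labels = host.split(".") + (parts.username or "").lower().split(".")
    for domain in OFFICIAL_DOMAINS:
        brand = domain.split(".")[0]  # e.g. "icicibank"
        for label in filter(None, labels):
            if brand in label.replace("-", ""):  # icicibank-verify, icicibank.com.x
                return "lookalike"
            if SequenceMatcher(None, brand, label).ratio() >= NEAR_MISS:
                return "lookalike"  # near-miss spelling such as "icicbank"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; only the first two domains appear in the article.
    for link in (
        "https://www.icicibank.com/login",
        "http://icicibank-verify.xyz/otp",
        "https://icicibank.com.secure-login.example/",
        "https://icicibank.com@pay.example/",
        "icicbank.example/verify",
        "https://news.example.org/",
    ):
        print(f"{classify_link(link):10} {link}")
```

A result of "unrelated" only means the host does not imitate an allowlisted brand; the only links to treat as the bank's are those classified "official".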
Why Banks Will Not Own This
I need to be direct here, because this is where the blame-shifting happens.
The banks will tell you: "We have protected our systems. The compromise happened at the customer's end." This is technically true. It is also technically dishonest.
Yes, you clicked the link. Yes, you typed your credentials. But the bank designed a system where a customer's single moment of inattention results in total financial loss. They did this knowing—knowing—that such moments are inevitable.
Here is what they could do but do not:
- Real-time alerts with reversibility: Send an alert the moment money leaves an account, with a 5-minute window to cancel. I have seen banks in Singapore do this since 2015. Indian banks say it is "technically complex."
- Step-up authentication for large transfers: If a ₹2,00,000 transfer comes from a new or suspicious context, require a second factor verified outside the app—a call to a registered number, a security question. Banks do not do this because it increases customer support load.
- Blocking of known phishing domains: CERT-In publishes lists of phishing sites daily. Banks could block these at their gateway level, making the fake login page invisible to anyone using the bank's network. Some do. Most do not.
- Educating customers about what they will NEVER be asked: A bank will never ask for your OTP via a link. Never. But ask any auto-driver in Gurugram if his bank has sent him a single SMS saying this clearly, and he will say no.
The banks have decided that fraud is a cost of doing business. They would rather pay out the occasional claim than invest in prevention. And because the RBI's guidelines require them to refund "genuine" fraud victims within 10 days, the banks lose nothing long-term—they just shuffle the loss to an insurance company, which shuffles it to the next customer's premium.
The Hard Truth About What You Can Do
Let me not pretend that the burden is not, unfairly, on you.
You cannot control what a scammer sends you. You cannot control that your phone number is in a leaked database somewhere. You cannot control the fact that banks have normalized asking for OTPs and passwords in urgent circumstances, so that when a scammer does the same thing, it feels familiar.
What you can control is the space between stimulus and response. That space is where your safety lives.
What Actually Works
1. Understand That Banks Do Not Ask for Your OTP Through a Link
This is not a suggestion. This is a fact. Your ICICI Bank will never send you a message asking you to confirm an OTP on a link. Your State Bank of India will never ask you to log in and "verify" your account via SMS. If you receive such a message, it is a scam. Delete it. Do not open the link. Do not forward it to a friend—just delete it.
2. If in Doubt, Call the Bank Directly
Not the number in the message. Not a Google search result. Find the number on your debit card or your monthly statement—something you have physically held. Call that number. Wait on hold for 15 minutes. Confirm whether the "urgent" message was real. Nine times out of ten, it was not.
3. Never Type Your OTP Into Any Form Other Than Your Bank's Official App
If you have initiated a payment yourself through your bank's app and the app asks for an OTP, type it there. Nowhere else. Not in an SMS reply. Not in a web form. Not in an email. Not for a customer service representative who "just needs to verify."
An OTP is a one-time password. The moment you type it anywhere else, its security value is zero. Do not share it.
4. Enable All Available Notifications
Set your bank to send you a push notification for every transaction—every single one, even ₹1. Most phones now allow you to have notifications come through even if your phone is on silent. If you see a transaction you did not authorize, call the bank immediately. You may have a 5-minute window to reverse it if you act fast.
5. Use Strong, Unique Passwords
I know this sounds like advice from 2009. But most UPI fraud begins with credential theft. If your bank login password is "Rajesh123" and you use the same password for three other apps, then one data breach in some unrelated company means a scammer has your banking password. Use a password manager—Bitwarden (free) or 1Password. Generate 16-character passwords with mixed characters. Use a different password for every bank.
6. Check Your Linked Devices
In your bank app, there should be a section showing "linked devices" or "active sessions." Open it. If you see a device you do not recognize—especially one in a different city—immediately log out of all sessions and change your password.
7. Know That Reversals Are Possible But Not Guaranteed
If you have been defrauded, file a complaint immediately with your bank and with the Cyber Crime Reporting Portal (cybercrime.gov.in). The bank is required to investigate. In some cases—if the money is still in the mule account, if the transfer was recent—the bank can reverse it. But this requires you to act within hours, not days. Do not sit on it. Call. Insist. Follow up.
The Unspoken Part
The reality is that UPI has made money transfer too easy. It has democratized access to banking—that is good. But it has also compressed the friction between impulse and loss to almost nothing. A scammer sends you a message. Two minutes later, you are poor. The system works. That is the problem.
I do not have a solution that does not involve either the banks taking responsibility (unlikely) or you becoming hypervigilant about every message that arrives on your phone (exhausting, but necessary).
The scammer is betting that you are busy. That you are distracted. That you trust the familiar form of a bank logo and an urgent message. Most of the time, they win.
But if you are reading this, you do not have to be most of the time.
Action List: Protect Your UPI Today
- Go to your bank app right now. Change your password. If you have used the same password anywhere else, change those too.
- Check your linked devices list. Log out of any session you do not recognize.
- Enable transaction notifications for every rupee. Set them to high volume or vibration so you do not miss them.
- Save your bank's official customer care number as a contact. Not from a Google search—from your debit card or statement. Use only this number if you need to verify a message.
- If you receive an urgent banking message, wait 5 minutes before clicking anything. The urgency is manufactured. Real fraud alerts from your bank will also be visible when you log into your app independently.
- Test your knowledge: If a message asks you for an OTP, where will you type it? Answer: Only in your bank's official app, if you initiated a transaction. Anywhere else is a scam.
- File a complaint if defrauded. Call your bank immediately, then file a report at cybercrime.gov.in or your local cyber police station. Speed matters. Money in motion can still be stopped.

