How Scammers Steal Money via UPI — 7 Scams Indians Fall For and How to Avoid Them — RozHisab

How Scammers Steal Money via UPI — 7 Scams Indians Fall For and How to Avoid Them

✍️ RozHisab Team 📅 08 May 2026 ⏱ 16 min read

ℹ️ Disclaimer: This article is for general educational and awareness purposes only. Scam tactics evolve constantly. The examples described are based on documented patterns reported by RBI, NPCI, I4C, and cybersecurity researchers as of 2026. Always verify information directly with your bank or official government portals. RozHisab is a personal finance tracking tool — not a cybersecurity or fraud recovery service. If you have been defrauded, contact the Cyber Crime Helpline at 1930 or file a complaint at cybercrime.gov.in immediately.

Here is a number that should stop every Indian UPI user in their tracks:

₹2,145 crore.

That is the total amount Indians have lost to UPI-related frauds since FY 2022-23, across 27 lakh reported cases — according to Ministry of Finance data presented in the Lok Sabha.

In just the first six months of FY 2024-25, there were 6.3 lakh fraud cases with losses of ₹485 crore. The RBI's 2024-25 Annual Report recorded a 34% year-on-year increase in digital payment fraud cases.

And a LocalCircles survey found that 1 in 5 Indian families has experienced UPI fraud at least once in the last three years.

Here is the most important thing to understand about all of these cases: almost none of them involved hacking the UPI system itself.

UPI is technically secure. The problem is not the technology. The problem is that scammers have become extraordinarily good at manipulating the humans who use it — using fear, urgency, greed, and confusion to make you hand over your money voluntarily.

This article explains exactly how each of the 7 most common UPI scams works — the specific words scammers use, the psychological triggers they exploit, and the exact steps to protect yourself.

Read this. Share it with your parents. Share it with anyone who uses UPI.

The One Rule That Prevents Most UPI Fraud

Before the 7 scams — one rule that single-handedly prevents the majority of UPI fraud in India:

🔐 You NEVER need to enter your UPI PIN to RECEIVE money.

Your UPI PIN is only required when YOU are sending money. If anyone asks you to enter your PIN, scan a QR code, or approve a request to receive a payment — it is always a scam, without exception.

Every scam in this article ultimately exploits one confusion: the victim believes they are authorising a receipt when they are actually authorising a payment. Keep this rule in your mind and you will never fall for it.

Scam 1 — The Fake Collect Request Scam

How it works:

You receive a notification on your PhonePe or Google Pay app — it looks exactly like a legitimate collect/payment request. The scammer has sent you a "collect request" — a feature where one UPI user requests money from another.

The scammer calls you and says:

"Sir/Ma'am, I am sending you ₹5,000. Please approve the request on your app to receive the money."

You see a notification on your app. You "approve" it. Your UPI PIN is requested. You enter it.

₹5,000 leaves your account. Not enters. Leaves.

Why people fall for it: The notification genuinely exists — it is a real UPI collect request. The app interface shows an amount and asks for approval. In the confusion of the moment, many people interpret the notification as "money coming in" rather than "money going out."

Common scenarios scammers use:

  • "I'm buying your OLX/Quikr item. Approve this to receive the payment."
  • "This is your refund from Amazon/Flipkart. Please approve to receive it."
  • "I am your bank's customer care. We are testing your account. Please approve this small amount — it will be reversed immediately."
  • "You have won a cashback of ₹1,000. Approve the request to claim it."

The protection: Never approve any collect request from someone you do not personally know. If you see a collect request on your app — reject it immediately unless you initiated the transaction yourself. From October 2025, NPCI discontinued P2P collect requests permanently — but merchants and known contacts can still send them. Any collect request from an unknown number is a red flag.

Scam 2 — The QR Code Scam

How it works:

This scam exploits one fundamental misunderstanding about QR codes that a surprisingly large number of Indians still have:

A QR code can ONLY be used to make a payment (send money). It CANNOT be used to receive money.

Scammers send you a QR code with the message:

"Scan this QR code to receive your refund."
"Scan to collect your prize money."
"Scan this to verify your account and receive ₹50."
"Scan to get your advance salary."

When you scan the QR code, your UPI app shows an amount and asks for your PIN. You enter it. That amount leaves your account and goes to the scammer.

The physical QR code variant: Scammers physically replace QR codes at shops, temples, parking areas, and donation boxes with their own QR codes. Customers pay thinking they're paying the legitimate merchant — but the money goes to the scammer. In January 2026, a Pune sweet shop owner discovered his QR had been replaced after customers paid ₹14,000 to a scammer over three days.

Common scenarios:

  • OLX/Quikr buyers who say "I'm sending you the payment via QR"
  • Part-time job recruiters who say "Scan to receive your first week's salary"
  • Fake refund agents claiming "This QR will credit your refund"
  • Replaced QR codes at physical merchants

The protection: Never scan a QR code to receive money — it is not possible. QR codes only initiate payments from you. At physical shops, verify the merchant name that appears in your app after scanning before confirming. If the name doesn't match the shop — don't pay and alert the shopkeeper.
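For the replaced-QR variant, a shop owner can periodically scan the code on display and check the decoded text against their own UPI ID. The sketch below is an added example, not part of the original article; it assumes the standard `upi://pay` QR payload with the payee address in the `pa` parameter, and the UPI IDs and sample payloads are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample payloads (text decoded from a QR code), not real accounts.
GENUINE = "upi://pay?pa=sweetshop@examplebank&pn=Example%20Sweets&cu=INR"
REPLACED = "upi://pay?pa=other.payee@examplebank&pn=Example%20Sweets&cu=INR"


def parse_upi_qr(payload):
    """Return the query parameters of a UPI payment QR payload.

    Every value is a list, so repeated parameters stay visible to the caller.
    """
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() != "upi" or parts.netloc.lower() != "pay":
        raise ValueError("not a UPI payment QR payload")
    return parse_qs(parts.query, keep_blank_values=True)


def check_displayed_qr(payload, expected_vpa):
    """Return a list of problems; an empty list means the QR pays expected_vpa."""
    try:
        params = parse_upi_qr(payload)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    payees = params.get("pa", [])
    # The display name (pn) is chosen by whoever generated the QR, so a
    # replaced code can carry the shop's own name. Compare the address only.
    if len(payees) != 1:
        problems.append(f"expected exactly one payee address, found {len(payees)}")
    elif payees[0].strip().lower() != expected_vpa.strip().lower():
        problems.append(f"payee address is {payees[0]!r}, not {expected_vpa!r}")
    return problems


if __name__ == "__main__":
    for label, payload in (("genuine", GENUINE), ("replaced", REPLACED)):
        issues = check_displayed_qr(payload, "sweetshop@examplebank")
        print(label, "OK" if not issues else issues)
```

Both sample codes carry the same display name, which is why the check ignores `pn` and why customers should rely on the name their app shows before they confirm.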

Scam 3 — The Screen Sharing App Scam

How it works:

This is one of the most dangerous UPI scams because once it works, the scammer has complete control of your device — and by extension, all your financial apps.

A scammer calls you posing as customer care from your bank, PhonePe, Google Pay, or a government agency. They say there is a problem with your account — a KYC issue, a suspicious transaction, a technical error — and they need to "verify" your device remotely.

They ask you to install one of these apps:

  • AnyDesk
  • TeamViewer
  • QuickSupport
  • Remote desktop or screen share apps

Once you install and share the 9-digit access code with them — they can see everything on your screen in real time, including your UPI PIN as you type it, your OTPs as they arrive via SMS, and your bank balance.

While they're watching your screen, they guide you to open your banking app — under the pretext of "resolving the issue" — and watch as you enter your PIN. They can then initiate transactions from their side using the information they've captured.

The protection: No legitimate bank, UPI app, or government agency will ever ask you to install a screen sharing app. Never install AnyDesk, TeamViewer, or QuickSupport at anyone's request. If you've already installed these apps — uninstall them immediately. The only legitimate use for these apps is within corporate IT environments — never for banking support.

Scam 4 — The Fake Customer Care Number Scam

How it works:

You search Google for "PhonePe customer care number" or "HDFC Bank UPI helpline" or "Paytm support contact."

The first result — or a sponsored result above it — shows a phone number. You call it. A professional-sounding person answers, uses the bank's name confidently, and asks you to "verify" your account.

They ask for:

  • Your UPI PIN (banks never ask for this — ever)
  • Your OTP received via SMS
  • Your debit card number and CVV
  • Your registered mobile number and date of birth

With this information, they drain your account within minutes.

The scale of this problem: In Q2 2026, the Indian Cyber Crime Coordination Centre (I4C) removed 4,200 fake customer care pages from Google — meaning the fraudulent pages outnumber legitimate ones significantly in some searches.

Common trigger scenarios:

  • You had a failed UPI transaction and are looking for a refund
  • You need to update KYC on a payment app
  • You received a message saying your account will be deactivated
  • You're trying to raise a dispute on a payment platform

The protection: Never get customer care numbers from Google. Always find official numbers from: the back of your debit card, the official bank website (type the URL directly — don't click links), or the official app's in-app support section. No legitimate customer care will ever ask for your UPI PIN or OTP. If they ask — hang up immediately.

Scam 5 — The SIM Swap Fraud

How it works:

This is the most technically sophisticated scam on this list — and the most financially devastating. Average losses from SIM swap fraud range from ₹2 lakh to ₹25 lakh because it targets high-balance accounts.

The scammer first gathers your personal information — name, address, date of birth, Aadhaar number — from data breaches, social media, or social engineering calls.

They then visit a telecom store with forged documents, impersonate you, and get a new SIM issued for your mobile number. Your phone loses signal. The scammer's new SIM now receives all OTPs and calls meant for your number.

Within hours, they:

  • Reset your UPI credentials using OTPs received on the new SIM
  • Access your banking apps
  • Transfer money out of your accounts

By the time you report the signal loss, your account may be empty.

Warning signs:

  • Your phone suddenly loses signal for no apparent reason
  • You receive a message saying "Your SIM has been activated on a new device"
  • You stop receiving calls and SMS unexpectedly
  • You receive an OTP for a transaction you did not initiate

The protection: If your phone suddenly loses signal — call your telecom operator immediately from another phone to report a possible SIM swap. Enable SIM change alerts via TRAI's portal. The Department of Telecommunications implemented a 5-day SIM swap cooling period in 2025 — meaning a newly issued SIM cannot be used for mobile banking for 5 days. Enable separate login PINs on your banking apps independent of your phone PIN. Consider setting a UPI transaction limit below your full balance.

Scam 6 — The Digital Arrest Scam

How it works:

This is the fastest-growing and most psychologically coercive scam in India in 2025-2026. According to MHA data, senior citizens lost more than ₹20 billion through impersonation and coercion-based scams — digital arrest being the primary method.

You receive a call — sometimes a video call — from someone claiming to be:

  • A CBI/ED/Income Tax officer
  • A police officer from the Cyber Crime Cell
  • A Customs official
  • A Supreme Court judge's secretary
  • A TRAI (telecom regulator) officer

They tell you that:

  • Your Aadhaar number was used to open a bank account involved in money laundering
  • A package in your name was intercepted at customs containing illegal goods
  • Your phone number is linked to a crime
  • There is a warrant for your arrest

They say you are under "digital arrest" — meaning you must stay on the video call and must not contact anyone else or you will be physically arrested. They keep you on the call for hours — sometimes entire days — while demanding you transfer money as "bail" or "security deposit" that will "be returned after verification."

Why it works on intelligent people: The scammers use real government logos, appear in police uniforms, have fake "court order" documents, and speak with authority. The fear of arrest combined with the isolation tactic (don't tell anyone or you'll be arrested) creates a state of panic that overrides rational thinking even in educated, financially savvy individuals.

Critical fact: No Indian government agency — CBI, ED, Income Tax, Police, TRAI, or any court — will ever conduct an arrest or legal proceeding via a phone call or video call. There is no such thing as "digital arrest" in Indian law. If someone tells you you're under "digital arrest" — hang up.

The protection: If you receive such a call — hang up. Call a family member immediately. Call the Cyber Crime Helpline on 1930. No legitimate agency will keep you on a call for hours or prevent you from consulting a lawyer or family member. Prime Minister Narendra Modi specifically addressed digital arrest scams in his Mann Ki Baat address in 2024 — calling it a major national threat.

Scam 7 — The OLX / Marketplace Fake Payment Screenshot Scam

How it works:

You have listed an item for sale on OLX, Quikr, Facebook Marketplace, or any other platform. A "buyer" contacts you expressing interest. They say they want to pay via UPI and ask for your UPI ID or phone number.

Minutes later, they send you a screenshot of a UPI payment showing your phone number as the recipient and the agreed amount as transferred.

They say: "I've already paid. Please check and confirm receipt."

You check your phone — no payment has arrived. They say: "It's a banking delay. Please send the item first and the amount will arrive in 30 minutes."

In a variation of this scam, if you wait, they send a UPI collect request and say: "You need to approve this to confirm your UPI ID is correct so I can complete the transfer."

The screenshot is fake. Payment screenshots can be edited trivially. A screenshot of a payment is not proof of payment.

The protection: Only confirm receipt when money physically appears in your bank account — not when someone shows you a screenshot. Check your bank balance directly, not just UPI notifications. Never hand over goods or services until the payment reflects in your account. For high-value items, meet the buyer in person and wait for the payment to reflect before releasing the item.

What To Do Immediately If You Are Scammed

Speed is the most critical factor in UPI fraud recovery. The first 24 hours determine whether any money can be recovered.

Step 1 — Call 1930 within minutes:
The National Cyber Crime Helpline number is 1930. This is a 24/7 helpline that can freeze fraudulent accounts before the money is withdrawn. The faster you call, the higher the probability of recovery. Have your transaction ID, amount, recipient UPI ID, and time of transaction ready.

Step 2 — File complaint on cybercrime.gov.in:
Go to cybercrime.gov.in and file a formal complaint under "Financial Fraud." You will receive a complaint number — keep this for all future follow-ups with your bank and police.

Step 3 — Contact your bank immediately:
Call your bank's official helpline (from the number on the back of your card — not from Google) and request a chargeback or fraud investigation. Provide the complaint number from Step 2.

Step 4 — Contact the UPI app's official support:
PhonePe: 08068727374
Google Pay: In-app support or gpay.app/help
Paytm: 0120-4456456
Report the transaction as fraudulent within the app.

Step 5 — File an FIR with local police:
For amounts above ₹1 lakh, file a First Information Report (FIR) at your local cyber crime police station. The cybercrime.gov.in complaint is separate from the FIR — both are needed for serious amounts.

Important — RBI's Zero Liability Framework: If the fraud occurred without any negligence on your part (such as a bank system failure) and you report within 3 working days — your liability is zero under RBI guidelines. If the fraud occurred partly due to your actions (like sharing OTP) but you report within 7 working days — your liability is limited to a maximum of ₹5,000–₹25,000 depending on your account type. Beyond 7 days — recovery becomes significantly harder.

The 10 Golden Rules of UPI Safety

  • 🔐 Rule 1: Never enter your UPI PIN to receive money — PIN is only for sending.
  • 📷 Rule 2: Never scan a QR code to receive money — QR codes only initiate payments.
  • 📞 Rule 3: Never get customer care numbers from Google — use only the number on your card or official app.
  • 📱 Rule 4: Never install AnyDesk, TeamViewer, or screen sharing apps at anyone's request.
  • 🚫 Rule 5: Never share your UPI PIN, OTP, or card CVV with anyone — not even someone claiming to be from your bank.
  • ⚖️ Rule 6: There is no such thing as "digital arrest" — any such call is a scam. Hang up.
  • 📸 Rule 7: A payment screenshot is not proof of payment — only your bank balance confirms receipt.
  • Rule 8: If your phone loses signal unexpectedly — call your telecom operator immediately from another phone.
  • 🔔 Rule 9: Enable SMS and email transaction alerts on all bank accounts — so you know within seconds of any transaction.
  • 📢 Rule 10: If scammed — call 1930 within minutes, not hours. Speed determines recovery.

Track Your Bank Balance — Know Instantly When Something Is Wrong

The common thread in every UPI scam that succeeds is a gap in the victim's financial awareness — they don't check their balance regularly enough to notice unauthorised deductions immediately.

Many victims discover fraud only at month end when they check their statement — by then the fraudulent transactions are days or weeks old and recovery probability has dropped significantly.

The best defence against delayed discovery of fraud is maintaining real-time financial visibility — knowing your account balance and recent transactions as closely as possible throughout the month.

Use RozHisab to log and track your income and expenses regularly. When you're in the habit of reviewing your financial picture daily or weekly — you notice the moment something doesn't add up. An unexpected ₹5,000 deduction on a day you made no payments is immediately visible. Catching fraud in hours rather than weeks is the difference between recovery and permanent loss.

Share this article with your family — especially parents and grandparents who are the most targeted by scammers exploiting fear and unfamiliarity with UPI's exact mechanics.

The scammer's greatest weapon is your unawareness. This article is the antidote.

👉 Track your daily finances and stay financially aware at RozHisab — free, built for Indian households, no complexity required.

Quick Reference — UPI Scam Protection Card

  • 🚨 Cyber Crime Helpline: 1930 — call immediately if scammed
  • 🌐 Report online: cybercrime.gov.in
  • Never: Enter PIN to receive money
  • Never: Scan QR to receive money
  • Never: Share OTP or PIN with anyone
  • Never: Install AnyDesk/TeamViewer for banking
  • Never: Get helpline numbers from Google
  • Never: Believe "digital arrest" calls
  • Always: Verify recipient name in app before paying
  • Always: Check bank balance directly — not screenshots
  • Always: Enable transaction SMS alerts
  • Always: Call 1930 within minutes of fraud — not hours

📌 Disclaimer: This article is for general educational and awareness purposes only. Scam tactics evolve constantly — the examples described are based on documented patterns reported by RBI, NPCI, I4C, Ministry of Finance, and cybersecurity researchers as of 2026 but may have changed. All figures cited are based on publicly available government and regulatory data. RozHisab does not provide fraud recovery, legal, or cybersecurity advice. If you have been defrauded, contact the Cyber Crime Helpline at 1930 or file a complaint at cybercrime.gov.in immediately. RozHisab is a budgeting and expense tracking tool — not a fraud recovery or financial advisory service.
