INDIA PAYMENTS

UPI scam guide for India 2026: Paytm, PhonePe, Google Pay attack patterns and how to spot them

UPI now handles roughly 83 percent of every digital rupee in India. That same scale is what makes it the country's most-attacked payment rail. In FY26 alone, the Ministry of Finance confirmed ₹805 crore lost across more than 10.64 lakh reported UPI fraud cases through November.

SB

SafeBrowz Team Security ResearchJune 1, 202610 min read

Why UPI is the world's most-attacked payment rail in 2026

UPI processed 185.8 billion transactions in FY 2024-25, a 41.7 percent jump over the prior year, and accounts for roughly 83.4 percent of all digital payment volume in India, per NPCI's official UPI product statistics. That makes it the largest real-time retail payment system on the planet by transaction count.

Scale brings attention. The RBI Annual Report 2024-25 recorded 13,516 digital payment fraud cases worth Rs 520 crore, with digital payments now accounting for 56.5 percent of all reported banking frauds. NPCI separately tracked 632,000 UPI fraud incidents through September 2024, with full-year projections crossing 1.1 million. The Finance Ministry told Lok Sabha that ₹805 crore was lost across 10.64 lakh UPI fraud incidents in the first eight months of FY26 alone.

The National Crime Records Bureau (NCRB) Crime in India 2023 report counted 86,420 cybercrime cases nationally, a 31.2 percent jump from 2022. Fraud was the single largest category at almost 69 percent of all cybercrime cases. Cybercrimes are up 217 percent since 2018. Karnataka, Telangana and Uttar Pradesh lead state-wise totals.

A 2025 LocalCircles survey found one in five Indian families with a UPI user had experienced fraud at least once in the past three years. Roughly 51 percent of those victims never filed a complaint with police, their bank, NPCI or RBI. The official numbers therefore undercount the real volume by a significant margin.

The 8 active UPI scam patterns in 2026

Below are the patterns that account for the majority of FY26 losses across Paytm, PhonePe, Google Pay, BHIM and bank UPI apps. Each one has a precise signature.

1. The fake "collect request" — money requested, not received

A UPI collect request is a payment request, not a payment credit. When you approve it with your UPI PIN, money leaves your account. Scammers exploit confusion between "send" and "request" by claiming they are paying you for an OLX item, a job advance, a refund or a marketplace sale, then sending a collect request and asking you to "verify by entering your PIN to receive."

You never enter a UPI PIN to receive money. A PIN is only required to pay. Any time an app prompts for the UPI PIN, it is debiting your account. NPCI discontinued person-to-person collect requests on UPI in October 2025 specifically because of this scam, so a collect request from a stranger's mobile number today is almost certainly a fraud probe routed through a workaround. Merchants and verified businesses can still send legitimate collect requests, but only after you initiated the transaction.

2. UPI autopay mandate fraud (e-Mandate hijack)

UPI AutoPay (the e-mandate feature) lets a merchant debit a fixed amount from your account on a schedule. Scammers disguise the mandate-approval screen as a "KYC re-verification," a "prize claim" or a "delivery OTP" step. You see a familiar Google Pay or PhonePe screen, you press "Approve" because the amount on screen looks small, and you have just authorized a recurring daily, weekly or monthly debit.

The fingerprint: every legitimate UPI mandate screen clearly shows the biller name, amount, and frequency, with a separate explicit "Approve mandate" button distinct from a one-time payment. If the frequency line says "Daily" or "Weekly" but the agent told you this is a "one-time verification," cancel it. To audit mandates, open your UPI app, go to Profile, then Autopay / Mandates, and revoke anything you do not recognize.

3. QR code swap at petrol pumps, parking lots, shops

This is the most physical UPI attack. Scammers walk up to a merchant board at a high-traffic spot — petrol pumps, parking attendants, electricity-bill counters, vegetable stalls — and paste a sticker over the real QR code, sometimes with branding like "Discount QR," "Offer 5%" or "Refund Code." Every customer who scans it pays the attacker instead of the merchant. Multiple incidents have been reported across Times of India regional editions, including a high-profile Khajuraho case where several businesses including petrol pumps had QR codes physically replaced overnight.

The defence is to read the merchant name shown by your UPI app on the confirmation screen before you press pay. If the merchant name does not match the shop you are standing in, abort. Pay cash and tell the shopkeeper their QR has been swapped.

4. "KYC expiry" call — fake UPI verify app install

The caller claims your Paytm, PhonePe, Google Pay or bank account is "blocked" because KYC has expired, and you must install a "verification app" to re-activate. The app is almost always AnyDesk, TeamViewer QuickSupport, Quick Support, or a sideloaded APK that mimics one. Once installed, the attacker watches your screen, reads OTPs, and either initiates UPI transfers directly or harvests credentials to drain net banking.

No legitimate Indian bank, NPCI, RBI or UPI app asks customers to install a screen-sharing tool to fix KYC. The RBI's repeated press releases on this have been unambiguous: customer KYC is handled inside the bank app, at a branch, or via a video-KYC link from the bank's verified domain. If a "RBI officer" calls you, hang up. RBI does not call retail customers.

5. Bank-impersonation SMS with shortened URL

"Dear customer, your SBI / HDFC / ICICI account will be blocked. Update PAN immediately: bit.ly/xxxx". The link leads to a near-perfect clone of the bank's net-banking login. Once you enter your customer ID, password and OTP, the attacker logs in from their side and initiates outbound UPI transfers up to the daily limit.

Indian banks do not send bit.ly, tinyurl or any URL-shortener links over SMS. Real bank SMS uses sender IDs registered with the TRAI DLT framework (such as VK-HDFCBK, VM-SBIINB, AX-ICICIB) and links to the full domain like sbi.co.in or hdfcbank.com. Any SMS that asks you to "click within 24 hours to avoid block" is hostile until proven otherwise.

6. Refund / reverse-payment scam ("you sent extra, please send back")

A scammer sends a small genuine payment of, say, ₹1 to your UPI ID. A minute later they call: "Sorry, I meant to send ₹1, but accidentally sent ₹50,000. Please return ₹49,999, this is urgent, my mother's hospital bill." They sometimes show a screenshot — which is fake. The first ₹1 was real, your subsequent ₹49,999 will be real, and nothing is ever returned.

Always check your actual UPI app transaction history before refunding anything. SMS notifications can be forged with an SMS-spoofing app. Bank app entries cannot. If the credit is not in your bank statement, no money came in.

7. Family / friend impersonation on WhatsApp

"Beta, this is your father's new number, my old phone fell in water. Please send ₹15,000 to this UPI ID, urgent, will explain later." The display photo is your parent's actual WhatsApp profile picture, scraped from public sources. The mobile number is unfamiliar. The grammar and tone often feel slightly off. Many victims realize only after sending money that they never confirmed via voice call.

The single rule that defeats this: verify on a known channel. Call the real number you have saved for that person. If they do not pick up, wait. Real emergencies stay real after a 5-minute callback. Scams die in those 5 minutes.

8. Matrimonial / romance + investment pivot

A connection on a matrimonial site, dating app or LinkedIn slowly builds trust over weeks. Eventually the conversation pivots: "I made good money on this crypto / forex / stocks platform, you should try, I will guide you." A small UPI deposit shows fake gains on a dashboard. Larger deposits follow. Withdrawal requests are blocked behind "tax" and "verification fees" that also require UPI transfers. This is the same pig-butchering pattern documented globally, adapted to UPI rails. The I4C has flagged these in its press releases as the fastest-growing high-value cybercrime category in India in 2025-2026.

The 5 red flags every UPI user should know

1. You are entering a UPI PIN to "receive" money. You never enter a PIN to receive. A PIN debits you. Always.
2. The "merchant name" on the confirmation screen does not match the place you are paying. If you are at a Bharat Petroleum pump but the screen shows "Rajesh Kumar" or a random business name, stop.
3. An "approve mandate" screen with frequency Daily / Weekly / Monthly when the agent told you this is a one-time check.
4. Any caller claiming to be from RBI, NPCI, or your bank's "head office" asking you to install AnyDesk, TeamViewer, or any APK file outside the Play Store.
5. Urgency framed in hours. "Your account will be blocked in 24 hours / 2 hours / right now if you do not act." Real Indian banking processes do not punish customers on the clock by SMS.

30-second verification check before approving any UPI request

1. Read the action verb on the screen. Does it say "Pay" or "Approve mandate"? Both mean money leaves you. "Request from" means someone is asking you to pay — not the other way around.
2. Read the merchant or payee name. Is it the entity you expect? Compare letter by letter — fake merchants use lookalike names like "Bharat Petroliam," "Reliance Jio Recharg," "Jio Mart Online."
3. Read the amount. Decimal point in the right place? Indian scams love hiding "12,500.00" where the user expects "125.00."
4. Read the frequency. If it says anything other than "One-time," treat it as a recurring mandate.
5. Call back on a known channel if anyone is rushing you. Five minutes never lost anyone a real opportunity.

If you already sent money (recovery steps)

Speed matters more than anything else here. Indian banks can freeze the receiving account if you report fast enough, often before the attacker can withdraw via ATM or chain it through layers of mule accounts.

1. Within the first hour: call 1930. This is the national cybercrime helpline operated by the Indian Cyber Crime Coordination Centre (I4C). Operators flag the receiving bank under the RBI Limited Liability framework. Keep transaction ID, UPI reference number (UTR), receiver VPA / mobile, and screenshots ready.
2. Within 24 hours: file at cybercrime.gov.in. The National Cyber Crime Reporting Portal is the official MHA platform. Attach screenshots, the SMS or WhatsApp trail, and any caller numbers. As of May 2025, complaints involving losses above ₹10 lakh now trigger an automatic e-Zero FIR through the Delhi e-Crime Police Station.
3. Within 3 days: notify your bank in writing. Per the RBI Customer Protection circular (DBR.No.Leg.BC.78/09.07.005/2017-18, July 6, 2017), reporting within 3 working days of receiving communication of the unauthorized transaction limits your liability to zero, provided the loss is not due to your own negligence. Reporting between 4-7 days caps liability between ₹5,000 and ₹25,000 depending on account type.
4. File an FIR at the nearest cyber police station. The 1930 ticket and the cybercrime.gov.in acknowledgement number are accepted as the basis for FIR registration under Section 66D (cheating by personation using computer resource) and Section 66C (identity theft) of the IT Act 2000, alongside relevant BNS sections.
5. Report on RBI's Sachet portal at sachet.rbi.org.in if the fraud involves an unregistered deposit scheme or chit-fund-style promise.
6. Inside the UPI app, raise a dispute. Paytm, PhonePe and Google Pay all have in-app "Report fraud" buttons under the disputed transaction. NPCI's UPI Dispute Redressal Mechanism (UDIR) routes the case through the receiving bank for chargeback evaluation.

One important caveat: UPI does not have a true chargeback like a Visa or Mastercard purchase, because UPI is a real-time bank-to-bank push. Recovery depends on whether the receiving bank can freeze funds before the attacker withdraws them. Hours matter. Days rarely succeed.

How SafeBrowz catches UPI phishing landing pages

SafeBrowz runs a 3-layer detection architecture against fake UPI sites and phishing landing pages that impersonate Paytm, PhonePe, Google Pay, BHIM and Indian banks. The browser extension protects the click — the call and SMS leg of the attack still requires user awareness, which is why this guide exists.

• Layer 1 - Local detection: 60+ URL patterns and 550+ brand-specific signatures run inside the extension itself, including Paytm, PhonePe, Google Pay, BHIM, SBI, HDFC, ICICI, Axis, Kotak, and other major Indian payment brands. Hyphenated lookalikes (paytm-kyc-verify.in, phonepe-rewards.xyz, gpay-cashback.com), Punycode homographs, and known scam TLDs are blocked before the page renders. The community whitelist and blacklist also run locally so there is no network round-trip for known-safe domains.
• Layer 2 - API checks: Server-side aggregation of Google Safe Browsing, PhishTank, URLhaus and additional threat-intelligence feeds catches domains already flagged by the wider security community within minutes of being reported anywhere.
• Layer 3 - AI deep scan (Premium): Content analysis in 100+ languages including Hindi, Tamil, Telugu, Bengali, Marathi, Gujarati, Kannada, Malayalam and Punjabi reads the actual page text to identify brand impersonation, fake KYC flows, and credential-harvesting forms — catching novel domains that have never been seen by any feed.

Detection signatures come from threat-intelligence research and brand database analysis, not from per-user browsing data. The extension does not log per-user URL history; anonymized signal patterns are retained only for detection-engine training.

Frequently asked questions

Can someone take money from my UPI account just by knowing my UPI ID?

No. Knowing your VPA (like yourname@oksbi or yourname@paytm) is the equivalent of knowing your email address — it lets people send you money or request money, but it does not let them take money. Money only leaves your account when you authorize a transaction with your 4 or 6 digit UPI PIN. The danger is that scammers use the UPI ID to send a "collect request" disguised as a payment, then call you to pressure you into entering your PIN.

What is the difference between a UPI PIN and an OTP?

A UPI PIN is set inside the UPI app and is required to authorize any outgoing payment from your linked bank account. An OTP is a one-time password sent over SMS, typically used for net-banking, card transactions, or registering a new device on UPI. Both are sensitive. Banks and UPI apps never ask you to share either over a phone call, SMS reply, or screen-sharing session.

I got a screenshot showing someone paid me but nothing arrived in my bank account. Is this a scam?

Almost always, yes. Screenshots of UPI confirmations can be edited or generated by template apps in seconds. The only proof of credit is a notification from your bank itself, ideally visible in the bank statement or net banking app, not just an SMS (which can be spoofed). If they then ask you to "return extra money," it is the refund-reversal scam covered above.

Will RBI or NPCI ever call me directly about my UPI account?

No. RBI does not have customer-facing call centres for individual UPI users. NPCI operates UPI infrastructure but does not service end-customers directly — your bank is your point of contact. Any caller claiming to be "from RBI" or "from NPCI" about your personal UPI account is impersonating. Hang up and call your bank's official customer care number from the back of your debit card or the official bank website.

How long do I have to report UPI fraud to get my money back?

Speed matters at every level. Within 1 hour, call 1930 — this gives the receiving bank the best chance to freeze funds. Within 3 working days of receiving notification of the unauthorized transaction, notify your bank in writing for zero customer liability under the RBI Limited Liability framework (2017). Beyond 7 working days, your liability is determined by your bank's board-approved policy, and recovery becomes harder. File at cybercrime.gov.in within 24 hours to lock in the official complaint trail.

Is UPI safer than credit cards in India?

Both have different risk profiles. UPI is safer against card-skimming and merchant data breaches because no card number is stored at the merchant. Credit cards offer stronger chargeback protection under Visa and Mastercard rules. UPI's biggest risk is social engineering — fake collect requests, mandate hijacks, and impersonation calls. A credit card's biggest risk is card-data leaks. Use UPI for small everyday payments; use credit cards for high-value online purchases where chargeback matters.

Can SafeBrowz block UPI scam calls and SMS too?

SafeBrowz is a browser extension — it protects the click. When a scam SMS contains a phishing URL and you tap it on your phone, SafeBrowz blocks the landing page if the device's browser has the extension installed (currently Chrome, Firefox, Edge on desktop; Firefox Android supports it on mobile). For SMS and call blocking specifically, look at TRAI's DND service and apps like Truecaller. SafeBrowz complements those by covering the web layer where credentials actually get stolen.

What if my elderly parent already entered their UPI PIN on a fake page?

Treat it as a live compromise. Immediately on a separate trusted phone: (1) Call 1930. (2) Open the affected UPI app, go to bank account settings, and change the UPI PIN. (3) Call the bank to temporarily block UPI on the account if any amount has already moved. (4) Check for any newly added autopay mandates and revoke them. (5) File at cybercrime.gov.in the same day. The PIN itself does not work without the SIM/device binding, but if the attacker also collected an OTP during the same session, they may have re-registered UPI on their device — which is why the bank lock is the most important step.

Article published June 1, 2026. Statistics cited are drawn from RBI Annual Report 2024-25, NPCI UPI product statistics, NCRB Crime in India 2023, Lok Sabha Ministry of Finance disclosures (FY26), and I4C press releases. Detection signatures derive from threat-intelligence research and brand database analysis, not user browsing data.