What is the most common UPI fraud in India?

The most common UPI fraud involves tricking users into sharing OTPs, entering their UPI PIN for fake collect requests, scanning fraudulent QR codes, or calling fake customer care numbers.

Is UPI PIN needed to receive money?

No. A UPI PIN is never required to receive money.

Can scanning a QR code help me receive money?

No. In UPI, scanning a QR code usually initiates a payment from your account.

What is a UPI collect request scam?

A UPI collect request scam happens when a fraudster sends a payment request that looks like an incoming payment.

What should I do if I become a victim of UPI fraud?

Call the National Cybercrime Helpline at 1930, inform your bank immediately, block your account or card if required, and file a complaint on the cybercrime portal.

What is SIM swap fraud?

SIM swap fraud happens when fraudsters get a duplicate SIM issued in your name. Once active, your original SIM stops working and the fraudster receives your OTPs and banking alerts.

How Fraud Works in India and How to Protect Your Bank Account? Details

Fraud cases in India are rising fast, with scams involving OTPs, fake QR codes, SIM swaps, screen-sharing apps and fake customer care numbers. Learn how the

Key Highlights

India saw over 10.64 lakh UPI fraud cases in FY26, with losses crossing ₹805 crore — and 51% of victims never even filed a complaint.
The most common entry point for fraud is not hacking. It is a phone call, a WhatsApp message, or a link in an SMS.
You never need a PIN to receive money.
Screen-sharing apps like AnyDesk and TeamViewer are now a major fraud tool. Never install them on someone else's instruction.
A man in Delhi lost ₹20 lakh through 16 transactions overnight — just because his SIM stopped working and he did not act immediately.
You can cap how much damage is possible by simply lowering your daily transaction limit. Most people never do this.
Fake customer care numbers for Google Pay, PhonePe, and HDFC regularly appear on Google. Never trust a number you searched for.
If fraud happens, call 1930 within three working days. RBI rules entitle you to a full refund if it was not your fault.

Fraud in India has changed. It used to be someone physically stealing a wallet or cloning a card at a shady ATM. That still happens, but the scale is nothing compared to what is happening digitally.

In FY24, UPI fraud losses crossed ₹1,087 crore — nearly double what they were the year before. In FY26, the Finance Ministry reported 10.64 lakh UPI fraud complaints. The RBI's own annual report flagged a 34% year-on-year rise in digital payment fraud cases.

And here is the part that does not get talked about enough: according to a LocalCircles survey, 1 in 5 families with a UPI user has experienced fraud at least once in the past three years. Of those who got hit, 51% never reported it — not to police, not to their bank, not to NPCI, nobody.

The fraud methods have also evolved. In 2026, fraudsters are not just making cold calls. They are building fake websites that show up on Google, running fake customer care desks on WhatsApp, using screen-sharing tools to take control of your phone, and exploiting SIM infrastructure to intercept your OTPs before you even see them.

Also Read: Meta Overtakes Google in Digital Ads 2026: What Changed

Rule 1 — OTP Is a One-Time Key. Giving It Away Unlocks Your Account for Someone Else

The "OTP scam" sounds old. It is still the way, millions of Indians lose money.

The reason it keeps working is that fraudsters have gotten better at it. They do not just say "I am from your bank." They already know details about you — your name, the last four digits of your card, your registered mobile number, sometimes your date of birth. This information gets bought and sold from data leaks every day.

A typical call sounds like this: "Sir, I am calling from HDFC Bank's fraud prevention team. We have noticed an unauthorised login attempt on your account from Pune. To secure your account, we need to verify your identity. An OTP has been sent to your registered number. Please share it with me."

It sounds official. It sounds urgent. They already knew your name and card details. So you share the OTP.
The OTP was actually a transaction authorisation for ₹49,000. It is now gone.

What actually happens with an OTP:

Every OTP that comes from your bank is authorising something specific — a login, a transaction, a password change. The bank never needs you to read it out to them. They sent it to you. They already know it. If someone is asking you to repeat it back, they are not from the bank.

The rule has no exceptions: Do not share any OTP with any person, on any call, for any reason. Not even if they already know your account details. Not even if they say your account will be blocked. Not even if they sound very convincing.

Hang up. Call your bank directly from the number on the back of your card.

Also Read: Small Town Influencers, Big Internet Fame: How Bharat Is Taking Over Social Media?

Rule 2 — The UPI Collect Scam Has One Tell: It Asks for Your PIN

In FY26, cybercriminals are explicitly exploiting the UPI "collect request" feature at scale — particularly targeting people selling things on OLX, Quikr, Facebook Marketplace, and Instagram.

Here is the exact flow of how it happens:

You list a second-hand phone for ₹8,000. A buyer contacts you. They seem genuine — they negotiate, they agree on a price, they say, "Sending now." A few seconds later, a notification appears on your phone. It looks like a payment incoming. The screen says "Accept ₹8,000." There is a PIN field. You enter your UPI PIN.

₹8,000 just left your account. You paid them.

What happened: they sent you a collect request — a feature on all UPI apps where you can ask someone else to send you money. The notification interface looks almost identical to receiving a payment. The only difference is that one field — the PIN field. Receiving money never asks for a PIN.

Fraudsters also combine this with QR codes. They send a QR code saying "scan this to receive your payment." Scanning a QR code on UPI can initiate a payment from you, not to you. There is no such thing as a "receive money QR code" — QR codes on UPI only debit your account.

The test for every UPI transaction:

If your phone is asking for your PIN — you are sending money. Full stop. If you did not mean to send money, do not enter the PIN.

Rule 3 — Screen Sharing Scams: The Moment You Install AnyDesk, It Is Over

This is one of the fastest-growing fraud methods in India right now, and it is one of the most effective because the victim hands over control willingly.

It works like this: you have a problem with your PhonePe account, or you cannot process a transaction, or you receive a message saying your bank account will be blocked. You search Google for customer care. You call a number that appears in the search results — it looks legitimate.

The "agent" asks you to install an app so they can help you remotely. The apps they most commonly use are AnyDesk, TeamViewer, QuickSupport, or Anydesk Remote Desktop. These are real, legitimate apps used for IT support — but once you install one and share the connection code with a fraudster, they can see everything on your screen. They can see your banking app, your OTPs as they arrive, your UPI PIN as you type it, your contacts, everything.

Once they have what they need — usually within a few minutes — they make transfers, change PINs, and block you out of your own account.

Also Read: Before Taking a Loan, Know Your CIBIL Score: Why It Matters for Every Borrower?

What to know:

No bank — not SBI, not HDFC, not ICICI, not PhonePe, not Google Pay — will ever ask you to install a remote access app.
Fake customer care numbers are everywhere on Google. The official numbers are only on the back of your debit card or in the official app's "Help" or "Contact Us" section.
If you have already installed AnyDesk or TeamViewer on someone's instruction, uninstall it immediately and change all your banking PINs and passwords.

Rule 4 — SIM Swap: When Your Phone Loses Signal, Act in Minutes, Not Hours

A man in Delhi lost ₹20 lakh overnight. He woke up to find his phone had no network. He assumed it was a tower issue. He went to work. By the time he visited the mobile store to check, fraudsters had received all his OTPs, made 16–17 transfers from his account, and even dipped into a joint fixed deposit.
In Ghaziabad, a woman lost ₹18.5 lakh after her SIM was deactivated and an eSIM was activated in the fraudster's device.

SIM swap fraud works like this:

Fraudsters collect your personal details — Aadhaar number, date of birth, registered mobile number — from data leaks, phishing calls, or social media. They walk into a mobile operator's store (or call the helpline) and claim to be you — saying they lost their SIM and need a duplicate. Once the duplicate is active, your SIM stops working. Their device starts receiving all your OTPs. They then log into your net banking, request a password reset, receive the OTP, and clean out the account.

The signal you cannot miss: Your phone suddenly shows "No Network" or "Emergency Calls Only" — with no obvious reason. This is the warning sign. Do not wait to see if it resolves on its own.

Act immediately:

Call your mobile operator from a different phone — ask if a duplicate SIM was requested.
Call your bank — tell them to put a temporary hold on transactions.
Change your net banking password from a different device.

The fraudsters know they have a narrow window before you notice. Do not give it to them.

Rule 5 - The Fake Bank Website in Google Search Results Is a Real Threat

Most people assume that if something shows up at the top of Google, it is legitimate. Fraudsters know this.
In 2025 and 2026, there has been a documented pattern of fraudsters paying for Google ads or using SEO techniques to push fake bank websites and fake customer care pages to the top of search results. When you search "SBI customer care number" or "HDFC net banking login," a fake result can appear above the real one.

The fake website is built to look pixel-perfect — same logo, same colours, same layout. You enter your customer ID and password. They capture it. They are now inside your account.

In one documented case from 2025, a person searched for their bank's customer care number on Google, called the top result, and was connected to a fraudster who walked them through "verifying" their account — including reading out OTPs. ₹1.3 lakh was gone before the call ended.

What to do instead:

Bookmark your bank's official website today. Type it in directly — sbi.co.in, hdfcbank.com, icicibank.com — verify it looks correct, then bookmark it. From that point on, never use the bookmark from search results.
For customer care numbers: the only number you should trust is the one printed on the physical back of your debit card or inside the official app's Help section.

Rule 6 — Lower Your Transaction Limit. It Is the Easiest Line of Defence Nobody Uses

Most bank accounts come with a default daily ATM withdrawal limit of ₹40,000–₹50,000 and an online transaction limit of ₹1 lakh or more. These defaults exist for convenience. For most Indians who spend far less than that per day, they are a liability.

Think of it this way: if your account is compromised at 2 am when you are asleep, the damage a fraudster can do is capped by your transaction limit. If that limit is ₹50,000, they can take ₹50,000 before you wake up. If you have lowered it to ₹5,000, they can take ₹5,000.

How to change your limit:

On HDFC Bank app: Go to Cards → Debit Card → Set/Change Limits → Daily ATM / Online Transaction Limit.
On SBI YONO: Go to e-Services → ATM Card Services → ATM/ Debit Card Limit Change.
On ICICI iMobile Pay: Go to Cards → Manage Card → Set Limits.
On Axis Mobile app: Go to Cards → Manage Card → Limit Setting.

Set your ATM limit to what you actually withdraw in a day. Set your online transaction limit to what you spend in a day. You can raise it any time in seconds if you need to make a large payment.

Also turn on SMS and email alerts for every transaction. When an unknown debit hits your account, you will know within seconds — and you will have time to call the bank before the next one.

Also Read: India’s Tech Services Revamped: From IT Outsourcing to DeepTech, R&D and IP Creation

Your Gmail Password Is as Important as Your Net Banking Password

This connection catches people off guard.

Most Indians use Gmail as the recovery email for their bank account, their UPI app, their Aadhaar-linked services, and dozens of other accounts. If a fraudster gets into your Gmail, they can trigger "forgot password" on your net banking, receive the reset link in your Gmail, change your net banking password, and lock you out.

Your Gmail security directly protects your bank account.

Turn on 2-step verification on Gmail: Go to myaccount.google.com → Security → 2-Step Verification → Turn on. Now, logging into Gmail requires both your password and a code on your phone. A fraudster with your Gmail password cannot log in without also having your phone.

For your banking apps specifically:

Enable fingerprint or PIN lock on every UPI and bank app. This takes one minute per app.
Turn on the SIM PIN: On Android go to Settings → Biometrics and Security → Other Security Settings → Set Up SIM Card Lock. On iPhone go to Settings → Phone → SIM PIN. This means if someone removes your SIM and puts it in another phone, they need the PIN to use it — killing SIM swap fraud before it starts.
Never use the same password across your email, net banking, and UPI accounts.

Emergency Numbers — Save These Before You Need Them

Bank/Service	Number
National Cybercrime Helpline	1930
Cybercrime Portal	cybercrime.gov.in
RBI Ombudsman	cms.rbi.org.in
SBI	1800 11 2211
HDFC Bank	1800 202 6161
ICICI Bank	1800 1020 123

For any bank not listed: the 24/7 card block number is printed on the back of your debit card. Save it in your phone today.

Over 10 lakh Indians were defrauded last year. Most of them knew the rules. They just did not think it would happen to them.

To Read more such explainers, click here.

Sources:

UPI Fraud Hits ₹805 Crore in FY26
1 in 5 UPI users faced fraud — Business Standard
SIM Swap Fraud Explained — The420.in
Screen Sharing / AnyDesk Scam — UPI Fraud Types
India Top Cyber Scams 2025

No Network? It Could Be a SIM Swap Fraud Draining Your Bank Account!