Dr. Reyaz Ahmad
It usually begins with a small, believable moment. A customer says, “Sir, I’ve paid,” and shows a green “Success” screen. A buyer on an online marketplace says, “I’m sending an advance—please scan this QR.” Or a caller claims to be “customer care” and offers to “fix” your UPI issue in two minutes.
In many Indian homes and marketplaces, these moments feel routine because UPI has become routine. That is exactly why frauds are rising in sophistication: criminals do not attack the technology first; they attack human habits—our speed, our trust, and our desire to resolve a problem quickly. The Reserve Bank of India has repeatedly warned that fraudsters often use familiar tactics—pressuring users to share sensitive information, tricking them into clicking links, swapping SIMs, or pushing them to download spurious apps. (Reserve Bank of India)
The uncomfortable truth is this: most digital payment fraud is not a “hack.” It is social engineering—a well-designed conversation that turns an honest user into an unwitting authoriser.
The single rule that defeats half the scams
If you remember only one line, make it this:
If you entered a UPI PIN, you were paying—never receiving.
NPCI (the organisation behind UPI) states it plainly: scanning a QR code and entering a UPI PIN is meant for making payments, not receiving them. (npci.org.in) That one sentence exposes the logic of the most common “QR-code refund” trap.
Fraudsters exploit a psychological shortcut: “QR codes are for money.” True—but money can move in two directions. The PIN decides which direction.
How the most common UPI scams actually work
Below are the patterns that appear again and again across Indian cities and small towns, among students, shopkeepers, professionals, and retirees alike.
1) The “Refund/Prize/Advance” QR code trap
You are told you will receive money, but you are asked to:
• scan a QR code, and/or
• approve a request, and/or
• enter your UPI PIN “to confirm”
That is the scam. NPCI’s safety guidance is explicit: do not share your UPI PIN, and scan QR only for making payment, not for receiving money. (npci.org.in)
Practical habit: If someone says, “I am sending you money,” your correct response is: “Send it to my UPI ID/number. I will not scan anything.”
2) The “Collect Request” that looks like an incoming payment
Some scammers send a payment request (a “collect” request) that resembles a notification and relies on hurried tapping. If you approve it and enter your PIN, you have authorised an outgoing payment.
Practical habit: Slow down when you see any request that asks for a PIN. Read the on-screen text: Pay vs Receive, amount, name/handle.
3) Fake customer care + remote access apps
This is one of the most damaging patterns because it feels “technical,” and victims assume the other person is an expert.
CERT-In (India’s national cybersecurity agency) has documented this method: the fraudster poses as a representative, asks the victim to download a screen-sharing or remote-access app, gains control of the device, and then entices the user to type bank details, UPI PIN, or OTP. (cert-in.org.in)
Banks themselves also warn that criminals may induce customers to download remote-access apps such as AnyDesk/TeamViewer-type tools to extract OTPs or conduct fraud. (SBI Bank)
Practical habit: No bank or UPI provider needs screen sharing to “fix” your account. If anyone asks you to install remote-access or screen-sharing software, treat it as a red alert.
4) “KYC update” links and fear-based messages
Messages that threaten account blocking, urgent KYC updates, or “verification” often push you toward a link, a file, or a phone number.
RBI’s consumer alerts underline the core principle: banks and payment operators never ask for password, PIN, OTP, CVV. (Reserve Bank of India) When the request is for secrets, the caller is not support—he is theft in a polite voice.
Practical habit: Never use numbers from random search results or messages. Go to the bank’s official website/app and use the listed support channel.
5) The new layer: deepfakes and “authority theatre”
A growing twist is the use of video calls, official-looking backdrops, uniform-like visuals, and intimidating language to create panic and obedience. The technology varies; the strategy is constant: urgency + authority + isolation (“Do not tell anyone”).
Even when the scam looks dramatic, the payment step is usually simple: “Transfer to this account for verification,” “Pay a fine,” or “Move funds temporarily.” The moment you are asked to send money to “prove innocence,” the conversation has left reality.
Fact Box: India’s UPI Safety Shield (Quick Checklist)
Use this as a household poster.
1. Never share your UPI PIN—not with “customer care,” not with “bank staff.” (npci.org.in)
2. Scan QR only to pay, never to receive. (npci.org.in)
3. If you entered a PIN, you paid. (PIN is for authorising outgoing transactions.) (npci.org.in)
4. Do not install screen-sharing/remote-access apps to solve banking issues. (cert-in.org.in)
5. Never share OTP/password/CVV/PIN—banks never ask for these. (Reserve Bank of India)
6. Verify names and handles before sending money (small spelling changes are common). (npci.org.in)
7. When in doubt: stop, call back, and verify via official channels. (Reserve Bank of India)
What to do in the first hour if money is debited
Fraudsters move money quickly through multiple accounts. Your best chance improves when you act immediately.
1. Call your bank/payment app support through the official app/website and report the transaction.
2. Report the fraud to the national cybercrime helpline, 1930, and file a complaint on the National Cyber Crime Reporting Portal, which lists the same helpline number. (Cyber Crime Investigation India)
3. Preserve evidence: screenshots, UTR/transaction ID, caller number, messages, QR codes, links, and timestamps.
Think of this as financial first aid: the goal is not to argue with the scammer; it is to freeze the damage as early as possible.
Why smart people still fall for it
Many victims blame themselves: “I should have known.” That shame is part of the fraud cycle because it delays reporting.
These scams work because they exploit three normal human instincts:
• Speed (a busy shop counter; a crowded metro; a classroom break)
• Trust (a familiar banking brand name; a “verified” look)
• Relief (the promise that the problem will be solved quickly)
The solution is not paranoia. The solution is procedural thinking: build a few non-negotiable rules and apply them even when you are rushed.
A simple discipline that protects families and small businesses
Adopt a “Two-Step Verification Culture” at home and at work:
1. Pause whenever money is involved.
2. Verify through an independent channel (official app/website, saved bank helpline, known contact).
In a country where digital payments have reduced friction dramatically, we now need to add a small amount of healthy friction back into the process—just enough to stop the fraudster’s script.
Because in the end, UPI is not only a technology. It is a trust system. And trust, in the digital age, survives not by being blind—but by being careful.
The author can be reached by e-mail at reyaz56@gmail.com

