Cyber fraudsters using new tech to bypass UPI security for financial transactions: Report — How to Identify & Stay Safe

Severity: HIGH

Beware in 2026: How Cyber Fraudsters Use New Tools to Bypass UPI Security in India

UPI users across India face a rising threat from cyber fraudsters using advanced technology to outsmart even the strongest security measures.

What Is the “Cyber Fraudsters Using New Tech to Bypass UPI Security for Financial Transactions” Scam?

In 2026, a new form of cyber fraud targeting UPI (Unified Payments Interface) users in India has emerged as a major concern. Fraudsters have developed a sophisticated toolkit named Digital Lutera that can manipulate device trust settings and bypass standard UPI security features. This allows them to authorize transactions without triggering the usual alerts or OTP (One Time Password) requests, putting millions of Indians’ money at risk.

The scam specifically preys on everyday users who rely on mobile payments for bills, shopping, and money transfers. Victims are often approached via WhatsApp or other social media platforms with convincing messages that imitate government officials, bank representatives, or even friends and family. Due to the increasing number of such attacks, the Indian Computer Emergency Response Team (CERT-In) and the Indian Cyber Crime Coordination Centre (I4C) have issued warnings urging people to stay alert. The Reserve Bank of India (RBI) has also emphasized the need to verify transaction alerts carefully and avoid sharing banking details on any messaging app.

The scam is becoming more widespread, especially in metropolitan cities and rural areas with growing digital banking use. Reports so far estimate thousands of cases in 2025-2026 alone, with victim losses running into crores of Indian Rupees.

How This Scam Works — Step by Step

  1. Initial Contact via WhatsApp or Social Media
    The fraudster sends a message or makes a voice call pretending to be a bank official or government agent offering easy money, loan approval, or urgent help with financial issues.

  2. Building Trust
    They may send fake documents, government logos, or even spoof phone numbers to seem legitimate. Sometimes, they act as acquaintances urgently needing assistance with UPI payments.

  3. Installing ‘Digital Lutera’ Toolkit
    The scammer convinces the victim to download a seemingly harmless app or share a link under the guise of “authentication” or “verification.” This installs the Digital Lutera malware that can manipulate device security settings.

  4. Bypassing UPI Security
    Once active, the malware tricks the device into “trusting” fraudulent transactions and bypasses OTP or biometric checks by creating fake confirmations on the device.

  5. Unauthorised Transactions
    The victim remains unaware as UPI transactions happen silently. Fraudsters transfer money to multiple accounts, draining the victim’s bank balance.

  6. Covering Tracks
    After the theft, scammers delete messages and block the victim on WhatsApp, making it hard to trace them.

Real Warning Signs to Watch For

What Happens to Victims

Victims often face immediate financial loss as money is transferred out of their bank accounts with no easy reversal through UPI. Because these transactions are authenticated by device manipulation, banks may claim they were authorized, complicating refunds. Many victims also report emotional distress, anxiety, and helplessness, especially when their Aadhaar or SIM cards are compromised in identity theft or SIM swapping attacks. This leads to longer-term financial damage and difficulties in restoring accounts.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) has repeatedly warned users never to share OTPs, UPI PINs, or debit card details with anyone. It emphasizes verifying all transaction alerts immediately and reporting unauthorized payments. The RBI also advises using UPI apps that send alerts for every transaction.

CERT-In has issued advisories about malicious apps that can manipulate device security and compromise financial data. They remind all internet users to download apps only from official stores and avoid clicking unknown links.

In case of cybercrime, users should immediately call the cybercrime helpline 1930, report at cybercrime.gov.in, and reach out to their respective bank’s grievance cell or the RBI helpline.

How to Protect Yourself

  1. Never share your UPI PIN, OTP, or Aadhaar details with anyone, even if they claim to be officials.
  2. Do not download apps or click on links sent by unknown or unverified contacts on WhatsApp or social media.
  3. Regularly check your bank account and UPI app transaction history for unknown activities.
  4. Set app permissions strictly; avoid allowing device administrator access to unknown applications.
  5. Use official apps downloaded from Google Play Store or Apple App Store only.
  6. Enable two-factor authentication (2FA) where possible for all financial apps.
  7. Inform your bank immediately if you suspect fraud or receive suspicious calls/messages.

What to Do If You’ve Been Targeted

  1. Immediately block your UPI payment app and contact your bank to freeze transactions.
  2. Call the National Cyber Crime Helpline at 1930 to lodge a complaint and get assistance.
  3. File a complaint on the official portal at cybercrime.gov.in with all details of the fraud.
  4. Contact your mobile operator to secure your SIM and prevent SIM swap fraud.
  5. Update your Aadhaar-related mobile number and bank KYC details after reporting the fraud.
  6. Keep all evidence like WhatsApp chats, screenshots of transactions, and call records for investigations.

Frequently Asked Questions

Q: Can these fraudsters withdraw money without my UPI PIN?
No, but their Digital Lutera toolkit tricks your device into thinking you have authorized payments. So, they bypass OTPs and PINs without needing you to enter them directly.

Q: What if I receive a suspicious call claiming to be from RBI or my bank?
Hang up immediately and call your bank’s official helpline to verify. RBI or banks never ask for your PIN, OTP, or Aadhaar details over the phone.

Q: Can I get my money back if I fall victim?
Recovering money is difficult if the transaction was “authorized” by tricking device security. However, immediate reporting to your bank and cybercrime authorities improves chances of a refund.


Stay safe from evolving UPI scams like Digital Lutera by staying vigilant and verifying every suspicious message at BharatSecure.app — India’s trusted platform to protect you against digital fraud.
