Cybercriminals Exploiting India's Digital Payments System — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 22, 2026

Severity: HIGH | View Full Scam Details

Beware in 2026: Cybercriminals Exploiting India’s Digital Payments System (UPI Fraud Alert)

Cybercriminals are using increasingly sophisticated scams to exploit India’s digital payments system, especially targeting UPI users, causing huge financial and emotional damage.

What Is the Cybercriminals Exploiting India's Digital Payments System?

This scam involves fraudsters manipulating India’s rapidly growing digital payments ecosystem, primarily through Unified Payments Interface (UPI). With over 8 billion UPI transactions monthly, fraudsters find vast opportunities to trick unsuspecting users into revealing payment credentials or authorizing bogus transactions.

The scam mainly targets people who are less digitally savvy or those who recently made high-value payments, such as utility bill payers, e-commerce buyers, or freelancers receiving payments. Fraudsters use social media platforms like WhatsApp, phone calls, or even SMS messages to contact victims under the guise of bank officials or customer care agents. They create a false sense of trust by mimicking official communication styles or quoting transaction details.

Incidents of such frauds have surged in India, pushing regulatory bodies like the Reserve Bank of India (RBI), the Indian Computer Emergency Response Team (CERT-In), and the India Cybercrime Coordination Centre (I4C) to issue warnings highlighting the dangers of UPI fraud. Official advisories now emphasize user vigilance and reporting suspicious communication to curb this rising menace.

How This Scam Works — Step by Step

1. Initial Contact: The scammer sends a message on WhatsApp, calls, or sends an SMS pretending to be from the bank or UPI customer care. They reference a recent legitimate transaction or claim suspicious activity on your account to build credibility.

2. Gaining Trust: They use social engineering tactics—threatening to block your account or freeze funds—to create urgency and panic. This pressure often pushes victims to comply without thinking.

3. Request for Sensitive Information: The scammer asks for OTPs (One-Time Passwords) received on SMS or requests screen sharing via apps like WhatsApp or third-party software, claiming it is necessary to “verify” or “unlock” your account.

4. UPI PIN and App Access: They sometimes trick you into entering your UPI PIN on a fake interface or getting you to approve payments unknowingly through the official app, using techniques like overlay apps or deepfakes.

5. Transaction Authorization: Once the scammer has your OTP and UPI PIN or control over your phone, they initiate multiple small or large unauthorized transfers to fraud accounts.

6. Disappearance: After transferring money, the fraudsters immediately block you or vanish from communication, leaving victims helpless.

Real Warning Signs to Watch For

• Unsolicited calls or WhatsApp messages claiming to be from your bank or UPI service.
• Pressure tactics like threats of account suspension or legal action if you don’t act immediately.
• Requests for OTPs, UPI PINs, passwords, or installation of suspicious apps.
• Calls or messages that ask you to share screenshots of banking or payment apps.
• Unusually brief or scripted communication refusing to answer specific questions.
• Payment requests from unknown accounts or unusual UPI collect requests.
• Mismatch in official phone numbers or links that don’t begin with secure “https.”

What Happens to Victims

Victims often suffer significant financial losses as scammers drain their bank accounts via UPI transactions. Since UPI payments are instant and irreversible, recovery is difficult. Emotional distress follows—feelings of violation, fear of personal data misuse (especially Aadhaar linked to bank accounts), and loss of trust in digital services.

Sometimes, victims face secondary risks like SIM swap fraud, where scammers gain control over the victim’s mobile number to receive OTPs or conduct fraudulent transactions elsewhere. Such cases complicate the process of reporting and reclaiming funds.

Victims may also face delays or denials in refunds despite RBI’s guidelines, especially if the victim shared their credentials. This adds to their frustration and loss of confidence in digital payment methods.

What RBI and CERT-In Say

RBI and CERT-In have repeatedly warned users against sharing OTPs, UPI PINs, or sensitive login credentials. The RBI mandates banks to strengthen transaction verification and restrict risky UPI features. CERT-In advises vigilance regarding phishing attempts and unauthorized apps.

The Indian government’s cybercrime helpline (dial 1930) and RBI’s customer support helpline are key resources for victims. The RBI’s circular on UPI safety reinforces that users should never share confidential banking information or technician access.

I4C has enhanced coordination between banks and law enforcement to track fraudsters, but it stresses user awareness as the foremost defense.

How to Protect Yourself

1. Never share your OTP, UPI PIN, or passwords with anyone—even if they claim to be bank officials.
2. Do not respond to unsolicited calls or WhatsApp messages related to banking or payments. Hang up immediately.
3. Avoid clicking on suspicious links or installing unknown apps sent via messaging platforms.
4. Enable UPI app notifications to instantly know if any unauthorized transaction occurs.
5. Use app locks or biometric locks for UPI/payment apps to prevent unauthorized access.
6. Regularly monitor your bank and UPI transaction history for suspicious activity.
7. Register your mobile number with Do Not Disturb (DND) services to reduce spam calls/messages.

What to Do If You've Been Targeted

• Immediately block your UPI app via your bank or the app’s customer support.
• Report the fraud to your bank’s cybercrime cell and request a freeze on your accounts if suspicious transactions are pending.
• File a complaint on the National Cybercrime Reporting Portal at cybercrime.gov.in.
• Call the 1930 cybercrime helpline to report the attempt and get guidance.
• Inform your mobile operator immediately if you suspect SIM swap or misuse.
• Keep all records of communication with fraudsters and bank officials for evidence.

Frequently Asked Questions

Q: Can the bank reverse unauthorized UPI transactions?
A: RBI guidelines allow banks to investigate and, under certain conditions, reverse fraudulent UPI payments. However, if the victim shares OTPs or PINs, banks may be exempt from liability, making prevention crucial.

Q: How do scammers get my UPI-linked mobile number?
A: Scammers use social engineering, data leaks, or call records from third parties. They may also randomly call or message mobile numbers to identify vulnerable users.

Q: Is it safe to share my Aadhaar for KYC or payment verification?
A: Aadhaar should only be shared on official, secure portals. Never share Aadhaar details via phone calls or WhatsApp messages, as scammers can misuse them for fraud.

Stay safe in India’s digital payments ecosystem! Always verify suspicious messages, calls, or payment requests at BharatSecure.app — your trusted digital fraud awareness platform.