Fake UPI KYC Update Scam — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 25, 2026

Severity: CRITICAL | View Full Scam Details

Beware in 2026: Fake UPI KYC Update Scam Spreading Across India

The Fake UPI KYC Update Scam is a critical cyber threat targeting millions of Indians, attempting to steal money by tricking users into sharing sensitive bank details.

What Is the Fake UPI KYC Update Scam?

This scam revolves around fraudsters impersonating well-known UPI payment platforms like Google Pay, PhonePe, Paytm, and BHIM. Their goal is to convince users that they must urgently update their KYC (Know Your Customer) details or risk losing access to their UPI-based bank accounts.

KYC is the process mandated by the Reserve Bank of India (RBI) and other authorities to verify identity and details linked with bank accounts. In 2026, with the growing number of UPI transactions exceeding 8 billion monthly, scammers are exploiting users’ trust in digital payment systems to lure them into fraudulent updates. The victims tend to be everyday users who receive messages or calls warning them of “account suspension,” “service disruption,” or “mandatory verification” through familiar platforms.

The scam is widespread across India, from metropolitan cities to smaller towns where UPI penetration has rapidly increased. CERT-In (Indian Computer Emergency Response Team) and the Indian government's I4C (Indian Cyber Crime Coordination Centre) have issued alerts warning citizens about such fraudulent KYC update requests, highlighting increased reports and losses tied to these scams.

How This Scam Works — Step by Step

Here’s the typical fraud sequence that scammers use:

1. Initial Contact via WhatsApp Message or SMS: You receive a message allegedly from Google Pay, PhonePe, or your bank’s UPI service. The message looks official, sometimes with logos, and states you must update your KYC immediately. It warns your account will be suspended otherwise.

2. Fake Link or Form: The message contains a link directing you to a website that looks exactly like the official UPI service's page asking for personal details — Aadhaar number, PAN card, bank details, or UPI PIN.

3. Verification Call or OTP Request: After submitting details, you receive an automated call or SMS with an OTP (One Time Password), or a fraudster calls pretending to be a bank officer to “verify” the OTP.

4. Sharing OTP: If you share the OTP, scammers use it to approve transactions or change UPI settings without your consent.

5. Money Transfer: Using your UPI credentials, the fraudster transfers funds from your account to unknown wallets or accounts. The victim notices unauthorized deductions but often too late.

6. Blocked Access: Victims may find their UPI apps blocked or their accounts temporarily frozen while banks investigate, increasing distress.

Real Warning Signs to Watch For

• Messages or calls claiming urgent KYC updates with threats of account suspension.
• Links that do not direct to the official UPI app or bank website URLs.
• Requests to share OTPs or UPI PIN via call, message, or chat.
• Unsolicited messages from unknown numbers or masked senders on WhatsApp.
• Misspelled app names, blurry logos, or grammatical errors in messages.
• Lack of official communication channels like SMS from your bank’s registered number.
• Pressure to act immediately or risk losing access to your bank account.

What Happens to Victims

Victims often suffer serious financial loss, as UPI transactions happen in real-time with minimal reversal options. Even though RBI allows customers to request transaction reversal, it can take weeks, and success is not guaranteed if PIN and OTP details are compromised.

Emotional distress is also common. Many victims report anxiety from losing access to their phone numbers due to SIM swap scams, which fraudsters combine with fake KYC updates to gain control over multiple accounts. The misuse of Aadhaar and personal data further complicates recovery, sometimes leading to identity theft.

With the growing dependence on UPI for daily transactions — from shop payments to salary credits — the impact on victims can be devastating.

What RBI and CERT-In Say

The Reserve Bank of India has reiterated in advisories that no bank or UPI service provider will ever ask for your UPI PIN, password, or OTP over call or messages for KYC updates. RBI’s helpline can be reached at 1800-122-7888 for immediate assistance.

CERT-In has urged Indians to report suspicious messages immediately and to avoid clicking on unknown links. The 1930 cybercrime helpline is available 24/7 for reporting cyber fraud. I4C continues to coordinate nationwide responses to such scams and works with banks and telecom providers to clamp down on fake callers and websites.

How to Protect Yourself

1. Never Share OTP, PIN, or Password: Do not provide OTPs or sensitive information to anyone, even if they claim to be bank officials.

2. Verify Sources: Always check SMS or WhatsApp messages for official sender IDs and URLs before clicking on any links.

3. Use Official Apps and Updates: Perform any UPI-related verification only via official apps downloaded from trusted stores like Google Play or Apple App Store.

4. Enable App Lock and Multi-factor Authentication: Use app locks and biometric authentication to add layers of security to your payment apps.

5. Regularly Check Bank Statements: Monitor your bank and UPI transactions frequently to spot unauthorized activities promptly.

6. Do Not Respond to Urgent KYC Requests via Phone/SMS: Legitimate KYC updates are usually communicated through your bank’s registered email or letter, never unsolicited calls or WhatsApp messages.

7. Report Immediately: Report suspicious messages and calls to your bank and local cybercrime authorities.

What to Do If You've Been Targeted

1. Freeze or Block Your UPI Payment Accounts: Immediately lock your UPI-linked bank accounts via your banking app or call customer service.

2. Change Your UPI PIN: Reset your UPI PIN from your app through a secure channel.

3. Report to Your Bank: Inform your bank to block unauthorized transactions and issue a fraud complaint.

4. File a Cybercrime Complaint: Visit the National Cyber Crime Reporting Portal at cybercrime.gov.in to lodge a complaint.

5. Call the Cybercrime Helpline: Dial 1930 to report the fraud and seek guidance.

6. Inform Your Mobile Operator: Report suspected SIM swap activity and request blocking or porting of your number.

7. Keep Documentation: Maintain records of all messages, calls, and transactions related to the scam to assist investigations.

Frequently Asked Questions

Q: Can RBI reverse unauthorized UPI transactions made due to this scam?
RBI encourages banks to provide grievance redressal, but reversals depend on the circumstances. Always report suspicious transactions immediately because faster action improves chances of recovery.

Q: How can I differentiate a fake KYC message from a genuine one?
Official KYC messages come from your bank's registered number or email and never ask for PIN or OTP. If the message includes urgent threats or strange URLs, it’s likely a scam.

Q: Is it safe to update my KYC details through WhatsApp or social media links?
No. Never update your KYC via WhatsApp or social media links. Always use official bank apps or visit your bank’s verified website for such activities.

If you receive any suspicious messages about UPI KYC updates, don’t take a risk. Verify every message and link at BharatSecure.app to stay protected against digital fraud in 2026 and beyond.