MFA-Bypass Phishing in UPI and Payment Apps — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: CRITICAL
MFA-Bypass Phishing in UPI and Payment Apps: India’s Critical Scam Warning for 2026
MFA-Bypass phishing scams targeting India’s UPI and payment apps are growing rapidly, putting millions of digital payments users at risk of losing money and data.
What Is MFA-Bypass Phishing in UPI and Payment Apps?
MFA-Bypass phishing is a dangerous new form of fraud where scammers trick users into giving away their multi-factor authentication (MFA) codes to bypass the security checks on apps like Paytm, PhonePe, Google Pay, and other UPI-enabled platforms. With over 200 million active UPI users in India, this scam exploits the high trust people place in these apps and the widespread use of WhatsApp and SMS as communication channels.
This scam targets anyone using digital payments but especially those less familiar with digital security best practices or who are influenced by urgent messages that seem to come from banks or app customer support. Fraudsters posing as service representatives often send links mimicking official login or OTP verification pages, convincing users to enter credentials and OTPs. According to public complaints registered with cybercrime cells and advisories from CERT-In and the Indian Cyber Crime Coordination Centre (I4C), such phishing attempts have surged since late 2023 and continue to evolve in sophistication.
RBI and CERT-In have issued general advisories about phishing and the misuse of OTPs, warning users never to share OTPs or sensitive details over calls or messages. However, the MFA-Bypass scam goes a step further—tricking the victim into actively giving away the MFA codes that usually act as the last line of defence in UPI and payment app security.
How This Scam Works — Step by Step
1. Initial Contact via WhatsApp or SMS: The victim receives a message or call claiming to be from their bank or the payment app’s helpdesk. This message often warns about suspicious activity on their account or offers urgent help to fix a technical issue.
2. Phishing Link Shared: The caller or message asks the victim to click on a link to “verify their identity” or “secure their account.” This link leads to a fake login page made to look exactly like the official Paytm, PhonePe, or Google Pay website.
3. Fake Login and OTP Request: When the victim enters their login details, the scammer immediately uses them on the real service, which triggers a real MFA prompt (usually an OTP or app-based approval request) on the victim’s phone through the official app.
4. Psychological Pressure to Share MFA: The caller claims that to “confirm the transaction” or “fix the issue,” the victim must share the OTP or app approval code received on their phone.
5. MFA Bypass and Fund Transfer: After receiving the MFA code, the scammer enters it on the real app, authorizing a transaction that transfers money to their account. Since MFA is bypassed in real time, bank or UPI systems see the transaction as legitimate.
6. Victim Realizes the Loss: After the scammer logs out or deletes evidence, the victim only realizes their money is missing when they check their bank or UPI app.
Real Warning Signs to Watch For
- Unexpected calls or messages claiming to be from banks or payment apps requesting urgent verification.
- Links sent via WhatsApp or SMS that don’t come from official app sources or are misspelled URLs.
- Requests to enter login details on a website after a message or call, especially if asked to share OTP or MFA codes over the phone or chat.
- Pressure tactics insisting “you must do this now” or threats of account suspension.
- Requests to approve transactions you did not initiate.
- Messages with poor grammar, suspicious sender numbers, or unofficial email addresses.
- MFA codes asked for verbally or via chat rather than entered by the user in the app.
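For teams that triage reported links, the URL warning signs above can be turned into a first-pass check. The following Python is an added example, not BharatSecure code; it goes slightly beyond misspelled domains to also cover brand names embedded in other hosts, text before `@`, and punycode labels. The allowlist, brand tokens, and sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist and brand tokens: confirm with each provider before use.
OFFICIAL_DOMAINS = {"paytm.com", "phonepe.com", "pay.google.com"}
BRAND_TOKENS = ("paytm", "phonepe", "googlepay", "gpay")
# Constructed sample links (the .example TLD is reserved and never resolves).
SAMPLES = (
    "https://pay.google.com/", "https://paytm-kyc-verify.example/login",
    "https://phonepe.com.secure-login.example/otp", "https://phonpe.example/",
    "https://paytm.com@login.example/",
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_link(url: str) -> str:
    """Return 'official', 'unknown', 'invalid' or 'suspicious: <reason>'."""
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    labels = host.split(".")
    if parts.username is not None:  # e.g. https://brand.com@other-host/
        return f"suspicious: text before '@' is not the host; real host is {host}"
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    if any(label.startswith("xn--") for label in labels):
        return "suspicious: punycode label, possible look-alike characters"
    squashed = host.replace("-", "").replace(".", "")
    for brand in BRAND_TOKENS:
        if brand in squashed:  # brand name used somewhere in a non-official host
            return f"suspicious: brand '{brand}' on non-official host {host}"
        if any(edit_distance(label, brand) == 1 for label in labels):
            return f"suspicious: a label in {host} is one edit away from '{brand}'"
    return "unknown"


if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{link} -> {triage_link(link)}")
```

A verdict of `unknown` means only that none of these checks fired; it is not a statement that the link is safe.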
What Happens to Victims
Victims often lose significant amounts in INR, sometimes running into tens of thousands depending on their UPI limits and linked bank accounts. Because UPI transactions happen instantly and irreversibly, victims rarely get immediate refunds unless reported promptly. Emotional distress is also high, with victims feeling betrayed by “trusted” apps and frustrated by the technical nature of the scams.
In many cases, scammers also misuse Aadhaar-linked authentication and perform SIM swap frauds to gain control over victims’ phones, compounding losses and making account recovery difficult. The financial impact can include drained bank savings, blocked credit limits, and in some cases, consequences for unpaid bills or loans tied to stolen funds.
What RBI and CERT-In Say
RBI guidelines emphasize that customers should never share OTPs or internet banking passwords with anyone, even if the caller claims to be from the bank. RBI’s customer protection framework for UPI makes banks liable for transactions confirmed without customer consent if the fault lies with the bank’s security, but not for scams exploiting customer negligence.
CERT-In and the Indian Cyber Crime Coordination Centre (I4C) recommend vigilance against phishing messages and urge users to report suspicious activity immediately via the national cybercrime portal or the 1930 cybercrime helpline. These authorities have issued advisories cautioning against sharing personal data and MFA details over calls or chat apps.
How to Protect Yourself
- Never share OTPs, passwords, or app approval details with anyone, even if they claim to be from your bank or payment app.
- Always open payment or UPI apps directly via their official app or website, not through links received on WhatsApp or SMS.
- Verify any suspicious calls by independently contacting your bank’s official helpline number.
- Enable app lock features and biometric authentication wherever possible.
- Regularly update apps and your mobile device to the latest versions for security patches.
- Check transaction alerts promptly and report any unauthorized activity immediately to your bank and to the cybercrime helpline 1930.
- Use the official UPI PIN for transactions and never share this PIN.
What to Do If You've Been Targeted
- Immediately block your payment app or bank account via official channels.
- Change your UPI PIN and related passwords as a precaution.
- Report the incident to your bank’s fraud department and request a freeze on suspicious transactions.
- File a complaint on the national cybercrime reporting portal at cybercrime.gov.in.
- Call the 1930 cybercrime helpline for guidance on next steps.
- Keep records of all messages, calls, and transaction screenshots for investigation.
- Consider contacting local police cybercrime cells for assistance with SIM swap or data theft issues.
Frequently Asked Questions
Q: Can sharing an OTP really lead to my bank account being hacked?
Yes. OTPs are multi-factor authentication codes that confirm transactions. If scammers obtain your OTP and login credentials through phishing, they can authorize payments from your account.
Q: How can I tell if a UPI app login page is fake?
Look closely for website URL misspellings, unusual domain names, or pages that ask for credentials immediately after a message or call. Official apps rarely ask you to visit external links for authentication.
Q: What should I do if I accidentally shared my MFA code with a caller?
Immediately inform your bank about the possible fraud and change your UPI PIN and app passwords. Report the issue on cybercrime.gov.in and call the 1930 helpline for further help.
Stay alert and protect your money by double-checking every message and call you receive. For any suspicious messages claiming to be from your bank or UPI app, verify at BharatSecure.app and report fraud immediately via 1930.
Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.