RBI mandates 2FA for digital payments to enhance security — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: MEDIUM

RBI Mandates 2FA for Digital Payments Scam in India 2026: How Fraudsters Exploit UPI Security Rules

A new digital payment scam is targeting Indian users by misusing RBI’s mandated two-factor authentication (2FA) for online transactions, putting UPI users at medium risk of losing money.

What Is the RBI Mandates 2FA for Digital Payments Scam?

In 2026, the Reserve Bank of India (RBI) has reinforced security by mandating two-factor authentication (2FA) for all digital payments, including UPI transactions, to reduce fraud and protect consumers. While this move improves safety overall, cybercriminals have started exploiting confusion around these new 2FA rules to trick people into sharing sensitive OTPs (One-Time Passwords) and UPI PINs.

In this scam, fraudsters send fake messages or calls claiming to be from RBI or well-known banks, informing users that 2FA is now mandatory and asking them to confirm their UPI credentials urgently. Such scams primarily target everyday Indian digital payment users, including senior citizens and those unfamiliar with RBI’s official procedures. The scam has spread widely in metro cities like Delhi, Mumbai, Bengaluru, and regional towns where UPI is heavily used.

Authorities like RBI, CERT-In, and the Indian Cyber Crime Coordination Centre (I4C) have cautioned the public against sharing OTPs or UPI PINs and clarified that RBI never calls or messages customers asking for such details. The scam is currently marked at medium severity with a risk score of 5/10, but it causes significant financial losses and distress among victims.

How This Scam Works — Step by Step

  1. Initial Contact: The victim receives a call or WhatsApp message claiming to be from RBI or their bank, stating that 2FA for digital payments has been newly enforced and they must update their UPI account instantly.

  2. Urgent Request for Details: The caller says this update is mandatory and time-sensitive, asking the user to share the OTP sent to their registered mobile number or to confirm their UPI PIN for “verification” purposes.

  3. Phishing Link or Fake App: Sometimes users receive a link to a fake RBI or bank website or app update prompt, tricking them into entering UPI credentials or Aadhaar details.

  4. Account Access: Using the stolen OTP, UPI PIN, or login details, the fraudsters initiate unauthorized money transfers from the victim’s linked bank account via UPI apps.

  5. Victim Realizes Loss: After the transaction, victims notice the unauthorized withdrawals, but by then the money has already been sent to the fraudsters' accounts and is very difficult to trace or recover.

Real Warning Signs to Watch For

What Happens to Victims

Victims of this scam suffer financial losses as fraudsters siphon off funds directly from their bank accounts via UPI. Since UPI payments are instant and irreversible in most cases, victims find it hard to recover stolen amounts. Emotional distress often follows, especially for older or less tech-savvy users who feel violated and fearful of further identity misuse.

Besides loss of money, some victims face Aadhaar-related identity fraud if details were entered on fake websites. Others have reported SIM swap impacts, where fraudsters take control of mobile numbers used for OTP verification, enabling repeated fraud. Reversals or dispute resolutions through banks and UPI apps can be slow and complex, causing frustration.

What RBI and CERT-In Say

The Reserve Bank of India has issued multiple advisories reminding users that it never asks for UPI PINs or OTPs via calls or SMS. RBI’s official guidelines emphasize keeping payment credentials confidential and using only authentic banking apps.

CERT-In advises users to verify sources of any messages requesting sensitive information and to report suspicious calls immediately. India’s 1930 cybercrime helpline, operated by the Ministry of Home Affairs, supports victims facing digital fraud and guides them on filing complaints.

The Indian Cyber Crime Coordination Centre (I4C) also works to raise awareness and coordinate action against growing UPI fraud. All Indian digital payment users should familiarize themselves with these official channels and helplines.

How to Protect Yourself

  1. Never share your UPI PIN, OTP, or password with anyone, even if they claim to be RBI or bank officials.
  2. Ignore calls or messages asking you to update UPI apps via unknown links; always use official app stores.
  3. Enable app lock and biometric security on your UPI app to prevent unauthorized transactions.
  4. Regularly monitor your bank and UPI transaction alerts for any suspicious activity.
  5. Register your mobile number with DigiLocker and flag SIM swap attempts proactively with your mobile operator.
  6. Use Multi-Factor Authentication (MFA) wherever available and avoid logging into financial apps on public Wi-Fi.
  7. Report any suspicious calls or messages to 1930 and file complaints via cybercrime.gov.in promptly.

What to Do If You’ve Been Targeted

Frequently Asked Questions

Q: Can RBI or my bank call me to ask for my UPI PIN or OTP for 2FA?
A: No. RBI and banks never call or message asking for your UPI PIN or OTP. These are confidential and must not be shared with anyone.

Q: What should I do if I receive a message about mandatory 2FA updates for my UPI app?
A: Verify any such message only through your bank’s or RBI’s official websites or customer service. Do not click on any suspicious links in SMS/WhatsApp.

Q: Is it possible to get my money back if I fall victim to this scam?
A: Recovering money after UPI fraud is difficult, but you should immediately report the incident to your bank, cybercrime authorities, and helpline 1930. Quick action increases the chances of recovery.

For all suspicious calls or messages about RBI mandates and UPI security, verify at BharatSecure.app and report fraud promptly at 1930 to protect yourself and others.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.
