RBI's Risk-Based Authentication for UPI Payments — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: MEDIUM

Beware in 2026: RBI’s Risk-Based Authentication Scam Targeting UPI Users in India

Scammers are exploiting RBI’s Risk-Based Authentication process to trick millions of Indian UPI users into handing over sensitive banking details and losing money.

What Is the RBI's Risk-Based Authentication for UPI Payments?

The Reserve Bank of India (RBI) introduced Risk-Based Authentication (RBA) to enhance the security of Unified Payments Interface (UPI) transactions. The idea is to apply additional checks for transactions that appear risky, such as unusually high amounts or activity from new devices. While RBA helps protect users, fraudsters have twisted this concept to trick people.

In the scam targeting Indian internet users in 2026, con artists pretend to be from RBI or your bank’s security team. They send messages or calls saying your UPI account triggered “suspicious activity” and you must complete extra authentication immediately—mimicking the official RBA alerts. Often, the fraudsters impersonate trusted apps or banks on WhatsApp, SMS, or social media, making it easy for victims to trust them.

This scam mainly targets everyday UPI users across India, especially those not fully aware of digital banking safeguards. With UPI transactions crossing trillions of rupees monthly, fraud attempts that abuse the RBA concept in this way have grown increasingly common. The Indian government’s CERT-In (Indian Computer Emergency Response Team) and the I4C (Indian Cyber Crime Coordination Centre) have issued advisories reminding users never to share UPI PINs or OTPs, in line with RBI’s anti-fraud measures.

How This Scam Works — Step by Step

  1. Initial Contact: The scam begins with a WhatsApp message, text, or call claiming to be from "RBI Risk Management" or your bank’s fraud prevention team. They warn you of suspicious UPI payment activity.

  2. Creating Urgency: The message insists you must verify your details to avoid account suspension or fraud losses. It often uses legitimate-sounding language referencing RBI policies or transaction limits.

  3. Fake Verification Link: You receive a link that appears to lead to RBI or your bank’s webpage. However, this is a phishing website designed to capture your login details, UPI PIN, or OTP codes.

  4. Request for Sensitive Info: The scammers may ask you to share your Aadhaar number, UPI PIN, or OTP under the guise of “verification” or “multi-factor authentication.”

  5. Exploitation: Once they have your UPI PIN/OTP, fraudsters carry out unauthorized payments from your linked bank account, often to unknown accounts or multiple mini-transactions that are harder to trace.

  6. Cover-Up: Victims are left unaware until they check their bank statements or get a fraud alert. By then, the money might already be transferred out, and recovery is difficult.
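
The steps above leave recognisable traces in the message itself, so a mail/SMS gateway or a help-desk triage script can flag them. The following is an added example, not BharatSecure's or RBI's own code: a heuristic that combines impersonation or urgency wording with either a non-official link or a request for secrets. The allowlist entry bank.example, the keyword lists and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts the recipient really uses. rbi.org.in is RBI's own site;
# bank.example is a placeholder for your bank's domain.
OFFICIAL_HOSTS = {"rbi.org.in", "bank.example"}

IMPERSONATION = re.compile(
    r"\b(rbi|reserve bank|risk management|fraud prevention|security team)\b", re.I)
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|suspend(ed)?|suspension|blocked)\b", re.I)
# The optional negation is captured so "never share your OTP" is not a request.
SECRET_ASK = re.compile(
    r"\b(?P<neg>never|not|don't)?\s*\b(share|send|enter|confirm|provide)\b"
    r"[^.!?]{0,40}?\b(upi pin|otp|aadhaar)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def is_official(host):
    """True only for an allowlisted host or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def triage(message):
    """Return (verdict, signals) for one SMS/WhatsApp message body."""
    signals = set()
    if IMPERSONATION.search(message):
        signals.add("impersonation")
    if URGENCY.search(message):
        signals.add("urgency")
    if any(m.group("neg") is None for m in SECRET_ASK.finditer(message)):
        signals.add("secret_request")
    for url in URL.findall(message):
        # urlparse().hostname drops any "user@" prefix, so the real host is checked.
        if not is_official(urlparse(url).hostname or ""):
            signals.add("unofficial_link")
    pressure = signals & {"impersonation", "urgency"}
    lure = signals & {"unofficial_link", "secret_request"}
    return ("likely_scam" if pressure and lure else "no_match"), sorted(signals)

# Constructed sample messages, not real captures.
SAMPLES = [
    "RBI Risk Management: suspicious UPI activity. Complete authentication "
    "immediately at https://rbi.org.in.upi-verify.example/rba or face suspension.",
    "Reminder from RBI: never share your OTP or UPI PIN with anyone.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text), "<-", text[:50])
```

The host check matters most: a link whose name merely begins with an official domain, or hides it before an "@", still resolves to the attacker's host and is flagged.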

Real Warning Signs to Watch For

What Happens to Victims

Indian UPI users victimized by this scam face immediate financial loss as scammers empty bank accounts, sometimes within minutes. Unlike debit or credit card fraud, UPI transactions are often instant and irreversible. Although RBI has guidelines for dispute resolution, in many cases, victims struggle with delayed investigations and partial or no refunds.

Beyond money loss, victims face stress and anxiety—especially since their Aadhaar-linked accounts may be further misused for identity theft or SIM swap fraud. A SIM swap can give criminals access to OTPs sent via SMS, compounding potential damage. The emotional toll includes loss of trust in digital payments, fear of repeat scams, and time wasted in reporting and recovery.

What RBI and CERT-In Say

RBI regularly issues alerts to the public warning against phishing and frauds related to UPI. They emphasize that no authentic entity will ever ask for your UPI PIN, OTP, or password. RBI’s guidelines recommend enabling app-based approvals and checking transaction alerts promptly.

CERT-In advises users to keep their devices updated, avoid clicking on suspicious links, and report cyber incidents immediately. I4C runs a 24/7 cybercrime helpline — dialing 1930 connects victims with authorities to report incidents and get guidance. The RBI banking fraud helpline is also available to assist RBI-regulated entities and customers facing fraud.

Both agencies stress awareness and caution, encouraging users to verify any security alerts or messages by contacting their bank directly through official channels, not the ones provided in suspicious messages.

How to Protect Yourself

  1. Never share your UPI PIN, OTP, or Aadhaar details over phone, WhatsApp, or SMS.
  2. Always verify messages claiming to be from RBI or banks by calling official helplines.
  3. Avoid clicking on links received via unsolicited WhatsApp messages or social media.
  4. Use official apps downloaded from Play Store or App Store — do not download apps from outside sources.
  5. Enable biometric locks or app passwords for your payment apps.
  6. Regularly check your bank statements and UPI transaction history for unauthorized activity.
  7. Immediately report and block your UPI app or bank account if you suspect compromise.

What to Do If You've Been Targeted

Frequently Asked Questions

Q1: Can RBI or my bank really contact me on WhatsApp or by phone for UPI authentication?
No. RBI and banks do not ask for UPI PIN, OTPs, or Aadhaar details over calls, WhatsApp, or SMS. Official communication happens via app notifications or emails from verified addresses only.

Q2: What should I do if I accidentally shared my UPI PIN or OTP with a scammer?
Immediately notify your bank to block your UPI ID or linked accounts. Change your UPI PIN right away and report the incident on the cybercrime portal and helpline 1930.

Q3: Is it safe to click on verification links sent by my bank for risk-based authentication?
Only click on links coming from verified official sources, like your bank’s app or website. Do not click on unsolicited links received via WhatsApp or SMS without confirming their authenticity with your bank first.


Scam messages mimicking RBI’s Risk-Based Authentication on UPI can look very convincing. Stay alert and verify suspicious alerts before acting. When in doubt, always cross-check with your bank or BharatSecure.app — India’s trusted source to protect you from digital fraud.
