UPI, card payment changes: RBI’s new digital payment rules from April 1; Why OTP alone won’t work now — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: MEDIUM

UPI & Card Payment Changes Scam 2026: Why OTP Alone Won’t Protect You in India

Scammers are exploiting RBI’s new digital payment rules from April 1, 2023, to trick Indians into revealing sensitive data — and OTP verification is no longer enough to keep you safe.

What Is the UPI, Card Payment Changes Scam and RBI’s New Digital Payment Rules?

Beginning April 1, 2023, the Reserve Bank of India (RBI) mandated stronger customer authentication (SCA) for digital payments, including UPI and card transactions. This means that, for high-value or risky transactions, a one-time password (OTP) alone will not be sufficient; additional authentication factors are required to enhance security.

Unfortunately, cybercriminals have seen this change as an opportunity. The scam targets everyday Indian users who regularly use UPI apps like Google Pay, PhonePe, or BHIM, and debit/credit cards for payments. India’s rapidly growing digital payment ecosystem, with billions of transactions monthly, gives scammers a broad hunting ground.

The scam has spread widely, capitalizing on popular communication channels like WhatsApp, where fraudsters impersonate bank officials or digital payment apps’ customer service. These scammers rely on social engineering to gain victims' trust, citing bogus RBI guidelines, urgent security alerts, or fake promotional offers. The Indian government’s Computer Emergency Response Team (CERT-In) and the Indian Cyber Crime Coordination Centre (I4C) have issued alerts warning users about such fraudulent tactics, emphasizing vigilance amid these rule changes.

How This Scam Works — Step by Step

  1. Initial Contact: The victim receives a WhatsApp message or call allegedly from SBI, HDFC, or another major bank’s customer support. The message might mention RBI’s “new rules” and urge immediate verification to avoid transaction failures or account blocks.

  2. Fake Offers or Security Alerts: Scammers often lure victims by offering exclusive cashback or rewards, or by warning about suspicious activity that requires action.

  3. Request for OTP and Additional Details: The fraudster convinces the victim to share the OTP received during a supposedly necessary verification or payment attempt. They may also ask for the UPI PIN, card CVV, or Aadhaar-linked authentication details, presenting these requests as “safe steps” under RBI’s new guidelines.

  4. Transaction Authorization: While the victim is distracted, scammers initiate unauthorized UPI or card transactions using the stolen details combined with social engineering tactics. Since RBI’s new rule requires two-factor authentication, fraudsters exploit the victim’s willingness to share both factors through deceptive prompts.

  5. Victim’s Money is Drained: With both factors in fraudsters’ hands, attackers successfully authorize payments or withdrawals. Reversals are difficult once OTP and PINs are compromised.

  6. Disappearance: Scammers often cut all contact; victims realize what has happened only later, after checking bank statements or receiving payment failure messages.
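
The indicators in the steps above (an RBI rule-change pretext, a lure or threat, and a request for an OTP, PIN, CVV or Aadhaar detail) can be combined into a simple triage check for inbound messages. The Python sketch below is an added example, not BharatSecure's or any bank's code; the word lists, function names and sample messages are assumptions constructed for illustration.

```python
import re

# Indicator families follow the steps above; the word lists are illustrative assumptions.
SIGNALS = {
    "rbi_pretext": re.compile(r"\brbi\b[^.!?]{0,40}\b(new|rules?|guidelines?)\b", re.I),
    "urgency": re.compile(r"\b(immediately|urgent(ly)?|blocked|suspended|fail(ed|ure)?)\b", re.I),
    "lure": re.compile(r"\b(cashback|rewards?|offers?)\b", re.I),
}
# A request to hand over a secret: an "ask" verb followed closely by the secret's name.
ASK = re.compile(r"\b(share|send|tell|provide|confirm)\b[^.!?]{0,40}?\b(otp|pin|cvv|aadhaar)\b", re.I)
# Genuine bank alerts use the same words as a warning ("Do not share OTP"),
# so a negation in the same sentence clears the hit.
NEGATED = re.compile(r"\b(never|do not|don['’]?t)\b[^.!?]{0,20}\b(share|send|tell|provide)\b", re.I)

def asks_for_secret(message):
    """True if any sentence solicits an OTP/PIN/CVV/Aadhaar value without negating it."""
    for sentence in re.split(r"(?<=[.!?])\s+", message):
        if ASK.search(sentence) and not NEGATED.search(sentence):
            return True
    return False

def triage(message):
    """Return the matched indicator names and a verdict for one inbound message."""
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(message))
    if asks_for_secret(message):
        hits.append("credential_request")
        verdict = "likely_scam"    # banks never ask for these over a call or chat
    elif "rbi_pretext" in hits and len(hits) > 1:
        verdict = "suspicious"     # rule-change pretext combined with a lure or a threat
    else:
        verdict = "no_indicators"
    return {"signals": hits, "verdict": verdict}

# Constructed sample messages (not real captures).
SAMPLES = [
    "Dear customer, as per RBI new rules your SBI account will be blocked today. "
    "Share the OTP sent to your phone immediately to verify.",
    "Your OTP for a payment of INR 499 is 482913. Do not share OTP with anyone.",
    "Exclusive cashback under RBI new guidelines. Reply now to claim your reward.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text)["verdict"], "<-", text)
```

The second sample is the case that matters most: a genuine OTP alert mentions sharing the OTP only to forbid it, and the sentence-level negation check keeps it from being flagged.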

Real Warning Signs to Watch For

What Happens to Victims

Indian users who fall prey often lose significant sums from their linked accounts, with a single fraud sometimes draining INR 10,000 to lakhs. Given the widespread use of UPI apps for everyday transactions, affected individuals face sudden financial distress with little recourse for immediate reversal.

Emotionally, victims experience anxiety, distrust toward digital banking, and embarrassment. There may be complications around Aadhaar misuse if biometric or OTP-based Aadhaar authentication is compromised. In certain cases, SIM swap fraud can exacerbate the issue, letting scammers intercept OTPs directly.

Victims also bear the burden of grievance redressal, often lacking immediate clarity on recovery timelines. RBI’s payment dispute mechanisms may not cover cases where the customer unknowingly authorized the transaction.

What RBI and CERT-In Say

RBI has issued clear instructions on two-factor authentication and cautions customers never to share OTPs, PINs, or passwords. Public advisories remind users that banks and UPI apps will never ask for complete credentials over calls or messages.

CERT-In and the I4C have warned about rising OTP frauds exploiting RBI’s rule changes and emphasize reporting suspicious calls or messages immediately. The RBI Banking Ombudsman and the National Cyber Crime Reporting Portal (cybercrime.gov.in) are recommended complaint channels. For immediate assistance, RBI’s helpline (1800 425 3800) and CERT-In’s cybercrime helpline number 1930 are available 24/7.

How to Protect Yourself

  1. Never Share OTPs or PINs: Neither RBI nor your bank will ask you for these over a call or WhatsApp.
  2. Verify Official Sources: Always check SMS or app notifications for transaction alerts instead of trusting WhatsApp messages.
  3. Enable App-Based Authentication: Use biometric or app-generated PINs for UPI and card payments where possible.
  4. Update Mobile Apps & OS: Keep your UPI app and phone software updated to benefit from security patches.
  5. Decline Unsolicited Messages: Don’t click on suspicious links or respond to offers about RBI rule changes.
  6. Check Bank Statements Frequently: Review your account activity daily for unauthorized transactions.
  7. Report Suspicious Activity Promptly: Use the RBI helpline or visit cybercrime.gov.in at the first sign of fraud.

What to Do If You’ve Been Targeted

  1. Immediately block your UPI app or card via internet banking or mobile app.
  2. Contact your bank’s customer service urgently and inform them about fraudulent transactions.
  3. File a complaint on the National Cyber Crime Reporting Portal (cybercrime.gov.in).
  4. Call the CERT-In helpline at 1930 and the RBI helpline at 1800 425 3800 for further guidance.
  5. Inform your mobile network provider to prevent or report SIM swap fraud.
  6. Change all related passwords and PINs after reporting.
  7. Keep a full record of complaint numbers and communications for follow-up.

Frequently Asked Questions

Q: Why won’t OTP alone work according to RBI’s new rules?
A: RBI’s updated guidelines require additional authentication beyond OTP, such as biometrics or app-based PINs, to reduce fraud risks. OTP alone can be stolen or intercepted, making it insufficient.

Q: Can I reverse unauthorized UPI payments if OTP was shared?
A: Generally, no. If the transaction was authorized with your OTP or PIN, banks treat it as valid, limiting chances for reversal. Immediate reporting is critical to contain damages.

Q: How can scammers get my Aadhaar details during this scam?
A: Through social engineering, scammers trick victims into sharing Aadhaar-linked OTPs or biometric authentication through fake calls or WhatsApp messages, enabling misuse.


Stay alert to suspicious messages about RBI payment rule changes and never share your OTP, PIN, or Aadhaar details with anyone. When in doubt, verify all communications on BharatSecure.app — India’s trusted platform against digital fraud. Protect your money, protect your identity.
