MFA-Bypass Phishing in UPI and Payment Apps
INDIA — By BharatSecure Threat Intelligence Team
Verdict: Suspicious | Risk Score: 9/10 | Severity: critical
Category: UPI, WhatsApp, Phishing
How MFA-Bypass Phishing in UPI and Payment Apps Works
Overview: This scam targets users of UPI and digital payment apps (Paytm, PhonePe, Google Pay), using advanced phishing kits that can steal not just passwords or PINs, but also session tokens that bypass two-factor authentication (MFA/2FA). Victims face instant loss of control over their payment accounts—fraudsters transfer money or abuse linked credit cards until the session expires.
How It Works: The attacker sets up a fake login page that copies a real payment app’s login screen. Rather than directly asking for your OTP, the site secretly ‘acts’ as the user by capturing the session—you enter your details and receive a real OTP from your bank or app. After entering the OTP, scammers access your live account session, moving money or updating linked devices before logging you out.
India Angle: UPI customers across India, especially those in cities with high e-wallet usage, are frequently targeted. These attacks often begin with WhatsApp or SMS links claiming payment failures, UPI blockages, or cashback offers. Victims include both tech-literate youth and older family members.
Real Examples: ‘Update Paytm security: login and verify your account. Visit: paytm-security[dot]shop’. After entering OTP, users are instantly logged out and notice funds moved.
Red Flags:
- Payment links requiring login on unfamiliar pages
- Genuine-looking portals with minor differences in branding
- Requests to complete an extra OTP challenge after initial entry
- Loss of session/control after giving credentials
Protective Measures:
- Never click on payment links from unknown senders
- Type UPI/payments app address[ADDRESS_REDACTED]
- Always verify official app publisher before downloading
- Set transaction alerts/limits; use app PIN and biometric security
If Victimised:
- Contact your bank and payment app support immediately
- Report to 1930 and cybercrime.gov.in
- Change account PINs and monitor recent transactions
Related Scams:
- Fake cashback UPI phishing
- QR code payment frauds
How This Scam Works — Detailed Explanation
Scammers are increasingly targeting users of UPI and digital payment apps such as Paytm, PhonePe, and Google Pay through sophisticated MFA-Bypass Phishing tactics. They typically find and approach victims by exploiting social engineering techniques, particularly through WhatsApp and SMS. They often present themselves as representatives from banks or customer support, luring users into clicking on malicious links. These links direct victims to counterfeit login pages that closely mimic the official apps. In India, a country with over 200 million UPI users, these phishing websites are alarmingly convincing, making it easy for unsuspecting users to enter their sensitive information.
Once victims land on these fake pages, the attackers employ various psychological tricks to increase the likelihood of success. They may create a sense of urgency by claiming the user needs to verify their account due to suspicious activity or limited-time offers. By mimicking the fonts, colors, and layouts of real payment applications, they build trust with the user. Furthermore, attackers often instruct victims to enter the OTP received via SMS, promising that this is a part of login verification. This is particularly harmful as even technically savvy users may find it difficult to differentiate between real and fake prompts.
After entering their login credentials and OTP, victims unknowingly relinquish control over their accounts. These credentials set off a chain reaction: once logged in, the attackers, now having full access, can steal session tokens that allow them to bypass MFA protections altogether. For example, in just a single incident earlier this year, a customer of a major private bank lost ₹25 lakhs within minutes due to such a scam. The perpetrators transferred money out of the victim's account, leaving them with no control over the funds. This type of attack is not just theoretical; real individuals have faced significant financial ruin, with reports indicating losses in excess of ₹10 crore across the nation due to similar tactics.
The impacts of these scams on India’s digital payment ecosystem are severe, prompting warning signals from regulators like the Reserve Bank of India (RBI) and the Ministry of Home Affairs (MHA). According to recent advisories from CERT-In, the national Computer Emergency Response Team, the rise in MFA-Bypass Phishing activities poses serious risks to the rapidly expanding UPI landscape. Victims who fall prey to these scams often find themselves embroiled in lengthy disputes with banks that may take time to resolve. For some, the emotional toll and financial devastation can be profound, causing stress and uncertainty.
To identify this type of scam versus legitimate communications, users should keep an eye out for several red flags. Be wary of UPI or payment app login pages that do not match the official app domain name. Any request for an OTP beyond the initial login session should raise suspicions, as should links received through unsolicited WhatsApp messages or SMS. If you experience an instant logout or loss of account access after entering your OTP, this is a clear indicator that something has gone wrong, and immediate action should be taken. Always ensure that you are accessing your payment app directly through verified apps downloaded from legitimate sources, rather than through links that might lead you to counterfeit sites.
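The domain-mismatch red flag above can be checked mechanically. The following is an added example, not BharatSecure's own code: it pulls link hosts out of a message (including defanged ones such as the lure quoted on this page) and compares them with an allowlist. The `OFFICIAL` table, the function names and the `.example` hosts used to exercise it are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: illustrative allowlist; build the real one from provider-published domains.
OFFICIAL = {
    "paytm": {"paytm.com"},
    "phonepe": {"phonepe.com"},
    "gpay": {"pay.google.com"},
    "googlepay": {"pay.google.com"},
}
URL_RE = re.compile(r"(?:https?://)?[^\s/]+\.[a-z]{2,}(?:/\S*)?")

def refang(text):
    """Lower-case and undo common defanging ([dot], [.], hxxp)."""
    text = text.lower().replace("hxxp", "http")
    return re.sub(r"\[(?:dot|\.)\]", ".", text)

def hosts_in(text):
    """Return the hostname of every link-like token in a message."""
    hosts = []
    for token in URL_RE.findall(refang(text)):
        url = token if "://" in token else "http://" + token
        try:
            host = urlsplit(url).hostname  # drops any user@ prefix
        except ValueError:
            continue
        if host:
            hosts.append(host.rstrip("."))
    return hosts

def classify(host):
    """official: the host is, or is a subdomain of, an allowlisted domain.
    impersonation: a brand keyword appears in any other host.
    unverified: no brand match; still not a page to log in on."""
    allowed = {d for domains in OFFICIAL.values() for d in domains}
    if any(host == d or host.endswith("." + d) for d in allowed):
        return "official"
    squashed = host.replace("-", "").replace(".", "")
    if any(brand in squashed for brand in OFFICIAL):
        return "impersonation"
    return "unverified"

def check_message(text):
    return [(host, classify(host)) for host in hosts_in(text)]

# The lure quoted on this page, as it would arrive in a message.
SAMPLE = "Update Paytm security: login and verify your account. Visit: paytm-security[dot]shop"
if __name__ == "__main__":
    print(check_message(SAMPLE))
```

Matching on the full host suffix rather than on a substring is what keeps hosts like `paytm.com.kyc-update.example` from passing as official.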
Who Does MFA-Bypass Phishing in UPI and Payment Apps Target?
General public across India
Red Flags — How to Identify MFA-Bypass Phishing in UPI and Payment Apps
- UPI/payment login pages that aren't from official apps
- Requests for OTP beyond initial login or after error
- Links received on WhatsApp or SMS for urgent payment update
- Instant logout or loss of account access after OTP entry
What To Do If You Encounter MFA-Bypass Phishing in UPI and Payment Apps
- Report the incident immediately by calling the cybercrime helpline at 1930 or visiting cybercrime.gov.in.
- Contact your bank's customer service to block your account — for SBI, dial 1800-11-1109 and for HDFC, call 1800-202-6161.
- Change your UPI and banking passwords immediately and enable two-factor authentication for added security.
- Monitor your bank statements closely for any unauthorized transactions and report them to your bank right away.
- Educate your friends and family about this scam to help them avoid falling victim in the future.
- Consider reaching out to a legal advisor if you've lost a significant amount, as you may need assistance for recovery.
How to Report MFA-Bypass Phishing in UPI and Payment Apps in India
- Call 1930 — National Cyber Crime Helpline (24x7)
- File a complaint at cybercrime.gov.in
- Contact your bank immediately if money was lost
- Call RBI helpline: 14440 for banking fraud
Frequently Asked Questions
- What to do if I shared my OTP in a UPI scam?
  Immediately contact your bank using their helpline and inform them about the situation. Also, report the incident at cybercrime.gov.in.
- How can I identify MFA-Bypass Phishing scams?
  Look for fake login pages that may appear similar to the official apps but have different URL addresses or additional requests for OTPs.
- How do I report a UPI scam in India?
  You can report the scam to the cybercrime helpline at 1930, visit cybercrime.gov.in, and also notify your bank immediately.
- How do I recover my funds after falling victim to this scam?
  Contact your bank to report fraud and request a transaction reversal. Additionally, consider filing a complaint with cybercrime.gov.in.