UPI Link Phishing on WhatsApp

How UPI Link Phishing on WhatsApp Works

Overview: In UPI link phishing scams, fraudsters send WhatsApp or SMS messages offering fake refunds, cashback, or urgent payments. The hidden intent is to get victims to click on malicious UPI links, leading to authorisation of unauthorised debits. This scam is especially prevalent in India due to widespread UPI adoption. How It Works: Victims receive a WhatsApp or SMS claiming a pending refund, lottery win, or cashback offer. Scammers attach a UPI collect/request link, urging recipients to approve the transaction on their UPI app (Google Pay, PhonePe, Paytm, etc). If the victim authorises, money is debited instantly. Fraudsters may also pose as customer support and convince people to share UPI PINs or OTPs. India Angle: The scam thrives among smartphone users in urban and semi-urban regions, targeting Hindi, English, Tamil, and other language speakers. College students and middle-class families are frequent victims due to familiarity with UPI payments and eagerness for cashback/reward offers. Real Examples: “Dear Customer, your Paytm wallet has a ₹500 cashback. Collect now: [malicious UPI link]” or “Your electricity bill refund is pending. Click here to receive funds.” Red Flags: - Links requiring you to "collect" or "approve" unusual payments. - Cashbacks, refunds, or rewards that seem too good to be true. - Messages from unknown numbers or unofficial bank contacts. - Requests to enter your UPI PIN or share OTP. Protective Measures: Never click on payment links from unsolicited messages. Banks or apps do not send money via “collect” requests for refunds. Do not share UPI PINs or OTPs. Use official apps for all payment activity. If Victimised: Immediately contact your bank or payment app to report the fraudulent transaction. Use 1930 helpline and cybercrime.gov.in to file a complaint with full details. Related Scams: - Fake cashback festival offers by SMS/WhatsApp. - QR code payment frauds. - Utility bill discount phishing traps.

How This Scam Works — Detailed Explanation

In India, scammers often utilize popular messaging platforms like WhatsApp to target unsuspecting victims with UPI link phishing schemes. They typically find victims through bulk messaging techniques, reaching large audiences with enticing offers. Fraudsters craft messages that mimic official notifications from banks or government bodies, claiming they are due a refund, a cashback amount, or even an unexpected lottery win. These messages are often complemented by convincing logos and color schemes of well-known apps, creating a false sense of legitimacy. Given the widespread use of UPI for online transactions, the attacks exploit the ease of access to sensitive banking information through platforms that many individuals use daily.

The tactics employed by these scammers are calculated and psychologically driven. They create a sense of urgency by suggesting that the refund or benefit must be claimed immediately, thereby compelling the recipient to act without fully digesting the potential risks. Often, these messages contain phrases like "Act fast! Your ₹500 cashback is waiting!" which play on the psychological triggers of immediate gratification and fear of missing out (FOMO). Additionally, scammers may personalize messages by using the recipient's name or referencing a recent transaction, further instilling a sense of trust. They insist that clicking the link provided will lead the user to a secure page to process their refund, when, in reality, the link leads to a malicious site designed to capture sensitive information or authorize unauthorized transactions.

Once a victim clicks on the phishing link, they are usually taken to a fraudulent webpage that resembles a legitimate payment site. The user is prompted to enter their UPI PIN or other sensitive information under the pretense of completing the payment or receipt of a refund. For instance, if a person receives a message claiming they won ₹2,000 in a contest, they may unknowingly enter their UPI details, thereby allowing the scammers to siphon off money directly from their account. In a real-world scenario, a victim might receive an SMS allegedly from a bank stating, "You've won a cashback! Click the link to redeem!". After clicking the link, they could find their bank account drained within minutes, often with no traces left to pursue.

The financial impact of UPI link phishing scams on Indian recipients can be staggering. The Ministry of Home Affairs (MHA) reported over ₹2,000 crore lost due to various online scams, with UPI phishing remaining a major contributor to this figure. CERT-In has also issued multiple advisories highlighting the rising incidents of digital fraud involving UPI transactions. With the increasing adoption of UPI—over 7,400 crore transactions recorded in the last fiscal year alone—these scams are anticipated to proliferate. The easy accessibility of UPI and its integration into daily financial transactions make it a prime target for fraud, affecting countless individuals across various demographics, including young professionals and elderly users who may not be as tech-savvy.

Spotting fraudulent UPI communications can save individuals from becoming victims of such scams. Legitimate companies and banks would never ask for sensitive information through SMS or WhatsApp messages. If a refund is in question, the official channels would direct consumers to their apps or websites to process payments safely. Moreover, one should be suspicious of unsolicited messages, especially those that create a sense of urgency or excitement. Just because a message appears visually appealing does not guarantee its authenticity. Always confirm via official customer service helplines, such as SBI at 1800-11-1109 or HDFC at 1800-202-6161, before acting on any such communication.

Visual Intelligence:

BharatSecure's AI has identified this as a used in scams targeting Indian users.

Who Does UPI Link Phishing on WhatsApp Target?

General public across India

Red Flags — How to Identify UPI Link Phishing on WhatsApp

• UPI links sent via WhatsApp/SMS for refunds or

What To Do If You Encounter UPI Link Phishing on WhatsApp

1. Report the scam immediately by calling the cybercrime helpline at 1930 or visiting cybercrime.gov.in.
2. Contact your bank's customer service to block your UPI access and prevent unauthorized transactions.
3. Change your UPI PIN and any related online banking passwords as a precaution.
4. Monitor your bank account for any unauthorized transactions and take action to dispute them.
5. Educate your friends and family about the risks of UPI link phishing on WhatsApp to help them stay safe.
6. Check your bank statements regularly to catch any suspicious activities early.

How to Report UPI Link Phishing on WhatsApp in India

• Call 1930 — National Cyber Crime Helpline (24x7)
• File a complaint at cybercrime.gov.in
• Contact your bank immediately if money was lost
• Call RBI helpline: 14440 for banking fraud

Frequently Asked Questions

What to do if I shared my OTP in a UPI scam?

Immediately contact your bank to report the incident. Use helplines like SBI 1800-11-1109 or HDFC 1800-202-6161 to block your account and prevent further unauthorized access.

How can I identify UPI link phishing scams?

Look for unsolicited messages that promise refunds, winnings, or cashback and contain links. Verify the sender and never share sensitive information through messages.

How to report UPI phishing scams in India?

You can report such scams by dialing 1930 or visiting cybercrime.gov.in. Additionally, inform your bank about the incident.

What steps should I take to recover money after being scammed?

Report the scam to your bank immediately. They can assist you in filing a dispute. Additionally, contact the cybercrime helpline at 1930 to lodge your complaint.

Verify Any Suspicious Message

Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.