Home / Advisory / India’s flagship Project UPI hit by frauds thereby Denting India’s Payments Automation Venture: How To Avoid Falling Victim To Them

India’s flagship Project UPI hit by frauds thereby Denting India’s Payments Automation Venture: How To Avoid Falling Victim To Them

Posted on
Cyber Secure India
Fraud incidents rising with surge in UPI transactions.

Unified Payments Interface (UPI) frauds have become rampant as much as it is being used by subscribers in the Indian Payment System. In April 2022 alone UPI India’s transaction Volume was projected at over 558 Crs and Valued at about Rs.9,83,303 Crs. The Popularity of NPCIs (National Payments Corporation of India) UPI through their different products is laudable and the initiative has been well appreciated by one and all for the convenience that it offers. The very fact that the products has been accepted and subscribed by over 300 Banks and Payment Service Providers (PSPs) including the large number of retail subscribers; is a proof of its popularity. Participants in UPI include: Payer (Payment Service Provider) PSP, Payee PSP, Remitter Bank, Beneficiary Bank, NPCI (NPCI Owned Transitions), Bank Account holders and Merchants.

What Is UPI?

UPI is a payment method under which users can link more than one bank account with a single mobile app or a UPI ID and make transactions without using the Indian Financial System Code (IFSC) or the account number of either the payee or recipient. The UPI ID can be set up using the bank details and the mobile number registered with the bank account. The Credentials are stored by the NPCI ecosystem and all transactions are routed through the NPCI Switch. The application will prompt an OTP (one-time password) to the user’s mobile number, which can be used to complete the registration and set a PIN. Subsequently, all transactions are linked via the Mobile Number or the UPI ID.

The user while performing transactions need not remember the recipients’ account number, account type, IFSC, and bank name.  They can transfer money by simply using the mobile number registered with the bank or the UPI ID. Users can scan a QR code to make a payment. The UPI customer is provided with a unique virtual identifier. The UPI ID is structurally formatted as: “username@bank’s initials”. This ID is unique and is the reference for all transactions and for tracking activities.

How does one install UPI and create an UPI ID?

You may follow the steps below to enable or subscribe a UPI ID:

  • Download a UPI-enabled app from the Apple App Store or Google Play Store.
  • While installation the App will prompt you to select a Language.
  • Now input the Mobile Number that you have provided to a specific Bank and to the Specific Account Details linked to it.
  • Enter the OTP sent to the mobile number to authorise.
  • Link the savings account by adding necessary details like A/c no (certain Banks allow Debit Card Number also).
  • You are there, select a PIN, which will be now used to authorise nearly all future UPI Transactions.

The Pattern of Frauds that are prevalent in the UPI Ecosystem

Recent trends and reports reflect that that in a single month, over 90,000 grievances on UPI Transactions are being reported on a regular basis. This also includes the Aadhaar-Enabled Payment System (AEPS) Transactions, which approximately amount to a few thousand cases per month. AEPS is an NPCI-led model which allows online interoperable financial inclusion transactions at PoS (micro-ATM) through the business correspondent of any bank using Aadhaar authentication. As of Mar 2022, the total value of such fraud amount to over Rs.200 Cr per month.

The scamsters have weaponised the very things that provides the convenience of the UPI Ecosystem, by luring users into inadvertently sending money. Playbooks range from ‘click to win cashback’ and ‘scan QR code to receive payments’ to ‘call customer care executive from a number listed on the internet to report a problem’. Phishing, phony accounts and apps, payment requests, and usage of PIN and OTP are among the top UPI-related frauds, other than the routine ones.

Scamsters have also evolved their customised tricks to counter users’ scepticism. They offer trial transactions involving low sums of money as a show of faith to convince their targets. For example, when a user enters the UPI PIN to ‘receive’ Rs.1/-, the amount is debited from the user’s account, but the scamsters also credit the user account with Rs.1/- at the same time, duping the user into thinking that they’ve received money. This bait is then used to perform the actual fraud, which will have a larger amount of money.

Many Cyber Experts have expressed that the UPI Transfer System itself is designed to enable criminals, to perform their scam with ease. This then poses difficulty to the investigators and also to the Banks, as these frauds are done with unconscious consent of the payer, and at the face of it cannot be classified as a culpable transaction.

In the AePS fraud, the mode of authentication using a ‘Gummy Finger” or a “Biometric Replay’, will be passed as a legitimate authentication, and this cannot be evaded and the transaction is bound to go through as legitimate.

Fraudsters  also attempt to calls up victims, most of them being elderly and pensioners and  pretends to be bank representatives to obtain users’ UPI PINs, claiming  they need it for verification purposes or to enable the account to be maintained in active state, etc. 

The sophistication of the crime is dynamic and the trickster use innovative means and individualistic pattern to perform the crime. The UPI frauds are lucrative and provides instant monitory benefits to the Attacker/Fraudster. The Redressal Mechanisms are near to none, and payments companies are left playing catch up as these scams have become more and more non-detectable. But the racket is big enough to pose a headache for those whose job it is to tackle frauds—law enforcement agencies (LEAs), the Ministry of Home Affairs (MHA), Unique Identification Authority of India (UIDAI), Banks, Payments Apps, and National Payments Corporation of India (NPCI).

To avoid falling prey to UPI scams that are prevalent as on date, follow these Do’s and Don’t’s

    • Your UPI Registration and Installation Should be Done on a Secure Device and Downloaded from Reliable Source: Installation is a sensitive process, the Masquerading of a malicious App in the name of a Legitimate Name or Appearance is a common Scam. Users should not install or download the App from un-reliable sources. The Creation of Account or UPI ID should be on a secure environment and it should be ensured that the Smart Phone is not infected with Malware or Software like ‘TeamViewer’, ‘Anydesk’, etc.
    • Do not share UPI PIN or OTP: Scammers misuse the payment request option in UPI-enabled apps to source the PIN or OTP necessary to authorise a transaction. The requested payment request and the attempt to make contact to obtain OTP or PIN, should always be viewed with suspicion. These OTPs or PINs, may be used for transactions other than intended. The OTP and PIN are never requested by any Bank or by NPCI, hence, users are required to be aware of these facts.
    • Do not open unsecured links or download questionable appsFraudsters or Scamsters have also been noted to be creating fake websites or apps as a means of UPI frauds, these may look legitimate and genuine. Scammers share such links via SMSs, wherein is required to be click by the victim; on clicking the link is redirects to a UPI-enabled app with a prompt for making payment to the account of the attacker.
    • Scan UPI IDs carefully: Fraudsters often create UPI IDs resembling credible addresses, which they circulate via legitimate method and which may look genuine. Such IDs usually look similar to those of genuine payments or transfers, but this may be the design of the scamsters.
    • Beware of payment requests when sellingBusiness persons or online sellers may receive payment requests on a UPI-enabled app from supposed customers with the prompts “Pay” and “Decline”. One of the most popular UPI scams is when a counterfeit customer asks a seller to click on the “Pay” option to receive payment.
    • Other Means of FraudOTP or PIN is a personal data, and should not be communicated to anyone (The Service Provider or Banks do not ask for such data); Do not make transitions while one is distracted by any other pre-occupied job; Do not perform transactions under pressure from anyone else; Do not share account details or transaction details on Public Social Media; Never attempt a transfer to an unknow person; Never share your screen while performing transactions on the app.


Over 50 per cent of UPI frauds are recorded in metropolitan areas, while rural demography account for less than seven per cent. The UPI Ecosystem is Architecturally Strong from System and Process Security perspective. The Fraud that has been reported is observed to be not attributable to the UPI system, as the setup is free of vulnerabilities as on date. On the other hand, the frauds happen due to weak Psychological Awareness, which the Attacker takes advantage.

%d bloggers like this: