Introduction
₹24.77 lakh crore worth of transactions were recorded through UPI in March 2025, setting a new all-time high. Alongside this record, ₹485 crore was lost to UPI payment frauds in the same financial year. This shows that scams targeting a product rise in direct proportion to the surge in its usage. Banks and financial institutions face massive security challenges in keeping up with this cause-and-effect relationship. Indifference, or failure to set up robust fraud prevention technology, can add to the fraud losses mentioned above.
To explain the spike in UPI frauds, this blog analyses the rise of UPI payment scams, their recent trends and tactics, and finally, the preventive measures that can counter them.
Rise of UPI Frauds
After COVID-19, the Unified Payments Interface (UPI), which was launched in 2016, started to gain momentum because it allowed touchless transfer of money from anywhere to anywhere. This drew the attention of fraudsters and led them to target UPI, and the count has grown to 6.32 lakh UPI transaction fraud cases in the financial year 2025.
There are several contributing factors to this recent escalation of UPI frauds. The major factors are as follows:
1. Massive User Count
Over 350 million active UPI users have been recorded in recent years, which means multiple bank accounts are pooled into one mode of transaction. This is a paradise for fraudsters, who exploit the scale and speed of the system to launch large volumes of low-value attacks, often going unnoticed until significant losses occur. With such a vast and growing user base, even a fractional success rate can result in millions being syphoned off through impersonation, phishing, and social engineering tactics.
2. Lack Of Verification Of Beneficiary Names
UPI transactions typically display only a virtual payment address or account number. Without automatic name verification before confirmation, users may unknowingly transfer funds to fraudulent accounts that mimic legitimate ones.
3. Convenience Leading to Carelessness
As technological advancement has made UPI transfers easier than other modes of transaction, user behaviour has become casual. Most users fail to check the authenticity of QR codes, the recipient’s name, and the receiver’s account details. This lack of vigilance, together with the absence of strong passwords and biometrics, gives UPI fraudsters easy access and leads to unauthorised UPI transactions.
4. Real-Time Transactions are Irreversible
Unlike other methods of transaction, UPI transactions are irreversible once they are approved and processed. Aware of such technological gaps in the security system, fraudsters create a sense of urgency to manipulate customers into transferring their money without any clarification or verification.
5. Technical Vulnerabilities and App Cloning
Fraudsters exploit security loopholes by distributing fake UPI apps or using screen-sharing malware that allows them to view and manipulate user actions. Users who download apps outside official app stores or click phishing links are particularly vulnerable.
6. First-Time Digital Users
Many users who turned to digital payments during or after the pandemic lack cyber awareness. This inexperience makes them more susceptible to social engineering scams, including fake customer care numbers, UPI collect requests, and phishing messages.
7. Rise in Sophisticated Fraud Techniques
Regrettably, fraudsters frequently outpace financial institutions, adopting emerging technologies more quickly than the institutions can enhance their security measures. This gap has created an urgent need for more advanced and adaptive financial security systems.
Recent Trends and Tactics of UPI Fraud
Phishing
Phishing involves manipulating users into believing that links sent by fraudsters through social media, websites, or messages are legitimate. This method of social engineering is used to steal UPI credentials and sometimes to get users to approve a request to a malicious system.
Vishing (Voice Phishing)
Similar to phishing, vishing scams users through phone calls in which the fraudster poses as a bank representative or, in many cases, as an RBI official. The fraudster tries to obtain sensitive bank details and urges the customer to take action, such as transferring money into the fraudster’s account in the name of a fine, a credit card retrieval cost, etc.
A Times of India report shared how a fraudster posing as a banker used vishing to trick a man into entering his UPI PIN for an ₹8,999 payment. Luckily, he recognised the scam in time and avoided the loss.
QR Code Scams
Through ads, offers, messages, and posters, fraudsters trick people into scanning QR codes that could directly transfer the victim’s money into their accounts.
In Pune, India, a cop was scammed while trying to scan a QR code at a local bakery. It was revealed that the owner’s QR code had been replaced with the fraudster’s QR code, resulting in a loss of 2.3 lakhs.
Small Transaction Focus
Fraudsters are now employing a new tactic—stealing small amounts of money that often go unnoticed or unreported by users. With a vast user base, these minor deductions accumulate into significant gains for the fraudsters, allowing them to escape with large sums while drawing little to no attention.
Fraudulent UPI Collect Requests (“Refund” Scams)
Fraudsters send ‘request money’ links under the false pretence of refunding money from banks, individuals or other organisations. In some cases, they deceive users by claiming they’ve won prizes or redeemable coupons, tricking them into approving payment requests and falling into the scam.
Fake UPI Apps and Cloned Interfaces
Fraudsters are increasingly creating fake UPI apps and payment websites, which have scammed almost ¾ of the user base into believing that they are authentic because of their close resemblance to the originals. They also trick users into thinking that payments have been made to the users’ accounts by mistake or as gift vouchers, and they share fabricated screenshots, receipts, and bank statements.
Remote Screen-Sharing and Malware Attacks
Cyber attackers trick users into downloading malicious apps that gain control over their devices. These apps often enable screen sharing or covert monitoring, allowing fraudsters to access sensitive financial information. In many cases, they also install malware, putting the user at serious risk of data theft and financial fraud.
SIM Swapping/Cloning
SIM swapping/cloning is a fraud where criminals take control of your phone number, often by tricking your mobile provider or, less commonly, by creating a duplicate SIM card. This allows them to intercept SMS and calls, including OTPs, to access your online accounts like banking and social media. Protecting yourself involves strong account security, enabling MFA via authenticator apps, and being cautious about sharing personal information.
Preventive Measures Against UPI Frauds
1. Technology-Based Interventions For Security And Compliance
The primary and most crucial security measure is adopting resilient and uncompromising technologies like FRM (Fraud and Risk Management) solutions. Typically, FRM solutions should include the following features:
- True Real-Time, Risk-Based Transaction Monitoring: Continuously scanning each transaction against behavioural, geographical, and transactional risk models to flag or block anomalies.
- Onboarding Risk Scoring: Evaluating customer risk profiles at the point of onboarding by analysing identity documents, geolocation, IP data, and past patterns.
- Transaction Risk Scoring: Assigning risk scores to each transaction in milliseconds using AI to detect suspicious behaviour, device shifts, or unusual patterns.
- Automated Regulatory Reporting (FRM & STR): Integrating seamlessly with regulatory reporting systems to automate Fraud Risk Monitoring (FRM) and Suspicious Transaction Reports (STR) for the FIU (Financial Intelligence Unit) and Central Bank.
- Advanced Behavioural Profiling, Alerts, and Case Management: Building user-level profiles to spot deviations and create alert workflows for investigation, improving fraud prevention and recovery efficiency.
- Zero-Code Self-Service Fraud Rules Builder: Enabling risk teams to rapidly deploy or adjust rules without developer input, improving agility in responding to new scam trends.
- Regulatory Compliance with FIU & Central Bank: Ensuring that all processes are compliant with mandatory guidelines from regulatory bodies like the RBI and FIU-IND.
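A sketch of the transaction risk scoring and behavioural profiling listed above, added here as an illustration and not taken from BANKiQ or any FRM product. The signal names, weights, thresholds and sample VPAs are assumptions; the signals themselves (device shift, unknown payee, collect request, amount deviation, many small debits to one payee) are the ones this article describes.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Illustrative weights and thresholds: assumptions, not regulatory or vendor values.
WEIGHTS = {"device_shift": 30, "new_payee": 15, "collect_from_unknown_payee": 25,
           "amount_deviation": 20, "small_value_fan_in": 40}
SMALL_AMOUNT, FANIN_PAYERS, WINDOW_S, REVIEW_AT, BLOCK_AT = 200.0, 3, 3600, 40, 70

@dataclass
class Profile:  # per-payer behaviour learned from transactions that were not blocked
    devices: set = field(default_factory=set)
    payees: set = field(default_factory=set)
    amounts: list = field(default_factory=list)

class RiskEngine:
    def __init__(self):
        self.profiles = defaultdict(Profile)
        self.small_debits = defaultdict(deque)  # payee -> (ts, payer) of low-value debits
    def score(self, txn):
        p, reasons = self.profiles[txn["payer"]], []
        if p.amounts:  # deviations only mean something once the payer has history
            if txn["device"] not in p.devices:
                reasons.append("device_shift")
            if txn["payee"] not in p.payees:
                reasons.append("new_payee")
                if txn["type"] == "COLLECT":  # payee-initiated request, e.g. a fake "refund"
                    reasons.append("collect_from_unknown_payee")
            if txn["amount"] > 5 * sum(p.amounts) / len(p.amounts):
                reasons.append("amount_deviation")
        if txn["amount"] <= SMALL_AMOUNT:  # many payers, one payee, small sums
            q = self.small_debits[txn["payee"]]
            q.append((txn["ts"], txn["payer"]))
            while txn["ts"] - q[0][0] > WINDOW_S:  # assumes timestamps arrive in order
                q.popleft()
            if len({payer for _, payer in q}) >= FANIN_PAYERS:
                reasons.append("small_value_fan_in")
        total = sum(WEIGHTS[r] for r in reasons)
        action = "BLOCK" if total >= BLOCK_AT else "REVIEW" if total >= REVIEW_AT else "ALLOW"
        if action != "BLOCK":  # a blocked attempt must not teach the profile
            p.devices.add(txn["device"])
            p.payees.add(txn["payee"])
            p.amounts.append(txn["amount"])
        return action, total, reasons

def demo():  # constructed stream of sample transactions, not real data
    rows = [(0, "asha@upi", "grocer@upi", 450, "d1", "PAY"), (60, "asha@upi", "grocer@upi", 500, "d1", "PAY"),
            (120, "asha@upi", "refunds@upi", 4999, "d9", "COLLECT"), (200, "u1@upi", "tiny@upi", 49, "a", "PAY"),
            (260, "u2@upi", "tiny@upi", 49, "b", "PAY"), (320, "u3@upi", "tiny@upi", 49, "c", "PAY")]
    engine, keys = RiskEngine(), ("ts", "payer", "payee", "amount", "device", "type")
    return [engine.score(dict(zip(keys, r))) for r in rows]
```

In the sample stream the collect request from an unknown payee on a new device is blocked, while the third small debit to the same payee is only sent for review, because each payer-side view of that transaction looks normal and the pattern is visible only on the payee side.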
2. Employee and Institutional Preparedness
Organisations need to train their employees to stay vigilant and ahead of the curve so that they can identify and resist fraud, alert the appropriate officials, and take proper action to mitigate it.
- Regular training on current fraud tactics and response protocols.
- Establishment of internal SOPs for fraud response, ensuring quick and consistent action when fraud is detected.
- Internal Fraud Escalation Dashboards to track high-risk accounts, repeated complaints, and real-time alerts.
- Standardised timelines and formats that banks must follow for reporting digital frauds, suspicious transaction reports (STRs), and high-risk events to the Reserve Bank of India (RBI) and the Financial Intelligence Unit.
3. Best Practices for Customers
1. Download UPI Apps Only From Official App Stores
Avoid third-party APKs or suspicious download links that could carry malware or spyware.
2. Keep Mobile Devices And UPI Apps Updated
Security patches and app updates often address critical vulnerabilities. Outdated apps are easier targets.
3. Avoid Using Public Wi-Fi Networks
Public connections are vulnerable to man-in-the-middle attacks that can intercept credentials and UPI requests.
4. Block Transactions After A Suspicious Pattern
Users should immediately report strange activity. Some apps offer “block new payee” or “pause account” options for suspected compromise.
BANKiQ: Your Payment Security Partner
By keeping pace with evolving technologies and leveraging the analytical expertise of its specialists, BANKiQ protects banks, issuers, acquirers, bankers, lenders, FinTech – Payment Gateway Providers, Payment Aggregators & Merchant Acquisition Fintechs against financial fraud. Its FRM (Fraud Risk Management) solution takes risk management and governance to the next level by detecting multi-channel fraud through Deep Learning, AI, Customer and Transactional profiling, etc. Investing in a proactive fraud risk management solution like BANKiQ’s FRM helps financial institutions to analyse, identify, alert on, and prevent fraudulent activities.
Conclusion: A Call for Proactive Defence
Most scam techniques work only because of ignorance, greed, or carelessness on the part of users. Financial institutions need to equip themselves with robust security systems involving real-time AI and deep learning and bespoke analytics, along with expert supervision, to protect their organisation and its customers. As new technologies and tactics are born every day, it is high time that financial institutions took proactive measures to gain the trust of their customers and stakeholders and to protect themselves from monetary fraud.