UPI & OTP Fraud: How Scammers Empty Your Bank Account — And How to Stop Them
India now loses over ₹1,000 crore every year to UPI and OTP-related fraud. Here's everything you need to know to protect yourself — and your family.
"I just shared one OTP. I didn't think anything would happen." — This sentence has cost Indians thousands of crores. It's time to change that.
India's UPI ecosystem now processes over 21 billion transactions a month — making it the largest real-time payment system in the world. But with every new user who joins, scammers see another opportunity. What makes UPI fraud so devastating is not technical complexity — it is psychology. Scammers don't hack your phone. They convince you to hand them the key.
This blog breaks down exactly how UPI and OTP scams operate, the newest tactics in use right now, and the specific rules that will keep your account safe.
Sources: Ministry of Finance (Parliament data), National Herald India, YourStory
The Real Scale of UPI & OTP Fraud in India
The numbers are staggering — and they almost certainly undercount the real damage. More than 13 lakh fraud cases were reported in 2024–25, with losses exceeding ₹1,000 crore. Experts warn the real scale may be much higher, as many victims do not report incidents due to lack of awareness or fear of stigma.
By early FY26 (up to November 2025), losses had already hit ₹805 crore across 10.64 lakh complaints, driven by UPI's 18.4 billion monthly transactions. The platform's explosive growth is inseparable from the fraud surge — every new user who joins without proper awareness becomes a potential target.
The government acknowledged that fraud cases rose alongside the rapid expansion of digital payments, but pointed to a series of regulatory and technical interventions aimed at containing the damage. On grievance redressal, 22% of reported fraud cases were acted upon within seven days and 92% within 30 days during April–September 2025 — however, only about 6% of fraud chargebacks were successfully recovered, underlining the limits of post-facto remedies once funds have been siphoned off.
This is the key takeaway from the statistics: Once money leaves your account through a UPI fraud, the chances of getting it back are very low. Prevention is not optional — it is your only real protection.
How UPI Fraud Actually Works
Before we look at specific tricks, you need to understand one fundamental truth about UPI that scammers exploit constantly:
The most important thing to know about UPI
- Entering your UPI PIN always means money is going OUT of your account — never coming in.
- Scanning a QR code to "receive" money is a lie. You only scan a QR code to send money.
- Accepting a "collect request" means you are authorizing a payment from your account. Never accept collect requests from numbers you don't recognize.
- An OTP received on your phone is triggered by a transaction. Sharing it hands the transaction over to someone else.
Scammers know these facts better than most users do. Their entire strategy is to create situations where victims unknowingly authorize outgoing payments — believing they are receiving money or verifying their identity.
7 Tricks Scammers Use to Steal Your OTP
The Fake Bank Official Call
Scammers impersonate bank officials or customer service representatives and contact victims via phone calls or messages. They create a sense of urgency by claiming suspicious activity on the account — then ask for the OTP to "stop the transaction." The moment you share it, the transaction they're actually completing is the theft itself.
The Fake Buyer / Seller on OLX or Marketplace
Scammers pose as buyers or sellers on online marketplaces and use QR codes or fake payment confirmations to steal money. A buyer sends a QR code asking the seller to "scan to receive payment" — but scanning it and entering a PIN sends money out, not in.
The Wrong Number OTP Trick
You receive a call stating that an OTP for a transaction has been sent to you because the caller mistyped your mobile number. They then ask you to share this code. In reality, the OTP was generated by their login attempt on your account — sharing it gives them full access.
The Refund / Cashback Trap
Scammers take advantage of refund requests and limited promotions by posing as e-commerce companies or sellers. They promise a refund or bargain and request the OTP received on your phone to "complete it" — then use the OTP to carry out fraudulent transfers from your account.
Screen Monitoring App (Remote Access)
Scammers encourage users to install apps that record screen activity, capturing sensitive information like UPI PINs. These are often disguised as "customer support tools" from fake helpdesks. Once installed, the scammer watches your screen in real time — no need to ask for your OTP at all.
SIM Swap Fraud
Fraudsters obtain a victim's personal data (often from breached KYC databases), visit a telecom store with forged documents, get a new SIM issued, and use it to receive OTPs for UPI transactions. The victim's phone loses signal — by the time they report it, accounts are drained. Average loss in SIM swap cases: ₹2 lakh to ₹25 lakh.
Credit Card Limit Upgrade Scam
Fraudsters call or message customers pretending to be bank executives offering an instant increase in card limit. They say an OTP will be sent to "authorise" the limit enhancement. The unsuspecting customer, thinking it's a standard procedure, shares the OTP — which actually authorizes a transaction draining their account.
Newer Tactics You Probably Haven't Heard Of
Scammers evolve faster than awareness campaigns. Here are tactics that emerged or surged in 2025:
Scammers have recently developed a technique known as the Call Merging Scam, which allows them to defraud people without requesting an OTP at all. They merge your call with an automated banking verification line, tricking your own phone into completing authentication on their behalf. The NPCI has issued specific warnings about this tactic.
Users also believe fraudsters need complex hacking tools — in reality, social engineering, using friendly conversation, fake urgency, and an expert tone, is usually enough to steal OTPs. Scammers also use highly localised strategies: they speak the victim's language, reference nearby landmarks, and mimic customer-care tones, creating a false sense of legitimacy.
🛡 Fell for one of these? You're not alone — and you can still act.
Report Your Scam →Real Stories: Victims Who Lost Money This Way
Aman, a young professional in Pune, listed his old sofa on OLX. A buyer offered to pay online and sent a QR code for payment. Aman scanned the code and entered the OTP he received. Instead of getting paid, he lost ₹15,000.
Lesson: QR codes are for sending money — not receiving it. Ever.
Manoj, a shopkeeper in Hyderabad, got a call offering a pre-approved loan. The caller asked for an OTP to process the application. Minutes later, ₹1.2 lakhs were withdrawn from his account.
Lesson: No legitimate loan process ever requires an OTP from you during the application.
10 Rules That Will Protect You — No Exceptions
Never share your OTP with anyone — ever
No bank, no government official, no delivery agent, no customer support executive will ever ask for your OTP. If they do, it is always a scam.
Entering your UPI PIN means money is leaving — always
Pin entry is not a "verification step." It is a payment authorization. If someone asks you to enter your PIN to receive money, disconnect immediately.
Read every OTP SMS completely before doing anything
The SMS clearly states what the OTP is for — a login, a payment, a password reset. Read it fully. If the action described is not something you initiated, do not share the code.
Reject all "collect requests" from unknown numbers
A collect request is a payment request from your account. Accepting one you didn't initiate sends your money to a stranger. Reject immediately and block the number.
Never install apps suggested by phone callers
AnyDesk, TeamViewer, and similar remote-access tools handed to a scammer give them live view of your screen, including every OTP you receive.
If your SIM stops working without reason — call your bank immediately
Sudden loss of phone signal can mean a SIM swap is underway. Call your bank from another phone and freeze your account until you've verified with your carrier.
Set daily transaction limits on your UPI app
All major UPI apps allow you to set a daily limit. Even if a scammer gains access, they cannot drain your full account in one transaction.
Enable bank notifications for every transaction
Instant SMS and app alerts mean you know the moment an unauthorized transaction occurs — giving you the best chance to call 1930 within the golden window.
Never click UPI-related links in SMS or WhatsApp
Legitimate banks do not send payment or verification links via SMS or WhatsApp. These links lead to phishing pages designed to harvest your credentials.
Teach these rules to parents and senior citizens in your family
Older adults are disproportionately targeted because scammers know they are less familiar with how UPI works. One conversation with your family can prevent a devastating loss.
If You've Already Been Scammed — Act in the Next 60 Minutes
The 24-hour window is real. Cyber police can legally request banks to freeze fraudulent accounts within this period. After 48 hours, the money is typically transferred out in multiple hops and becomes nearly impossible to recover. Act immediately.
Exactly what to do right now — in this order
- Step 1: Call 1930 (National Cyber Crime Helpline, 24/7, toll-free). Report the fraud and request an urgent freeze on the recipient account.
- Step 2: Call your bank's fraud helpline immediately and request a hold on your account or the suspicious transaction.
- Step 3: File a detailed complaint on cybercrime.gov.in with all transaction details, screenshots, and the fraudster's contact information.
- Step 4: Report the fraudster's phone number or UPI ID on the UPI app where the transaction happened (Google Pay, PhonePe, Paytm etc.).
- Step 5: Report to Scam Shield India so we can alert others and add this scam pattern to our community database.
Your Report Can Protect the Next Person
Every UPI and OTP scam that goes unreported is a scammer who gets away and targets another family. When you report your experience to Scam Shield India — even if you didn't lose money, even if you caught it in time — your account becomes a warning that reaches thousands of people across India.
Our community scam database helps us run real-time workshops, publish pattern-based alerts, and give people across all age groups the specific knowledge they need to stay safe. It takes under two minutes to fill our form.
Experienced a UPI or OTP scam?
Your report is confidential. Your story protects others. Help us map active fraud patterns across India and keep our community safe.
Report to Scam Shield India →Free · Confidential · Takes under 2 minutes