UPI and QR Code Fraud in India 2026: Pay vs Receive

Every UPI QR code is a payment request, never a receive flow. If someone tells you to scan a QR or enter your UPI PIN to receive money, refund, lottery winnings, cashback, or a transfer, the action will debit your account, not credit it. NPCI guidance is explicit: UPI PIN is entered only when you are paying. The most common UPI scams in 2026 are the pay-vs-receive QR trap, fake merchant UPI handles routing to mule accounts, fake refund and cashback calls, and fake bank or wallet customer support asking you to install screen-sharing apps. If you sent money to a wrong or fraudulent UPI ID, raise concern in the UPI app, call your bank’s fraud helpline, call 1930, and file at cybercrime.gov.in within 24 hours.

Who this is for

Anyone in India who uses UPI. Most documented UPI fraud victims in 2025 and 2026: small merchants and street vendors, OLX and Facebook Marketplace sellers, college students, senior citizens who recently adopted UPI, professionals on quick lunch transactions, and online sellers receiving advance payments. Per-incident losses are smaller than pig-butchering or digital-arrest cases but the volume is enormous. The patterns are simple to learn and the defences are mostly habits.

The single rule that prevents most UPI fraud

If you remember nothing else: enter your UPI PIN only when you are paying. Never to receive.

UPI is one-way from a debit perspective. Money leaves your account only when you approve a debit with your PIN. Receiving money requires no action from you; the sender enters their PIN on their side, and your app shows the incoming credit. Every scam in this category works by inverting this. The scammer convinces you that you need to scan or PIN-confirm to receive. You think you are receiving. You are paying.

The pay-vs-receive QR trap explained

Every UPI QR code is a request to pay. When you scan, the app reads the code and shows a payment screen: recipient name, amount, Confirm button. Tap Confirm, enter PIN, money goes from your account to the recipient.

There is no QR code in UPI that credits money to you. The payer’s bank needs the payer’s PIN to authorise the debit. A QR that credits you would let a stranger access your bank without consent, which is not how UPI works.

This is the trap. A scammer sends a QR via WhatsApp, Telegram, email, or marketplace chat, claiming it is for a refund, cashback, OLX advance, or recruiter reimbursement. You scan, see a payment screen, miss the direction, and enter PIN. The money is gone. Variants include a collect request labelled “Refund: Tap to receive INR 5000” (tapping opens a debit screen), or a caller telling you to enter PIN to verify your account before they send a refund. Entering PIN never receives money; it only authorises a debit.

Why this is spiking now

UPI volumes have grown faster than awareness. Per NPCI public statistics, monthly UPI transactions in 2025 ran into many billions, with values in tens of lakh crore rupees. As new users join (often older or first-time digital payment users) and as merchants demand UPI even for small amounts, the scam surface grows.

Per I4C and MHA, Indians lost approximately INR 22,495 crore to cybercrime in 2025, up about 24% year on year. Payment fraud forms a significant share of the case volume. NPCI in 2025 to 2026 has introduced multiple safeguards including per-transaction caps for new beneficiaries. The I4C portal, NPCI safety guidance, and CERT-In advisories on screen-sharing malware carry the official guidance.

Real Indian UPI fraud cases

Street vendor pay-vs-receive trap, 2024 to 2025. Cases reported across Bengaluru, Mumbai, Delhi, Hyderabad of vendors losing INR 5,000 to INR 50,000 when a customer claims payment failed and asks the vendor to scan a QR for a refund. Pattern documented in multiple Indian press accounts and consistent with NPCI and I4C advisories on UPI collect-request misuse.

OLX seller advance refund scam, ongoing. Seller lists an item, buyer sends a QR code asking the seller to scan to receive the advance. Money debits from seller’s account.

Fake bank or wallet support call, ongoing. Scammer poses as PhonePe, Google Pay, Paytm, or bank support and asks to install AnyDesk, TeamViewer, or QuickSupport to fix an issue. Once installed, the scammer captures the PIN or initiates transactions. CERT-In has issued explicit advisories.

Fake merchant UPI handle, 2025. Customers at small shops, fuel stations, or online stores routed to UPI handles that look like the merchant but route to a mule account.

KYC update phishing. WhatsApp message or SMS claims your UPI or bank account needs immediate KYC update. A phishing link captures UPI PIN, OTP, debit card number, and CVV. SBI, HDFC, ICICI, Axis all issue periodic advisories.

Festival reward scam. WhatsApp message claims a free gift from a brand and asks to share OTP or enter UPI PIN. Both lead to debit.

Senior citizen UPI introduction scam. Young person at a shop or bus stop offers to help an older citizen set up UPI. During setup, they capture the PIN or initiate a transfer.

The 5 most common UPI scam patterns

1. The pay-vs-receive QR trap (largest volume)

Already covered above. Anyone who tells you to scan a QR code to receive money is running this trap. The defence is one habit: do not scan QR codes to receive. Receivers do not scan anything.

2. The fake merchant UPI handle

You pay at a shop or online and the payment goes to a UPI handle that looks like the merchant name but routes elsewhere. The merchant does not receive payment. The customer is asked to pay again or sometimes pays both the scammer and the merchant.

Defence: before paying, verify the recipient name shown on the UPI app screen. If you are paying Anand Tea Stall, the screen should show Anand Tea Stall or a name that matches. If it shows a generic name or a personal name that does not match, do not approve.

3. The collect request scam

The scammer sends you a UPI collect request. The notification on your phone says “Request for INR 5000 from rahul@okhdfcbank with note Refund.” If you misread the request and approve, money goes out. UPI collect requests are debit-pull requests; approving them sends money to the requester.

Defence: never approve a collect request you did not expect. Read the notification fully. If you are confused, decline.

4. The fake customer support and screen-sharing app

A scammer calls posing as bank, wallet, or UPI app support and asks you to install AnyDesk, TeamViewer, or QuickSupport to fix an issue. They then either watch the screen or take control. They capture the PIN or initiate transactions.

Defence: no legitimate bank or UPI app support will ask you to install a screen-sharing app. CERT-In has issued explicit advisories. If a caller asks for this, hang up and call the bank’s known customer care number on the back of your debit card.

5. The KYC update or reward phishing

WhatsApp message, SMS, or email asks you to update KYC or claim a reward. Link leads to a phishing page that captures UPI PIN, OTP, debit card data, or installs malware.

Defence: banks and UPI apps do not send KYC updates via WhatsApp or SMS links. They notify inside the app. If unsure, open the bank app directly, not via the link.

How to verify before paying (5 step habit)

Build this into every payment.

1. Confirm you are paying, not receiving. If money is coming to you, you do nothing. The sender pays. If a step is being asked of you, you are paying.
2. Check the recipient name on the confirmation screen. The name comes from the recipient’s bank account. If you are paying Anand Tea Stall and the screen shows Pankaj Kumar, stop.
3. Check the amount. Editable QR codes can be pre-filled with a larger value than you intend.
4. Pause if anything feels off. Wrong name, unexpected QR, urgency, a stranger guiding the transaction, or a customer support call. Slowing down breaks the script.
5. Enter PIN only after confirming. Treat the PIN as a deliberate act, not a reflex.

NPCI safe-use guidance summarised

From npci.org.in/safe-digital-payments, distilled for everyday use: UPI PIN is required only for paying, never to receive. Never share PIN, OTP, debit card details, or CVV with anyone (including supposed bank or app support). Never install screen-sharing apps at the request of customer support. Verify the recipient name before approving. Decline unknown collect requests. Use only Play Store or App Store downloaded apps. Set transaction limits for new beneficiaries. Raise Concern on any disputed transaction immediately inside the UPI app. Keep your phone locked with PIN, fingerprint, or face ID. Update the app and OS regularly. These basics prevent most UPI fraud when followed.

What to do if you sent money to a wrong or fraudulent UPI ID

The first 30 minutes matter most. The first 24 hours are still meaningful. After that, recovery odds drop sharply.

1. Open the UPI app and use Raise Concern or Report Issue on the transaction. Most apps including PhonePe, Google Pay, Paytm, and bank UPI apps have this option. The transaction reference is logged with NPCI.
2. Call your bank’s fraud or emergency line immediately. This number is on the back of your debit card and inside the bank app. Provide the transaction reference, the recipient UPI ID, and the amount. Banks have fast-track escalation for ongoing fraud.
3. Call 1930. The national cybercrime helpline, 24x7. They escalate to local cyber cells and to banks.
4. File at cybercrime.gov.in within 24 hours. The acknowledgement number is used by banks to formally freeze the recipient mule account if flagged.
5. Preserve all evidence. Screenshots of the transaction, the QR code if you scanned one, the chat or message that led to the transaction, the caller’s number if it was a call-driven scam.
6. Do not pay any recovery fee. If anyone (including someone claiming to be police, bank, or recovery agency) asks for a fee to recover your money, it is a second-layer scam.
7. Tell your family. Hiding the loss accelerates harm and prevents help.

Recovery via UPI dispute resolution and bank escalation is possible but partial, and depends on speed.

The legal framework that protects you

UPI fraud triggers BNS 318 (cheating), BNS 336 (forgery), IT Act 66C and 66D (identity theft and cheating by personation), IT Act 43 and 66 (unauthorised access), the Payment and Settlement Systems Act 2007, and RBI’s Master Direction on Digital Payment Security Controls. RBI guidance on customer liability in unauthorised electronic transactions: if you report fraud within 3 working days and the loss is not due to your sharing PIN or OTP, your liability is limited and the bank bears the rest. The window matters; report fast.

If this happened to you

If you sent money to the wrong UPI ID, scanned a fraudulent QR code, or were tricked into approving a transaction, these channels are free and operate 24x7.

• 1930. National cybercrime helpline operated by I4C under MHA. 24x7. Available across India.
• cybercrime.gov.in. Online complaint portal. File within 24 hours for fastest mule-account freeze.
• Your bank’s fraud or emergency line. On the back of your debit card. Report within 3 working days to limit your liability per RBI guidance.
• Raise Concern or Report Issue inside the UPI app on the specific transaction. NPCI dispute resolution begins from here.
• Cybersecify WhatsApp helpline: +91 99644 43350. Free verification for citizens. Send the QR code image, the suspicious UPI ID, the message that led to the transaction, or a brief description. We tell you whether it matches a known scam pattern and what to do next, in plain language.
• Email: contact@cybersecify.com. For longer evidence packages.

Save the WhatsApp number now. During an active scam, you will not have time to search.

You are not the first, and you are not alone

UPI is the largest real-time payment system in the world. The volume that makes it useful also makes it the target of constant scam innovation. Per I4C, Indians lost approximately INR 22,495 crore to cybercrime in 2025, with payment fraud forming a significant share of the case volume. Vendors, students, professionals, founders, and senior citizens all show up in the loss data. The scammers run scripts at industrial scale. The defence is a small set of habits applied consistently: PIN only when paying, verify the recipient name, decline unknown collect requests, ignore reward and KYC link prompts, and refuse any request to install a screen-sharing app.

The shame belongs to the scammer. The response that protects you is to follow the five-step verify-before-pay habit, save the 1930 and cybercrime.gov.in numbers, and report immediately if a transaction goes wrong.

We also publish related guides: traffic challan SMS scam, SMS task scam cluster, digital arrest scams, and fake loan app scams.

Foundational reads. The anchors behind every guide on this site.

• The First Hour After Cyber Fraud in India. What to do in the first 60 minutes after you realise you have been scammed.
• Pause, Verify, Then Act. The universal three-rule defence against every scam type.
• Your Digital Footprint Is the Scam’s Raw Material. Why scammers already know your name, employer, and bank.

Frequently asked questions

Can scanning a QR code take money out of my account?

Yes. Every UPI QR code is a payment request. When you scan and approve, money leaves your account. There is no such thing as a QR code that credits money to you; receivers do not need to scan anything. If anyone asks you to scan a QR code to receive a refund, lottery winning, cashback, or transfer from them, it is a scam. They are sending you a payment-out request disguised as a receive-money flow. NPCI guidance is explicit: enter your UPI PIN only when you are paying, never when you are receiving.

What is the most common UPI fraud pattern in 2026?

The pay-vs-receive QR trap, followed by fake merchant UPI handles and refund or cashback scams. A scammer convinces you to scan a QR code or approve a collect request, telling you the action will credit money to you. The action actually debits your account. Other common patterns: fake customer service numbers that pose as bank or wallet support and ask you to install screen-sharing apps; UPI handles that look like a real merchant but route to a mule account; OTP and UPI PIN phishing via fake KYC update calls. Per NPCI and I4C advisories, payment fraud forms a major share of India’s cybercrime case volume.

If someone has my UPI ID, can they take money from me?

No, not by itself. Your UPI ID alone (something like name@bank or 9876543210@upi) is like a public address. Anyone who knows it can send you money or send you a collect request, but they cannot debit your account without you approving the transaction with your UPI PIN. The risk is that they send a collect request you misread as a payment to you, or they socially engineer you into entering your PIN. Never enter your UPI PIN to receive money. Never share your PIN with anyone, including bank staff or customer support.

What should I do if I sent money to a wrong or fraudulent UPI ID?

Act within minutes. Open the UPI app and use Raise Concern or Report Issue on the specific transaction. Most major UPI apps have this option. Call your bank’s fraud helpline immediately and provide the transaction reference. Call 1930 and file a complaint at cybercrime.gov.in within 24 hours. NPCI’s dispute resolution mechanism gives banks a window to attempt reversal, especially if the recipient account is flagged as a mule. Speed of reporting is the single biggest factor in recovery. Once the funds are withdrawn or moved through layered accounts, recovery odds drop sharply.

Is UPI itself unsafe?

UPI as a payment rail is secure. The risk is not in the technology but in social engineering around it. NPCI has built in multiple safeguards: UPI PIN required for every debit, transaction limits, beneficiary checks, and dispute resolution. Most fraud cases involve users being tricked into approving a debit, entering a PIN at the wrong moment, sharing OTPs, or installing malicious apps that capture credentials. Following NPCI’s safe-use guidance prevents the vast majority of UPI fraud. The four-line summary: PIN only when paying, never to receive, never share with anyone, verify the recipient name before approving.