UPI FRAUDS: A CYBER LAWYER’S GUIDE TO UNDERSTANDING, RESPONDING AND RECOVERING MONEY

Introduction
Pattern or modus operandi of UPI frauds
Responding to UPI fraud attempts
Recovery
What does RBI say?
Common mistakes by victims

The Unified Payment Interface (UPI) has transformed the way e-commerce is conducted in India and made digital payments effortless. Post-pandemic, India’s digital adoption surged but also triggered an explosion of sophisticated cyber frauds. Several reports indicate that working professionals, homemakers, students, senior citizens are losing their money to UPI scams. The fraudsters are employing innovative and dubious methods to con people of their money. In my practice, I assist victims who have fallen prey to such frauds. Here’s my guide to understanding, responding, and recovering money.

Interestingly, Bengaluru tops the list of cyber frauds among South Indian states. The predominant reasons are that Bengaluru houses a tech-savvy population. It is also home to a large migrant population, and all e-commerce marketplaces thrive here. The pattern or modus operandi of UPI frauds remain more or less the same:

Vishing calls (Voice Phishing):

Victims are usually targeted by fraudsters after basic profiling either through telephonic calls or social media messaging.
The fraudsters usually pose as bankers/ insurance agents/ police or other government officials to appear credible.
The fraudsters share basic details of the victim such as name, contact number, address, date of birth, etc., to appear credible. These details are usually scraped from social media or online presence.
Once they manage to gain the victim’s trust, the victim is lured with receiving a cashback/prize/money/insurance amount.
The victim is then asked to enter the UPI PIN to ‘receive’ money. In reality, a collect request is sent to the victim via a UPI app.
The fraudster then asks the victim to enter the UPI PIN.
The victim being unaware of the fact that a UPI PIN is not required to receive money, enters his UPI PIN. The victim’s money is instantly debited from his account.

QR Codes Fraud:

The fraudster sends a QR Code claiming it will facilitate receipt of money.
The victim scans the QR Code to receive money and enters the UPI PIN.
The victim’s money gets instantly debited from his account.

SMS and Phishing Fraud:

The fraudsters convince the victims to send an encrypted SMS to a specific number (the fraudster’s UPI registration number).
This binds the victim’s mobile number to the fraudster’s device.
The fraudster then sends phishing links to get the victim’s UPI PIN.
Once the UPI PIN is compromised, the fraudsters drain funds instantly.

Remote Access Fraud, Social Media Impersonation Fraud is less common today due to increased public awareness, but still prevalent enough to cause losses if vigilance slips.

The mantra used by fraudsters is quite simple: the faster the victim panics, the greater the loss. These scams unfold within minutes and the victim seldom gets an opportunity to think before acting. The most common thing that I hear from victims: “I did nothing wrong, yet I was instantly manipulated”.

Responding to UPI fraud attempts:

The best and the most successful way is to not fall prey to any pattern of UPI frauds. The mantra to be followed by the victims is extremely simple: Slow down, think, do not panic, and refrain from acting on the fraudster’s instructions.

Recovery:

Contrary to the popular belief, there is no fixed golden window of 24 hours or 12 hours for recovery of money lost. The sooner the reporting, the higher the chances of recovering the money.

Dial 1930. This is the National Cybercrime Helpline.
Immediately file a complaint on the National Crime Reporting Portal www.cybercrime.gov.in.
Notify your bank in writing (preferably through e-mail) mentioning the date and time of fraud, UTR number, amount lost, and NCRP complaint number.
Preserve all evidence.
Lodge a police complaint in your nearest cybercrime police station.

Can money lost be actually recovered?

Yes. Recoveries are possible. They depend on:

Speedy complaint
Quick co-ordination between banks
Accuracy and completeness of documentation.

What does RBI say?

The RBI classifies customer liability into two categories:

Zero Liability:

Contributory fraud/ negligence/ deficiency arises on part of the bank, notwithstanding the customer reporting the transaction.
Third party breach, where the deficiency lies neither with the bank nor with the customer but elsewhere in the system, and the customer notifies the bank within three working days of receiving communication from the bank regarding the unauthorised transaction.

In such cases, the customer is entitled to zero liability.

Limited Liability:

If a customer is negligent (for e.g., sharing payment credentials) leads to loss, the customer is responsible for the loss until it is reported to the bank. After the report, the liability passes to the bank.
If a third-party breach occurs (not the bank’s or customer’s fault) and the customer delays reporting beyond three days and within seven days, the customer’s liability is limited to a capped amount as per RBI Rules or the value of the transaction, whichever is lower.
If the delay in reporting exceeds seven days, the customer may have to bear greater liability, as per the bank’s board approved policy.

For more details, please see the RBI circular available at: https://www.rbi.org.in/commonman/english/scripts/Notification.aspx?Id=2336

Common mistakes by victims:

Delaying action “to check/confirm with the bank tomorrow”.
Approaching the bank directly without calling 1930 or filing complaint on NCRP.
Deleting chats, screenshots, logs, etc.
Lodging vague, incomplete or emotional complaints.

Digital payments are here to stay, and UPI will continue to power most of our daily transactions. The real defence against fraud lies not in fear, but in awareness and disciplined habits. By slowing down, verifying before acting, protecting our PINs and OTPs, and limiting what we share online, we build strong “cyber health” for ourselves and our families.

Disclaimer: This article is intended for educational purposes only and does not constitute legal advice.

Vishnu Vinayak C R

Disclaimer & Confirmation

As per the rules of the Bar Council of India, lawyers and law firms are not permitted to solicit work or advertise in any manner.

By accessing this website of Ravi & Jana, you acknowledge that there has been no advertisement, personal communication, solicitation, invitation, or inducement of any sort whatsoever by Ravi & Jana or any of its partners or members to solicit any work through this website.
You wish to obtain information about Ravi & Jana for your own information and personal use only.
The information provided on this website is made available at your specific request and any information obtained or materials downloaded from this website are entirely at your own discretion and volition.
Your access to or use of this website, including the transmission, receipt, or use of any information contained herein, does not create a lawyer–client relationship between you and Ravi & Jana.
Ravi & Jana shall not be liable for any consequences arising out of any action taken by you relying on the information or material provided on this website.
If you have any legal issues, you must, in all cases, seek independent legal advice from a qualified legal professional.

This website uses cookies to enhance user experience. By continuing to browse or use this website, you consent to the use of cookies in accordance with applicable laws.

I AGREE I DISAGREE

RAVI & JANA

ADVOCATES

UPI FRAUDS: A CYBER LAWYER’S GUIDE TO UNDERSTANDING, RESPONDING AND RECOVERING MONEY

Table of Contents

Vishing calls (Voice Phishing):

QR Codes Fraud:

SMS and Phishing Fraud:

Responding to UPI fraud attempts:

Recovery:

Can money lost be actually recovered?

What does RBI say?

Zero Liability:

Limited Liability:

Common mistakes by victims:

Ravi & Jana | Advocates

Useful Links

Quick Links

Contact Us