P2P scams: How they can drain your money through UPI in just seconds

Even with scams like these on the rise, the National Payments Corporation of India (NPCI) says UPI is still secure. New tricks keep popping up, though—like the “jumped deposit” one, where scammers fake a payment, show a bogus screenshot, and ask for it back.

To understand the tactics scammers use  better, indianexpress.com spoke with cybersecurity expert Shubham Singh. He explained the methods behind these frauds, the warning signs to watch for, and the different types of P2P (peer-to-peer) scams that unsuspecting victims should be aware of.

What are P2P payment frauds?

“P2P payment frauds involve scams where fraudsters trick users into sending money or revealing sensitive credentials. With UPI and mobile wallets, these frauds have evolved from phishing emails to sophisticated scams using fake QR codes, fraudulent UPI handles, and social engineering tactics,” said Singh. He listed different types of P2P frauds that happen through Unified Payments Interface (UPI) applications:

🎯Fake UPI apps and phishing websites – Scammers create fake UPI apps and fraudulent banking websites to steal user credentials

🎯QR code scams – Malicious QR codes trick victims into unknowingly approving payments instead of receiving money.

🎯”Request money” scam – Scammers pose as service providers and send fake money request links, deceiving users into sending payments.

🎯Remote access fraud – Cybercriminals use remote access apps to gain full control over a victim’s device, including UPI accounts.

🎯Customer support scams: Fraudsters impersonate bank representatives to steal credentials.

🎯Impersonation scams: Scammers pose as sellers, job providers, or officials demanding money upfront.

“Fraudsters now use AI-generated deepfake voices, WhatsApp & SMS social engineering, and malicious mobile apps disguised as UPI services. They also exploit leaked data from breaches to enhance their scams,” Singh said.

How do scammers exploit UPI?

“Social engineering plays a key role in UPI frauds,” Singh explained. Fraudsters manipulate victims by:

🎯Creating urgency (fake ‘account suspension’ alerts, distressed calls from ‘family members’).

🎯Impersonating banks, government agencies, and job recruiters.

🎯Exploiting user trust to gain sensitive information or initiate payments.

While UPI apps maintain strict security protocols, third-party platforms like Google Pay, PhonePe, and Paytm are targeted frequently due to their widespread use. Fraudsters transfer stolen funds to mule accounts, often converting them to cryptocurrency or moving them abroad to conceal their origin.

Red flags to watch out for:

🎯Unexpected money requests or QR code scans.

🎯Urgent calls or messages from supposed bank officials.

🎯Unknown payment links or SMS messages with login requests.

🎯Deals or cashback offers that seem too good to be true.

🎯Receiving OTP requests for unknown transactions.

Singh said, “Banks and fintech companies use several security measures to prevent fraud. These include AI-driven fraud detection, multi-factor authentication (like biometrics), transaction limits, cooldown periods for high-value payments, real-time fraud reporting systems for blocking suspicious accounts, and blacklisting fraudulent IDs.”

RBI regulations and NPCI guidelines:

The Reserve Bank of India and the National Payments Corporation of India (NPCI) have introduced two-factor authentication, real-time monitoring, fraud reporting mechanisms, and transaction limits, according to Singh.

If the user falls victim to the UPI scam, they can also raise a dispute complaint to NPCI at https://www.npci.org.in/what-we-do/upi/dispute-redressal-mechanism

A user can also report it on the RBI CMS complaint management system. Here is the link: https://cms.rbi.org.in/cms/indexpage.html#eng

What to do if scammed?

🎯Report the fraud to your bank and freeze the account if necessary

🎯File a complaint via NPCI’s portal and the Cyber Crime Helpline (1930)

🎯Inform the UPI platform (Google Pay, PhonePe, Paytm, etc.)

🎯File a complaint at the nearest police station

🎯Monitor accounts for suspicious transactions and change UPI PINs

“Law enforcement agencies use AI-based transaction analysis to trace fraudulent money flows, freeze suspicious accounts, and monitor the dark web for stolen UPI credentials. Cross-border cooperation also helps tackle international fraud,” Singh said.

On future security measures, he added, “Users can expect biometric authentication, AI-driven fraud detection, end-to-end encryption, and blockchain-based identity verification to enhance digital payment security,” and also said, “Public campaigns, including digital safety workshops and social media alerts, help educate users about fraud tactics and improve vigilance.”

Ultimately, safeguarding against the rising tide of P2P and UPI scams demands constant vigilance, a cautious approach to online transactions, and a commitment to staying informed about the latest fraudulent tactics. The onus is on both users and digital platforms to prioritize security, exercise caution in every transaction, and work collaboratively to curb the growing threat of P2P and UPI fraud.

The Safe Side

As the world evolves, the digital landscape does too, bringing new opportunities—and new risks. Scammers are becoming more sophisticated, exploiting vulnerabilities to their advantage. In our special feature series, we delve into the latest cybercrime trends and provide practical tips to help you stay informed, secure, and vigilant online.