UPI Payment Fraud in India 2026 — Legal Remedies and How to Report (Lucknow/UP)

Advocate Akhil Singh

Tags: UPI fraud, digital payment fraud, PhonePe fraud, GPay fraud, online banking fraud, IT Act, cyber crime complaint, 1930 helpline, RBI guidelines, zero liability, lucknow, uttar-pradesh, india

This article is for educational and legal awareness purposes only. It does not constitute legal advice or solicitation. Please consult a qualified advocate for advice on specific legal matters.

Introduction

India’s UPI processed over 16 billion transactions per month in 2025. With this scale, UPI-related frauds have risen sharply — the Finance Ministry informed the Lok Sabha that 6.32 lakh UPI fraud cases amounting to Rs 485 crore were reported in the first half of FY 2024–25 alone. This article covers the common types of UPI fraud, applicable legal provisions, the RBI framework for customer liability, and the step-by-step procedure for reporting and seeking redress.

Common Types of UPI Fraud

Vishing (Voice Phishing)

Fraudsters impersonate bank officials, UPI app customer care executives, or government officers and call victims to extract UPI PINs, OTPs, or account credentials. A common script involves claiming that the victim’s KYC is incomplete and the account will be suspended unless credentials are shared immediately.

Victims receive SMS messages or emails containing links to fake banking portals or counterfeit UPI apps. These pages are designed to harvest login credentials and UPI PINs. Fake customer care numbers appearing in internet search results are another variant — callers are tricked into sharing sensitive information.

QR Code Scams

Fraudsters send QR codes to victims, claiming the victim needs to scan the code “to receive money.” In reality, scanning the code and entering the UPI PIN authorises an outgoing payment. Another variant involves replacing genuine merchant QR codes at shops with fraudulent codes that redirect payments to the scammer’s account.

Fake Collect Requests

Scammers register UPI IDs that mimic trusted entities (such as “refund@okaxis” or “pm-relief@upi”) and send collect requests to victims. If the victim approves the request without verifying, money is debited from their account.
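The QR code and collect-request scams above both depend on the victim not reading the payee's UPI ID, so the check below parses a scanned QR payload and flags a swapped, lookalike, or bait-named payee before any PIN is entered. This is an added example, not code from the article or from any UPI app. It assumes the publicly documented `upi://pay?pa=...&pn=...&am=...` link format (not described on this page); the trusted IDs, bait-word list, and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data, not from the article: payees this user already trusts.
TRUSTED_VPAS = {"cornerstore@okaxis", "citypharmacy@okhdfcbank"}
# Bait words, seeded from the article's "refund@..." and "pm-relief@..." examples.
BAIT_WORDS = ("refund", "relief", "cashback", "kyc", "reward", "support")

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def parse_upi_qr(payload):
    """Parse a upi://pay link (assumed format) into payee ID, name and amount."""
    parts = urlsplit(payload.strip())
    if parts.scheme != "upi" or parts.netloc.lower() != "pay":
        raise ValueError("not a UPI payment link")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "@" not in q.get("pa", ""):
        raise ValueError("missing or malformed payee address (pa)")
    return {"vpa": q["pa"].lower(), "name": q.get("pn", ""), "amount": q.get("am")}

def assess_vpa(vpa, expected=None):
    """Return warnings for a payee or collect-request UPI ID; empty list = no flag."""
    vpa = vpa.lower()
    warnings = []
    if expected and vpa != expected.lower():
        warnings.append("payee differs from expected " + expected)
    if vpa not in TRUSTED_VPAS:
        near = sorted(t for t in TRUSTED_VPAS if edit_distance(vpa, t) <= 2)
        if near:
            warnings.append("lookalike of trusted " + near[0])
        if any(w in vpa.split("@", 1)[0] for w in BAIT_WORDS):
            warnings.append("authority or bait word in ID")
    return warnings

def review_qr(payload, expected=None):
    """Summarise what approving this QR would do, before any PIN is entered."""
    info = parse_upi_qr(payload)
    # A upi://pay link names the payee: approving it sends money out, never in.
    return {"direction": "outgoing", **info,
            "warnings": assess_vpa(info["vpa"], expected)}
```

A merchant can run `review_qr` against a photo-decoded copy of the QR displayed at the counter, passing the shop's own UPI ID as `expected`, to detect a pasted-over code.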

SIM Swap Fraud

Criminals socially engineer telecom providers to issue a duplicate SIM card on the victim’s mobile number. Once they control the number, they intercept OTPs and access the victim’s UPI-linked bank account.

Screen Sharing and Remote Access

Fraudsters convince victims to download remote access apps such as AnyDesk or TeamViewer under the pretext of resolving a technical issue. Once screen sharing is active, the fraudster observes or controls the victim’s device to capture UPI PINs and authorise transactions.

Information Technology Act, 2000

The following sections of the IT Act are relevant to UPI fraud:

  • Section 43 — Unauthorised access to or damage to a computer system; downloading, copying, or extracting data without permission. This section enables civil compensation claims against the offender.
  • Section 66 — Computer-related offences committed dishonestly or fraudulently. Punishment: imprisonment up to three years and/or fine up to Rs 5 lakh.
  • Section 66C — Identity theft, i.e., fraudulent use of the electronic signature, password, or any other unique identification feature of another person. Punishment: imprisonment up to three years and fine up to Rs 1 lakh.
  • Section 66D — Cheating by personation using a computer resource or communication device. Punishment: imprisonment up to three years and fine up to Rs 1 lakh.

Sections 66C and 66D are the primary provisions invoked in UPI fraud cases involving OTP theft, fake customer care impersonation, SIM swap credential harvesting, and screen-sharing scams.

Bharatiya Nyaya Sanhita (BNS), 2023

The BNS replaced the Indian Penal Code (IPC) with effect from 1 July 2024. For offences committed on or after that date:

  • Section 316 BNS (replacing Section 415 IPC) — Definition of cheating.
  • Section 318 BNS (replacing Section 420 IPC) — Cheating and dishonestly inducing delivery of property. Punishment: imprisonment up to seven years and fine.

In practice, FIRs in UPI fraud cases typically invoke both BNS Section 318 (or IPC Section 420 for offences before July 2024) and IT Act Sections 66C and 66D together.

RBI Guidelines on Customer Liability

The RBI’s Master Direction on “Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions” (Circular RBI/2017-18/15, dated 6 July 2017) sets out the liability framework for unauthorised digital transactions.

Zero Liability (Customer Bears No Loss)

The customer bears zero liability when:

  • The unauthorised transaction is caused by negligence or fraud on the part of the bank’s own systems (a third-party breach of the bank’s infrastructure).
  • The customer notifies the bank within three working days of receiving communication about the unauthorised transaction.

Limited Liability (Reporting Within 4–7 Working Days)

If the customer reports the unauthorised transaction between 4 and 7 working days, the maximum liability is capped:

Account Type | Maximum Customer Liability
Basic Savings Bank Deposit Accounts | Rs 5,000
Accounts with transaction limit up to Rs 25,000/day | Rs 10,000
Accounts with transaction limit above Rs 25,000/day | Rs 25,000

Full Liability

The customer bears full loss if reporting is delayed beyond seven working days, or if the loss is due to the customer’s own negligence (such as voluntarily sharing the OTP or UPI PIN).

Bank’s Obligations

  • The burden of proving customer liability lies on the bank.
  • The bank must credit the disputed amount to the customer’s account within 10 working days of notification.
  • Full resolution must be completed within 90 days of the complaint.

Step-by-Step Complaint Procedure

Step 1 — Call 1930 Immediately

The National Cyber Crime Helpline 1930 (toll-free, operated by the Ministry of Home Affairs) should be the first point of contact. Provide: bank name, account number, transaction ID/UTR number, amount, and the fraudster’s UPI ID or phone number. The operator alerts connected banks and digital wallets to freeze the funds before withdrawal. Note the acknowledgement number provided.

Step 2 — Block Your UPI Access

Simultaneously call your bank’s 24×7 customer care number to block UPI access on your account. Use the UPI app’s built-in “Raise Issue” or “Report Fraud” option to flag the transaction.

Step 3 — File Online Complaint at cybercrime.gov.in

Within 24 hours, log in to the National Cyber Crime Reporting Portal and file a formal complaint under the “Financial Fraud” category. Upload screenshots of transactions, the fraudster’s UPI ID, SMS messages, and any other evidence. The complaint is routed to the local cyber crime police unit for investigation.

Step 4 — Notify Your Bank in Writing

File a written complaint with your bank branch (or by email) within three working days of the bank’s transaction alert SMS. This preserves the right to zero liability under the RBI circular. Obtain a written acknowledgement with date.

Step 5 — File an FIR

Visit the nearest police station or cyber crime cell and file a First Information Report (FIR) citing BNS Section 318 (or IPC Section 420 for pre-July 2024 offences) and IT Act Sections 66C and 66D. Insist on an FIR, not merely a non-cognisable report (NCR). If the police refuse to register an FIR, a complaint may be made to the Superintendent of Police (Cyber) or directly to the Judicial Magistrate under Section 175(3) of the Bharatiya Nagarik Suraksha Sanhita (BNSS), 2023.

Step 6 — Escalate if Unresolved

  • NPCI Dispute Redressal: If the bank does not resolve the dispute, file a complaint through the NPCI UPI Dispute Redressal Mechanism or call the NPCI helpline at 1800-120-1740 (toll-free, 24×7).
  • RBI Ombudsman: If the bank does not resolve the complaint within 30 days, file a complaint with the RBI Ombudsman at cms.rbi.org.in.
  • Consumer Forum: If no relief is obtained, the affected person may approach the District Consumer Disputes Redressal Commission under the Consumer Protection Act, 2019 for service deficiency by the bank.

Documentation Checklist

  • Bank statement showing the fraudulent transaction
  • Screenshots of UPI transaction(s) and the fraudster’s UPI ID
  • SMS/email messages related to the fraud
  • Acknowledgement from 1930 helpline and cybercrime.gov.in
  • FIR copy
  • All bank correspondence and acknowledgements

Key Case Law

SBI v. Pallabh Bhowmick (Supreme Court, 2025)

In SLP(C) No. 30677/2024, a victim was deceived into sharing credentials with a fraudster posing as customer support, and Rs 94,204 was siphoned via UPI. The Supreme Court dismissed SBI’s appeal against the Gauhati High Court’s direction to refund the full amount, applying the zero-liability principle under the RBI 2017 circular. The Court observed that banks must remain vigilant and cannot deflect liability to customers where the fraud originates from a third-party system breach.

Hare Ram Singh v. Reserve Bank of India (Delhi High Court, 2024)

In 2024 SCC OnLine Del 8039, a 55-year-old academician received a fraudulent SMS link that triggered two unauthorised transfers totalling Rs 2,60,000. The Delhi High Court set aside the Banking Ombudsman’s order and directed SBI to refund the amount with 9% interest, holding that SBI’s two-factor authentication had failed and the bank had not complied with the RBI’s Master Direction on Digital Payment Security Controls.

Pankaj Nigam v. Union of India (Delhi High Court, 2026)

In a public interest litigation filed in 2026, the Delhi High Court issued notices to the Union of India, RBI, and NPCI on a plea seeking comprehensive guidelines against UPI fraud, inclusion of UPI frauds below Rs 10 lakh in the e-Zero FIR initiative, and a specialised SOP for multi-jurisdictional cyber fraud investigations.

Reporting in Lucknow and Uttar Pradesh

Victims in Lucknow may report UPI fraud at:

The national helpline 1930 and cybercrime.gov.in should also be used, as they trigger the inter-bank fund-freeze mechanism.

Prevention Tips (RBI and NPCI Guidelines)

  • Never share your UPI PIN, OTP, or banking credentials with anyone — banks and NPCI never ask for these over phone, SMS, or email.
  • Receiving money never requires entering a UPI PIN — if someone asks for a PIN to “send” money, it is a scam.
  • Download UPI apps only from official app stores (Google Play Store or Apple App Store).
  • Verify the recipient’s name before confirming any UPI transfer or QR code scan.
  • Do not install remote access apps (AnyDesk, TeamViewer) at the request of unknown callers.
  • Enable transaction notifications via SMS and email, and review bank statements regularly.
  • Check UPI IDs carefully — fraudulent IDs often mimic official handles with minor spelling variations.
  • If contacted by someone claiming to be from a government scheme or bank, independently verify by calling the bank’s published toll-free number.


Disclaimer: The information provided on this website is for general legal awareness and educational purposes only. It does not constitute legal advice, advertisement, or solicitation. No reader should act or refrain from acting based on this information without seeking professional legal counsel. Advocate Akhil Singh and this website are not liable for any actions taken based on the content provided herein.
