Understanding the Safe Use of UPI | AU Small Finance Bank

Understanding the Safe Use of UPI

    Unified Payment Interface (UPI) is one of the fastest-growing and most widely accepted payment modes in India. It is the most secure payment method for carrying out transactions, each authorized only by a PIN, i.e. the UPI PIN set by the customer.

    Here’s how UPI functions
    • UPI works on the concept of a virtual payment address called UPI ID
    • Bank accounts can be mapped to a unique UPI ID
    • Payments can be made using an account number, mobile number, and UPI ID

    UPI has many benefits
    • The use of a UPI ID or QR code affords interoperability and makes one-click payment possible.
    • Funds transfers can be initiated by either the payee or the payer.
    • UPI eliminates the need for exchanging sensitive information, such as bank account numbers, one-time passwords (OTPs), or phone numbers during a financial transaction.

    Staying Clear Of UPI Frauds

    Fraudsters usually trick customers through social engineering, pressing them to part with their bank credentials. They misinform people that their banking service may get deactivated, or that they may miss out on refunds, redemption of reward points, lucrative offers, etc.

    Some customers post their contact numbers with their complaints on social media platforms, which fraudsters can misuse.

    Phishing is another way UPI fraud happens. Fake URLs that look almost identical to the original URLs of banks or e-shopping portals are sent through SMS or alongside claims of fake rewards. If a customer clicks on such a link, they are directed to the UPI payment app installed on their phone and asked to select an app for debit. Once the customer provides permissions and enters their UPI PIN, money is debited from their bank account instantly.

    Similarly, wrong customer care numbers can also be dangerous. Calling random unofficial numbers found through search engines or other unofficial communications may connect the customer to fake call centers run by criminals.


    A detailed look at how UPI Frauds happen

    Remote access tool (RAT)

    1. This fraud occurs when customers grant remote access to their device to the fraudster.
    2. The victim shares RAT credentials through which the fraudster gains access to the victim’s mobile.
    3. The victim also shares App access passcodes along with banking credentials.
    4. The fraudster is now in control of the victim’s device and credentials.
    5. The fraudster executes transactions using the victim’s device and compromised banking credentials.
    6. Victims remain unaware of the fraudulent debits until they receive a later notification or check their bank statements.

    Fake Collect request / Self-initiated

    1. The impostor sends a “Collect Request” to the victim and asks him/her to enter a UPI PIN in order to receive a payment.
    2. At this point, you must keep in mind that the UPI PIN is required only for authorizing a payment online; it is not necessary when you are receiving funds or collecting offers from the UPI app.
    3. Sometimes, even the UPI ID from which the victim receives a “collect request” is misleading and appears to represent a genuine entity.

    QR Code Fraud

    1. The scam starts with someone putting an item up for sale on an online sale website. Fraudsters pose as buyers and share QR codes over WhatsApp, asking the victim to scan the code to receive money in advance.
    2. Believing the fraudster, victims scan the code and presume that they will receive money in their account, but they end up losing money instead.
    3. One should remember that QR codes should be scanned only to make payments and not for receiving money.

    SIM Swap frauds – also known as SIM hijacking

    1. Here, the fraudster procures a blank SIM card issued against the victim’s registered mobile number via the mobile service provider.
    2. The victim is convinced to text the 19/20-digit new SIM number to the service provider. Once the victim shares the information, the services on his/her existing number stop entirely.
    3. Now, the fraudster can obtain OTPs with the new SIM to conduct fraudulent transactions on the victim’s accounts using the banking details obtained via Phishing / Vishing tactics.
    4. If your mobile number is inactive / out of range, inquire with your mobile operator immediately.

    Dos & Don’ts related to UPI


    Don’ts

    • Never download any screen sharing apps or SMS forwarding apps when asked to by an unknown person and without understanding what the app does. Such apps make it possible for messages containing OTPs, PINs, passwords and card credentials to be read or tapped into, even remotely.
    • Never post personal and confidential information on social media platforms.
    • Never forward an SMS at the behest of an unknown person.
    • Never share details such as Debit Card credentials, OTPs or UPI PIN with anyone or on unverified links.
    • Never share your UPI PIN if you are asked to receive or collect money.
    • Avoid carrying out transactions while speaking with a third party on a call.

    Dos

    • Enter UPI PIN ONLY for making a payment from your bank account. Never enter UPI PIN for receiving funds.
    • Scan QR code for payment only and NOT for receiving money.
    • Always obtain contact details/customer service number from the official website of the service provider only and not through search engines.
    • Always check for in-app notifications from UPI Apps while doing a transaction.
    • Always use a verified UPI app for making an online payment.
    • Always verify the beneficiary or receiver’s details before entering a PIN.
    • If your SIM is deactivated, immediately contact your mobile operator and inquire.

    In UPI, you enter UPI PIN only to pay, not to receive. To know more, watch the video ‘Stay Protected from UPI Frauds’.

    If you encounter any suspicious activity on your account, report it immediately to our Customer Care at 1800 1200 1200 or visit the nearest AU Small Finance Bank branch. Never share your OTP, PIN, password or card credentials with anyone, even if the person claims to be a Bank employee.