UPI Fraud? How to Protect Yourself


India crossed 20 billion UPI transactions in a single month for the first time in August 2025. That milestone reflects just how deeply digital payments have become woven into daily life — from buying vegetables at a kirana store to paying rent and splitting bills with friends.

But with that scale comes a shadow side. As more people transact online, more fraudsters are actively working to exploit them. The good news is that almost every case of UPI fraud in India has one thing in common: the victim was tricked into doing something, rather than having their account technically broken into. Which means the best protection is knowing what those tricks look like.

This guide covers how India’s digital payment ecosystem works today, who’s leading it, and eight practical rules that apply to every UPI app — PhonePe, Google Pay, Paytm, CRED, Amazon Pay, or any other.

India’s UPI Landscape in 2025

The Unified Payments Interface (UPI), developed by NPCI (National Payments Corporation of India), is the backbone of digital payments in India. It lets you send and receive money instantly between any bank accounts, 24/7, through apps on your phone.

As of late 2025, two players dominate the UPI market, with smaller apps sharing the rest:

  • PhonePe — ~45–48% market share by volume, the clear market leader
  • Google Pay — ~35–37% market share, a close second
  • Paytm — ~7%, third place after significant regulatory changes in 2024
  • Others including CRED, Amazon Pay, Navi, and super.money make up the remainder

Together, PhonePe and Google Pay account for over 80% of all UPI transactions in India. Whatever app you use, the safety principles are identical — because they all operate on the same UPI infrastructure.

8 Rules for Safe Online Transactions in India

1. Never Share Your OTP or UPI PIN — With Anyone, Ever

This is the single most important rule, and the source of the overwhelming majority of UPI fraud in India.

Here’s how UPI is designed: you need your UPI PIN to send money. No one can move money out of your account without it. This means that if someone asks you for your OTP or UPI PIN — whether over the phone, via WhatsApp, or in person — they are either a fraudster or someone who has been compromised themselves.

Common fraud scripts designed to get you to share your PIN or OTP:

  • “Your KYC is expiring — share the OTP to keep your account active”
  • “We’re processing your refund — enter your UPI PIN to receive it” (you never need your PIN to receive money)
  • “I’m sending you ₹5,000 — just accept this request” (the “request” is actually a payment request, not incoming money — approving it sends money to them)
  • “Your account will be blocked — verify by sharing the code”

PhonePe, Google Pay, your bank, and NPCI will never ask for your OTP or UPI PIN under any circumstances. There is no legitimate scenario where sharing these is required.

2. Understand the Difference Between Collect Requests and Incoming Money

One of the most common UPI scams exploits a genuine feature: the “collect request.” When someone sends you a collect request through a UPI app, your app shows a prompt asking you to approve a payment. Many victims assume this is them receiving money and tap approve — but approving a collect request sends money to the requester.

Real money coming to you appears automatically in your transaction history — you don’t need to approve anything to receive it. If an app asks you to “approve,” “accept,” or enter your PIN to “receive” money, you are about to send money, not receive it. Stop and verify before proceeding.

3. Never Allow Screen Sharing or Remote Access

Screen-sharing fraud is one of the fastest-growing payment scams in India. A caller posing as bank support or a UPI helpdesk asks you to install a screen-mirroring app — AnyDesk, TeamViewer, Quick Support, or similar — so they can “help” you. Once you share your screen, they can see every OTP that appears on your phone and use it to authorise transactions.

No legitimate bank, PhonePe, Google Pay, or any payment app’s support team will ever ask you to install a screen-sharing app or share your screen. Hang up on any such call immediately.

4. Download Apps Only From Official Sources

Install payment apps exclusively from the Google Play Store or Apple App Store — never from links sent via SMS, WhatsApp, or websites. Fake versions of popular apps like PhonePe and Google Pay have been used to steal login credentials.

When in doubt, go directly to the app store and search for the app by name. Verify the developer name matches the official one before installing.

5. Lock Your Apps and Your Phone

Set up both a phone screen lock and an in-app lock on every payment app you use:

  • Phone lock: Settings → Security → Screen Lock (use fingerprint, face ID, or a strong PIN)
  • PhonePe app lock: Profile → Settings → App Lock
  • Google Pay: Uses your phone’s screen lock by default — ensure it’s set
  • Paytm app lock: Profile → Security Settings → App Lock

This ensures that if your phone is stolen or picked up by someone else, they cannot access your payment apps or initiate transactions.

6. Verify the Recipient Before Every Payment

Before confirming any UPI payment, check the name shown on the confirmation screen. This is especially important when paying by scanning a QR code — fraudsters sometimes place fake QR stickers over legitimate merchant codes to redirect payments to their own accounts.

If you scan a QR code at a shop and the name that appears doesn’t match the shop or its owner, cancel the payment and ask the merchant to verify their code. A few seconds of verification can save you significant money.

7. Enable Transaction Alerts on Your Bank Account

All banks in India offer SMS and email alerts for every debit transaction. Make sure these are enabled for your linked bank account. This gives you real-time visibility into every rupee leaving your account — and means any unauthorised transaction is immediately visible rather than discovered days later.

To enable alerts: contact your bank’s customer care or visit the bank’s official app and check notification settings. Most banks have these enabled by default, but it’s worth confirming.

8. Use Official Helplines — Not Numbers Found on Google

If you face a payment issue and search for a helpline number on Google, be careful. Fraudsters often create fake websites and ads with fabricated customer care numbers for PhonePe, Google Pay, and other apps. Calling these numbers connects you to scammers who will ask for your account details and OTPs under the guise of helping.

Always find support contact details through the official app itself — every payment app has a Help or Support section in its menu. This is the only reliable source for genuine contact information.

If You’ve Been Defrauded — Act Immediately

Speed matters. The sooner you report a fraudulent transaction, the better the chance of recovering funds.

  • National Cybercrime Helpline: 1930 — call immediately to report financial fraud
  • Cybercrime portal: cybercrime.gov.in — file a complaint online
  • Your bank: Call your bank’s 24/7 helpline and request they flag the transaction
  • In-app reporting: PhonePe, Google Pay, and Paytm all have in-app fraud reporting — use these to raise a dispute

Frequently Asked Questions

Q: Which UPI app is the safest to use?
A: PhonePe, Google Pay, and Paytm all operate on the same NPCI-regulated UPI infrastructure with equivalent underlying security. The safety difference between them is minimal — what matters far more is how you use any of them. Following the eight rules above makes a bigger difference than which app you choose.

Q: Can someone hack my UPI account without my UPI PIN?
A: No. Every UPI transaction requires your PIN to complete. Without it, no money can leave your account. The vast majority of UPI fraud happens when users are tricked into sharing their PIN or approving collect requests they misidentify as incoming money — not through technical hacking.

Q: I received a message saying I’ve won a prize and need to pay a small fee to claim it. Is it genuine?
A: No. This is a classic advance-fee fraud. Legitimate prizes do not require you to pay anything to receive them. Any message asking you to pay to “unlock” winnings, a refund, or a reward is a scam — block and ignore.

Q: Is it safe to do UPI transactions on public Wi-Fi?
A: Avoid it where possible. UPI apps use encryption, but public Wi-Fi networks can expose your device to other risks. Use mobile data for financial transactions when you can, and never do transactions on someone else’s phone or a shared device.

Q: How do I know if a QR code is genuine?
A: After scanning, check the name displayed on the confirmation screen before entering your PIN. The name shown is the registered account holder name — it should match the shop or person you intend to pay. If it doesn’t match, don’t proceed.

Conclusion

India’s UPI system is technically one of the most secure payment infrastructures in the world — instant, encrypted, and bank-account-linked. The weak point isn’t the technology; it’s human behaviour under pressure. Fraudsters know this, which is why almost every successful scam relies on urgency (“your account will be blocked”), authority (“I’m calling from your bank”), or confusion (“approve this to receive your money”).

Slow down, verify, and remember the core rule: your UPI PIN and OTPs are yours alone. No legitimate person or institution will ever ask you for them. Keep that boundary firm and you eliminate the vast majority of your fraud risk — regardless of which payment app you use.

Have you come across a new type of scam or have a question about a suspicious transaction? Share it in the comments — it might help someone else avoid the same trap.
