Stay Secure While Using UPI: Key Steps to Avoid Payment Frauds

Unified Payments Interface (UPI) transactions climbed sharply in May 2025, reaching 18.68 billion in count and totaling Rs 24.77 lakh crore. That represents a year-on-year rise of 33 percent in transaction numbers and 23 percent in value, according to data released this week. While the surge underscores the country’s pivot to digital payments, it also highlights an uptick in cyber frauds that eat into consumer confidence and provider margins.

RBI data does not isolate losses from UPI-specific scams, but card, internet and digital payment frauds combined resulted in Rs 107.21 crore in losses during the 2024-25 fiscal year (up to December 2024). By comparison, the previous fiscal year saw Rs 177 crore lost, and in 2022-23, losses stood at Rs 69.68 crore; all figures cover frauds exceeding Rs 1 lakh per incident. During 2022-23, banks reported 6,699 such high-value cybercrimes. That number jumped to 29,082 in 2023-24, and in the first nine months of 2024-25, 13,384 were logged. Over the past decade, total fraud losses in digital payments have amounted to Rs 733.26 crore, as reported by Minister of State for Finance Pankaj Chaudhary on March 10, 2025.

With transaction volumes scaling new heights, fintech firms and banks have layered security measures to mitigate risks. “Our system applies AES-256-bit end-to-end encryption on all user data,” said Vijay Khubchandani, founder and chief executive of Seven, a startup building smart rings that process UPI payments. “Beyond encryption, we enforce multi-factor authentication using one-time passwords and biometric verification.” According to Khubchandani, real-time monitoring tools scan for suspicious activity, aiming to detect anomalies before a breach occurs.

Risk advisory experts point to evolving tactics by cybercriminals. “Growth in digital payments brings complexity and broader attack surfaces,” said Tarun Kher, partner in Risk Advisory Services at BDO India. “Fraudsters employ phishing schemes, fabricate payment handles, hijack OTPs and even leverage AI-driven impersonation. Their victims span individual users, businesses and intermediaries.” Kher added that auditors are crucial to identifying vulnerabilities. “Every transaction leaves a data trail; each touchpoint can become a potential exploit. Auditors must evaluate application interfaces, network security and cloud configurations to build a resilient ecosystem.”

Third-party platforms and cloud vendors often underpin payment rails, creating interdependencies. A security lapse in one provider’s infrastructure can ripple across the entire chain, Kher cautioned. “Due diligence on vendor practices and contractual data-security clauses is vital to minimise exposure.”

As UPI becomes ubiquitous—operating seamlessly across BHIM, Google Pay, PhonePe and other apps—consumer awareness remains critical. Financial crime units recommend the following precautions:

* Do not click or install links received via SMS, WhatsApp or email unless you verify the source. Even a single tap on a malicious URL can expose financial credentials.

* Confirm the recipient’s identity before initiating any transfer. Once funds leave your bank account, recovery is extremely challenging.

* If you suspect a cybercrime, freeze your UPI ID immediately and notify your bank. Early action can limit further loss.

* Under no circumstances should you share one-time passwords or PINs with anyone—not even bank officials.

Despite incremental fraud losses, industry stakeholders note that the percentage of compromised transactions remains low relative to overall volumes. Still, as digital payments scale into previously untapped rural and semi-urban markets, providers say they will continue to strengthen security layers and educate users to keep pace with fraudsters’ tactics.