Last updated: April 26, 2026
UPI processed over 100 billion transactions in 2024, and that volume brings fraud: collect-request scams, QR swaps, SIM swaps, OTP scams. This article covers the dominant UPI fraud patterns in 2026, the NPCI-mandated controls, and what banks and PSPs should detect.
The fraud patterns
1. Collect-request scam (most common)
The fraudster sends a UPI collect request dressed up as an "incoming payment confirmation", typically while coaching the victim over the phone. The victim enters the UPI PIN believing money is coming in; in fact a collect request can only debit the approver, and receiving money on UPI never requires a PIN.
NPCI rules (2022 onwards) require that collect requests are never auto-approved and that the app shows the DEBIT vs CREDIT direction clearly. Despite the UI improvements, the social engineering remains effective because the approval happens in real time under the fraudster's guidance.
Detection in the PSP backend: a source VPA whose collect requests are rejected many times in a short window is fraud-suspect.
-- Source VPAs with many rejected collects in the last 24 hours
SELECT source_vpa, COUNT(*) AS collect_attempts, SUM(amount) AS total_attempted
FROM upi_collect_requests
WHERE timestamp > NOW() - INTERVAL '24 hours'
  AND status = 'rejected'
GROUP BY source_vpa
HAVING COUNT(*) > 10;
2. QR-swap fraud
At physical merchants, fraudster places sticker over legitimate merchant QR. Customer scans, money goes to fraudster. Common at petrol pumps, kiranas, restaurants.
Mitigation: dynamic QR (regenerated per transaction and shown on a terminal screen, so there is no printed code to paste over), merchant-side confirmation that the credit has actually landed before goods are handed over (soundbox or app notification), and the verified payee name, resolved from the VPA rather than taken from the QR's own fields, shown in the payment screen.
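As an added example (not from the original article and not any PSP's actual code), the two sides of that mitigation in Python: a merchant-side helper that builds a per-transaction upi://pay payload, and the payer-app check that resolves the payee name from the VPA and warns when the name embedded in the QR disagrees with it or when the code is static. The name directory, merchant names and VPAs are constructed for the example; the upi://pay parameter names (pa, pn, am, tr, cu) are the ones used in UPI deep links.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed name directory standing in for the PSP's payee-address resolution
# (in production this is the address-validation call to the payee PSP, not a dict).
RESOLVED_NAMES = {
    "sharmakirana@okaxis": "SHARMA KIRANA STORE",
    "rahul9876@ybl": "RAHUL KUMAR",
}


def make_dynamic_qr(payee_vpa: str, payee_name: str, amount: str, txn_ref: str) -> str:
    """Merchant side: build the upi://pay payload for one transaction.
    Amount and a per-transaction reference (tr) are fixed inside the code, so the
    terminal shows a fresh QR each time and there is no printed code to cover."""
    params = {"pa": payee_vpa, "pn": payee_name, "am": amount, "tr": txn_ref, "cu": "INR"}
    return "upi://pay?" + urlencode(params)


def parse_upi_qr(payload: str) -> dict:
    """Parse a upi://pay deep link (the format encoded in UPI QR codes) into its fields."""
    u = urlparse(payload)
    if u.scheme != "upi" or u.netloc != "pay":
        raise ValueError("not a upi://pay link")
    fields = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    if not fields.get("pa"):
        raise ValueError("missing payee address (pa)")
    return fields


def _norm(name: str) -> str:
    return " ".join(name.upper().split())


def payment_screen(payload: str, resolve_name=RESOLVED_NAMES.get) -> dict:
    """Payer-app side: what to show before asking for the PIN.
    The displayed name is the one resolved from the VPA, never the 'pn' in the QR,
    because whoever printed the sticker chose its 'pn'."""
    qr = parse_upi_qr(payload)
    verified = resolve_name(qr["pa"])
    claimed = qr.get("pn")
    warnings = []
    if verified is None:
        warnings.append("payee VPA does not resolve")
    elif claimed and _norm(claimed) != _norm(verified):
        warnings.append("name printed in QR differs from verified payee name")
    if "tr" not in qr:
        warnings.append("static QR: no transaction reference, payer enters the amount")
    return {
        "pay_to": qr["pa"],
        "verified_name": verified,
        "claimed_name": claimed,
        "amount": qr.get("am"),
        "warnings": warnings,
    }


if __name__ == "__main__":
    genuine = make_dynamic_qr("sharmakirana@okaxis", "SHARMA KIRANA STORE", "250.00", "TXN20260426001")
    # Constructed sticker payload: the merchant's name pasted onto a personal VPA
    swapped = "upi://pay?pa=rahul9876@ybl&pn=SHARMA%20KIRANA%20STORE&cu=INR"
    for p in (genuine, swapped):
        print(payment_screen(p))
```

The name mismatch is the signal a customer can act on at the counter: the QR claims "SHARMA KIRANA STORE" but the resolved payee is an individual. A sticker can still carry a plausible personal name, which is why the merchant-side credit confirmation remains the backstop.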
3. SIM swap → OTP capture
Fraudster social-engineers telecom operator to issue duplicate SIM. Victim’s number is now controlled by fraudster, who receives banking OTPs.
NPCI / RBI 2024 guidelines:
- SIM-swap detection: telecom + bank data exchange to flag recently-swapped numbers
- 72-hour transaction freeze on accounts where SIM swap detected
- Out-of-band confirmation channel (call to old number, branch verification)
4. KYC / Aadhaar update scams
A "your KYC will expire" SMS leads to a fake page that collects the Aadhaar number plus an OTP or biometric data. The harvested credentials are then used to bind the fraudster's device to the victim's UPI account or to initiate Aadhaar-linked (AePS) transactions.
5. Mule account chains
Fraudsters recruit "mules" (often students or the unemployed) who open accounts in their own names. Fraud proceeds flow through 3-7 mule accounts before cashout, each hop forwarding most of the amount within minutes, which complicates tracing. RBI's mule-account detection programme (2024 onwards) uses cross-bank data sharing for behavioural detection.
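As an added example that is not part of the article or of any bank's system, a behavioural tracer for the pass-through pattern described above: it follows a credit forward through accounts that forward most of it within a short window and reports the chain of intermediaries. The transaction log, account names and column names are constructed for the example; the window and ratio thresholds are assumptions to be tuned against real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transaction log (not real data); field names are assumptions.
# One fraud chain: victim -> mule1 -> mule2 -> mule3 -> cash-out account, each hop
# forwarding nearly the full amount within minutes, plus ordinary unrelated activity.
TXNS = [
    {"id": "t1", "src": "victim@okicici",   "dst": "mule1@ybl",       "amount": 49000, "ts": "2026-04-20T10:00:00"},
    {"id": "t2", "src": "mule1@ybl",        "dst": "mule2@paytm",     "amount": 48000, "ts": "2026-04-20T10:07:00"},
    {"id": "t3", "src": "mule2@paytm",      "dst": "mule3@okaxis",    "amount": 47500, "ts": "2026-04-20T10:15:00"},
    {"id": "t4", "src": "mule3@okaxis",     "dst": "cashout@ybl",     "amount": 47000, "ts": "2026-04-20T10:40:00"},
    {"id": "t5", "src": "payroll@hdfcbank", "dst": "employee@okaxis", "amount": 60000, "ts": "2026-04-01T09:00:00"},
    {"id": "t6", "src": "employee@okaxis",  "dst": "landlord@ybl",    "amount": 20000, "ts": "2026-04-03T09:00:00"},
]


def _ts(t):
    return datetime.fromisoformat(t["ts"])


def trace_chain(txns, start_id, window=timedelta(hours=6), min_ratio=0.8, max_hops=10):
    """Follow one credit forward. At each hop take the earliest outbound transfer from
    the receiving account that moves at least min_ratio of what it just received,
    within `window` of the credit. Stops when the money stays put (cash-out, or a
    genuine account that spends normally)."""
    by_id = {t["id"]: t for t in txns}
    outbound = defaultdict(list)
    for t in txns:
        outbound[t["src"]].append(t)
    hop = by_id[start_id]
    chain = [hop]
    for _ in range(max_hops):
        credited_at, received = _ts(hop), hop["amount"]
        nxt = [t for t in outbound[hop["dst"]]
               if credited_at <= _ts(t) <= credited_at + window
               and t["amount"] >= min_ratio * received]
        if not nxt:
            break
        hop = min(nxt, key=_ts)
        chain.append(hop)
    return chain


def find_mule_chains(txns, min_transfers=3, **kw):
    """Return every maximal pass-through chain of at least min_transfers hops:
    the accounts in order, the transaction ids, the intermediaries (the mule
    accounts proper) and the amount skimmed along the way."""
    consumed = set()
    chains = []
    for t in sorted(txns, key=_ts):
        if t["id"] in consumed:          # already inside a longer chain
            continue
        chain = trace_chain(txns, t["id"], **kw)
        if len(chain) < min_transfers:
            continue
        consumed.update(h["id"] for h in chain)
        accounts = [chain[0]["src"]] + [h["dst"] for h in chain]
        chains.append({
            "accounts": accounts,
            "txn_ids": [h["id"] for h in chain],
            "intermediaries": accounts[1:-1],
            "skimmed": chain[0]["amount"] - chain[-1]["amount"],
        })
    return chains


if __name__ == "__main__":
    for c in find_mule_chains(TXNS):
        print(" -> ".join(c["accounts"]), "| mules:", c["intermediaries"], "| skimmed:", c["skimmed"])
```

The salary account in the sample is not flagged: it forwards a third of its credit two days later, failing both the ratio and the window test. In production the same walk runs across PSPs, which is exactly the cross-bank data sharing the RBI programme exists to enable; within a single PSP the chain usually breaks at the first hop to another bank.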
NPCI controls (current as of 2026)
- UPI Lite: low-value transactions without UPI PIN entry, paid from a small on-device balance with per-transaction and daily caps
- Cooling period for new VPAs registered to existing accounts
- Bank-side velocity limits per VPA
- UPI 123PAY (feature phones) with separate fraud-detection thresholds
- Credit line on UPI with additional KYC gates
PSP-side detection
-- High-velocity collect-request senders
SELECT source_vpa, COUNT(DISTINCT target_vpa) targets, SUM(amount) total_attempted
FROM upi_collect_requests
WHERE timestamp > NOW() - INTERVAL '1 hour'
GROUP BY source_vpa
HAVING COUNT(DISTINCT target_vpa) > 50;
-- New VPA + immediate large credit: a credit above 50,000 within 10 minutes of registration
-- (PostgreSQL syntax; DISTINCT ON keeps the earliest such credit per VPA)
SELECT DISTINCT ON (v.vpa)
       v.vpa, v.registration_time, t.timestamp AS first_credit_time, t.amount AS first_credit_amount
FROM upi_vpas v
JOIN upi_transactions t ON t.target_vpa = v.vpa
WHERE t.amount > 50000
  AND t.timestamp - v.registration_time < INTERVAL '10 minutes'
ORDER BY v.vpa, t.timestamp;
Customer-side defences
- Never approve collect requests from unknown VPAs
- Verify recipient name in transaction screen, not just VPA
- Use UPI Lite for small payments at unfamiliar merchants: a swapped QR can then only drain the Lite balance, not the linked account
- Set per-transaction and daily limits
- Enable transaction notifications
- Report fraud immediately via the national cybercrime helpline 1930 (cybercrime.gov.in) and the bank's own app; the sooner the report, the better the chance of freezing the funds in the first mule account
The takeaway
UPI fraud is a volume game — small per-transaction amounts at scale. NPCI controls have raised the floor; behavioural detection on PSP backends catches the rest. For banks and PSPs, the high-leverage detections are: collect-request volume from single VPA, new-VPA + immediate-large-credit, mule-account behavioural signatures.