Phishing Scams in India
India's rapid digital financial adoption — driven by UPI, NEFT, and digital banking — has created a large attack surface for phishers impersonating NPCI, major banks, and government tax and pension portals.
Part of: Phishing
Last reviewed: 1 June 2026
India's mass migration to digital payments through the Unified Payments Interface (UPI) has created a high-value phishing target: hundreds of millions of users now conduct financial transactions on smartphones, many for the first time. Phishers exploit the novelty of digital payments for newer users and the ubiquity of UPI for all users, impersonating apps like PhonePe, Google Pay, and Paytm, as well as NPCI, income tax portals, and major banks.
Vishing — phone-based phishing — is also extremely prevalent in India, where callers impersonate bank customer service, KYC update services, and income tax officials.
How this scam works on India
UPI phishing exploits a common misconception that QR codes and UPI 'receive money' requests can be sent as well as payment requests. Phishers send UPI 'collect' requests framed as payments to victims who do not recognise that approving the request sends money rather than receiving it.
IT department phishing peaks around the ITR filing season (June–July), with SMS and email messages claiming recipients owe additional tax or are eligible for refunds that require bank detail verification on spoofed income tax e-filing pages.
Bank KYC phishing is a persistent threat: SMS messages claim the recipient's account will be suspended unless KYC is completed immediately via a link that harvests account credentials and OTPs.
Common red flags
- UPI collect request framed as a payment being sent to you
- SMS claiming your bank account will be frozen unless KYC is completed via a link
- Income tax refund email asking for bank details on a spoofed e-filing page
- Call from someone claiming to be from the bank's customer service asking for OTP
- Any message creating urgency around digital payment account verification
How to protect yourself
- Understand that UPI collect requests require you to pay — approve only requests from known sources
- Never share OTPs with anyone — banks never ask for OTPs over the phone
- Access income tax e-filing only at incometax.gov.in — never via SMS links
- Report phishing to the Cyber Crime reporting portal at cybercrime.gov.in
- Report bank phishing to the bank's official fraud number and to RBI Ombudsman if needed
How to report it
- Report to cybercrime.gov.in
- Contact the National Cyber Crime Reporting Portal helpline: 1930
- Contact your bank's fraud number immediately if OTP or credentials were shared
Frequently asked questions
How do UPI phishing scams work in practice?
Scammers send a UPI 'collect' request — which looks similar to a payment notification — to victims who approve it thinking they are receiving money. Approving a collect request authorises a payment from your account, not into it. Only approve UPI collect requests from sources you have verified independently.