UPI KYC Scam Explained — How Fake KYC Links Steal Your Money
UPI KYC scam explained: how fake 'KYC expiry' SMS and WhatsApp links steal your UPI PIN. Real 2025 examples + how to report to NPCI, RBI & cybercrime.gov.in.
How the scam actually works
- The scammer sends a bulk SMS or WhatsApp message impersonating SBI, HDFC, PhonePe or Google Pay.
- The link opens a page that looks like your bank or PSP app and asks for your UPI PIN, debit card number, CVV and OTP.
- The moment you enter the UPI PIN, the scammer triggers a UPI collect-request on their end. Your PIN authorises the debit.
- Money leaves your account within seconds. There is no 'reverse' button.
Red flags — what to look for
- Any SMS or WhatsApp claiming your KYC will 'expire in 24 hours'. Real KYC never has that urgency.
- A link that opens a page asking for UPI PIN, debit card CVV, or OTP — legitimate apps ask for these inside the app, never through a browser link.
- The sender ID looks like 'AX-SBIUPI' or 'VM-KYCUPD' — banks send from 6-character IDs registered with TRAI, not random ones.
- The URL uses shorteners (bit.ly, tinyurl, t.co) or a lookalike domain (sbi-kyc-upd.in, phonepe-verify.co).
How to report in India
- Call the cybercrime helpline 1930 within 24 hours — that's the golden window for chargeback.
- File a complaint at https://cybercrime.gov.in with the SMS screenshot and transaction ID.
- Report the UPI transaction to your bank via the official app (not the scammer's link).
- Forward the phishing SMS to 1909 (TRAI's DND / spam reporting) so the sender ID gets blacklisted.
How to protect yourself going forward
Prevention is boring but works. Enable UPI transaction alerts on SMS + email (both, not just one). Set a daily UPI cap of ₹10,000 unless you actively need more — you can raise it back in 30 seconds when required. Add a separate low-balance current account for online payments and keep the salary account off UPI entirely. Lock your Aadhaar biometric at resident.uidai.gov.in — that alone stops most eKYC-based downstream fraud even if your OTP is leaked. Finally, tell one family member every time you get a suspicious message. Fraud thrives on isolation.
What actually helps recovery
Time. The single strongest recovery factor is reporting to 1930 within the first hour. RBI's Turnaround-Time framework requires banks to freeze beneficiary accounts within specific windows and the 1930 number is plugged directly into that flow. After 24 hours, freeze probability drops sharply. After 72 hours, recovery is rare. Screenshot everything: the SMS, the caller number, the UPI ID, and the debit alerts. All of these become evidence on cybercrime.gov.in.
Frequently asked questions
Does UPI have a KYC?
No. UPI is a payment rail run by NPCI; there is no separate KYC for UPI. Your bank does periodic KYC updates but always through the bank app or branch — never through an SMS link.
What if I already entered my UPI PIN?
Immediately open your UPI app and disable the UPI ID (or block the debit card), then call 1930 and your bank's official helpline. File on cybercrime.gov.in within 24 hours for the best chance of recovery.
Can the police recover my money?
If you report within 24 hours through 1930 and cybercrime.gov.in, the bank can freeze the beneficiary account before the money is withdrawn. After 72 hours, recovery drops sharply.
How do I verify a KYC message is real?
Ignore the message. Open your bank's official app directly and check the notifications section. If there's a real KYC pending, it will show inside the app.
Is PhonePe / GPay responsible for the loss?
Under RBI's limited-liability circular (2017), if you report within 3 working days and it wasn't caused by your negligence, your loss is capped. UPI PIN sharing is treated as negligence, though — which is why never sharing the PIN matters.