UPI Safety: 10 Rules Every PhonePe and Google Pay User Should Follow
India processes over 13 billion UPI transactions a month, and Karnataka is among the most active states — but fraud attempts have grown alongside adoption. These ten rules will help you use PhonePe, Google Pay, and any other UPI app with confidence.
Always keep your UPI PIN private and never share it with anyone. Enable app lock, use only official apps from verified stores, and verify the recipient's VPA before sending. If something feels wrong, call the National Cyber Helpline on 1930 immediately.
Key Takeaways
- Your UPI PIN is only ever needed to SEND money — never to receive it.
- Screen-share and remote-access scams are the most common vectors for UPI fraud in India.
- Link your UPI only to a dedicated low-balance account to limit exposure.
- Freeze your account through your bank app or helpline the moment you suspect fraud.
UPI has transformed the way Karnataka residents pay — from the neighbourhood kirana store in Rajajinagar to the organic market in Indiranagar. Yet that same convenience draws fraudsters. The rules below are drawn from advisories by the Reserve Bank of India (RBI) and NPCI, plus patterns observed in reported cases across Indian consumer forums.
The 10 Rules
Rule 1: Treat Your UPI PIN Like Your ATM PIN
Your UPI PIN authorises a debit from your account. No bank employee, UPI app support agent, or NPCI representative will ever ask for it. If someone asks, end the call immediately.
Rule 2: You Never Enter Your PIN to Receive Money
This deserves its own rule because it is the single biggest misconception that fraudsters exploit. Receiving a payment requires nothing from you — not a PIN, not an OTP, not a “confirmation tap”. If a screen is asking for your PIN and someone told you it is to receive money, it is a fraud attempt.
A common scam: a caller says they will send you ₹50,000 and asks you to “just confirm” by entering your PIN. The moment you enter the PIN, money leaves your account, not theirs.
Rule 3: Download Apps Only From Official Stores
Use only the Google Play Store or Apple App Store. Search for the app by its exact name — PhonePe, Google Pay, Paytm — and check that the developer name matches the official company. APK files shared via WhatsApp or Telegram can carry malware that reads your screen or intercepts OTPs.
Rule 4: Enable App Lock on Every UPI App
Both PhonePe and Google Pay support fingerprint or face-lock at the app level, separate from your phone’s screen lock. Enable it. If your phone is snatched while unlocked, this is your last line of defence before someone tries to initiate a transaction.
Rule 5: Verify the VPA Before Every New Transfer
UPI Virtual Payment Addresses (VPAs) like name@okicici or merchant@ybl are case-insensitive, but typos are common. Always cross-check the recipient’s name shown after you enter the VPA — most UPI apps display it before you proceed to the PIN screen. If the name does not match, stop.
When paying a new vendor at a physical shop, ask to see their QR code certificate or the printed QR. A tampered QR sticker placed over the real one is a documented fraud technique.
Rule 6: Never Accept Screen-Share Requests
Apps like AnyDesk, TeamViewer, or Screenshare have legitimate uses — but a stranger calling to “help you” with a UPI issue and asking you to install one of these is almost certainly a fraudster. Once screen-share is active, they can see your OTPs, app screens, and PIN entry. Hang up and call your bank directly.
Rule 7: Link UPI to a Dedicated Low-Balance Account
Open a separate savings account and transfer only what you need for weekly spending. Link your UPI apps to this account. Even if fraud occurs, the exposure is limited. Your salary account and fixed deposits should not be linked to any UPI app unless absolutely necessary.
Rule 8: Review Transaction Permissions Regularly
Both Android and iOS let you review which apps have access to your SMS, contacts, and camera. UPI apps legitimately need SMS access to auto-read OTPs — but an unrecognised app having SMS access is a red flag. Check your app permissions every few months via Settings > Apps > Permissions.
Rule 9: Use Strong, Unique UPI PINs
Avoid PINs that are your birth year, the last four digits of your phone number, or any sequence like 1234 or 0000. UPI PINs are 4 or 6 digits — use 6 digits wherever the bank allows it. Change the PIN if you ever suspect someone saw you entering it.
Rule 10: Know the Escalation Path
If you suspect fraud or see an unauthorised transaction:
- Call 1930 (National Cyber Crime Helpline, 24×7) immediately — the faster you report, the higher the chance of a freeze.
- Report on cybercrime.gov.in.
- Call your bank’s 24×7 helpline and ask for a temporary hold on UPI transactions.
- Raise a dispute in the UPI app itself: both PhonePe and Google Pay have in-app dispute flows.
Screenshot every transaction confirmation and keep a folder in your gallery for 90 days. Banks and NPCI sometimes ask for transaction IDs during dispute resolution, and having a screenshot speeds things up considerably.
A Word on Merchant QR Fraud
The Karnataka Police Cyber Crime Division has documented cases where fraudsters place a sticker QR over a legitimate merchant’s QR code — especially at petrol bunks and street stalls. The payment goes to the fraudster’s account. The merchant has no idea. Before scanning at a new place, check whether the QR sticker appears freshly applied or sits oddly over a printed background.
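For merchants who want to audit the sticker on their own counter, here is an added example (not from the original article or from any UPI app). A UPI QR code decodes to a upi://pay link whose pa parameter is the payee VPA and whose pn parameter is a display name, so scanning the sticker with a generic QR reader and comparing pa against your own VPA shows whether it has been swapped. The payloads and VPAs below are constructed samples.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample payloads (text a QR scanner would decode); not real merchants.
GENUINE = "upi://pay?pa=sristores@okicici&pn=Sri%20Stores&cu=INR"
TAMPERED = "upi://pay?pa=sristores.pay@ybl&pn=Sri%20Stores&cu=INR"


def parse_upi_qr(payload):
    """Extract the payee fields from the text decoded out of a UPI QR code."""
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() != "upi" or parts.netloc.lower() != "pay":
        raise ValueError("not a upi://pay link")
    params = parse_qs(parts.query, keep_blank_values=True)
    payees = params.get("pa", [])
    if len(payees) != 1:
        raise ValueError("expected exactly one payee address (pa)")
    vpa = payees[0].strip().lower()  # VPAs are case-insensitive
    handle, sep, provider = vpa.partition("@")
    if not (sep and handle and provider):
        raise ValueError("payee address is not of the form name@provider")
    # pn is free text chosen by whoever generated the QR; it proves nothing.
    return {"vpa": vpa, "name": params.get("pn", [""])[0].strip()}


def check_qr(payload, expected_vpa):
    """Return a list of problems; an empty list means the QR pays expected_vpa."""
    try:
        payee = parse_upi_qr(payload)
    except ValueError as exc:
        return [f"reject: {exc}"]
    expected = expected_vpa.strip().lower()
    if payee["vpa"] != expected:
        return [f"mismatch: QR pays {payee['vpa']} (labelled "
                f"'{payee['name']}'), expected {expected}"]
    return []


if __name__ == "__main__":
    for label, qr in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(label, check_qr(qr, "SriStores@okicici") or "OK")
```

Note that the tampered sample carries the same display name as the genuine one: the name inside the QR is set by whoever printed it, which is why the comparison is made on the VPA.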
Social Engineering Remains the Biggest Risk
Technical vulnerabilities in UPI itself are rare. NPCI and participating banks invest heavily in infrastructure security. The weak link is almost always human: a convincing phone call, a fabricated urgency (“your account will be blocked in 30 minutes”), or a QR code that promises a reward. The ten rules above are primarily about recognising and resisting social engineering, not about protecting yourself from hacking in the Hollywood sense.
Stay sceptical of unsolicited calls about your UPI or bank account. Legitimate institutions contact you through registered channels and will never pressure you for your PIN, OTP, or remote access to your device.


