Why You Never Enter Your UPI PIN to RECEIVE Money

Every week, across Karnataka and the rest of India, people lose money to a fraud so elegantly simple that it works even on educated, technically aware users. The script varies but the mechanism is always the same: a caller convinces someone that to receive money via UPI, they must enter their UPI PIN. The victim enters the PIN. Money leaves their account.

Understanding why this is impossible to happen accidentally — why the PIN can only ever cause a debit — requires a brief look at how UPI actually works.

How UPI Moves Money: The Architecture in Plain Terms

UPI, developed by NPCI (National Payments Corporation of India) and regulated by the RBI, is a real-time payment system that works on top of bank accounts. Every UPI transaction has two sides:

• Push transaction: You initiate a payment to someone else. You enter the recipient’s VPA (Virtual Payment Address), the amount, and then your UPI PIN to authorise the debit from your account.
• Pull / Collect transaction: Someone requests money from you. Your UPI app shows a “Collect Request” notification. You must actively approve it — by entering YOUR UPI PIN — and this sends money FROM your account TO the requester.

Notice what is absent from this list: there is no transaction type where receiving money requires your PIN. When someone sends you a push payment, the entire transaction happens on their device. Your bank receives the incoming transfer and credits your account. You get a notification. You do nothing.

The Fraud Script, Step by Step

Understanding the exact script helps you recognise it in any disguise:

1. You post something for sale on OLX, Quikr, or a Facebook group, or you respond to a job post.
2. A “buyer” or “HR representative” contacts you and says they want to send payment or a advance.
3. They send a Collect Request to your UPI app — this is a request for you to pay them, but they describe it as “I have sent you the money.”
4. They say “just enter your PIN to confirm receipt” or “your bank needs your PIN to unlock the incoming payment.”
5. You enter the PIN, approving the Collect Request. Your money goes to them.

Variations include sharing a QR code that encodes a fixed payment request, or asking you to “verify” your account by doing a ₹1 test payment that is actually a full amount. But the core deception is always the same: the PIN is for sending, never for receiving.

Why the Deception Is So Effective

Credit and debit cards operate on a pull model — merchants charge you, and you authorise by entering a PIN or OTP. Many people have internalised this mental model: “entering my PIN means the transaction goes through.” That is partially correct, but with UPI, what matters is which direction the transaction is going. The PIN always authorises the direction that takes money out of your account.

Fraudsters also layer in authority and urgency: “This is SBI customer care,” “Your KYC will expire in one hour,” “The NPCI system requires PIN verification to release the funds.” None of these are real. The RBI has explicitly stated that neither it nor any bank ever asks customers to share PIN, OTP, or passwords over the phone or via any digital channel.

What Receiving Money Actually Looks Like

When someone genuinely sends you a UPI payment:

• You receive an SMS from your bank: “Your a/c XXXX has been credited with ₹X by UPI Ref No…”
• You receive an in-app notification from your UPI app showing the incoming amount and sender name.
• Your bank balance increases.
• You do nothing. You do not tap anything. You do not enter any PIN. You do not call anyone back.

If someone tells you that you need to take any action to receive money already sent, they are either confused or they are lying to you.

Collect Requests: When Are They Legitimate?

Collect Requests do have genuine use cases — some utility billing services and certain B2B workflows use them. If you receive a Collect Request from a known, verified merchant or business you actively deal with, it may be legitimate. The key tests:

• Did you initiate this relationship or transaction?
• Does the VPA match the merchant’s official details?
• Is the amount exactly what you expected?

If any of these is uncertain, decline the request. You can always pay via a normal push transaction instead — search the merchant’s VPA and send the amount yourself, so you control every digit.

If You Have Already Been Scammed

If you entered your PIN on a fraudulent Collect Request and money has left your account, time matters more than anything else:

• Call 1930 (National Cyber Crime Helpline) immediately.
• Report at cybercrime.gov.in.
• Call your bank’s 24×7 helpline and request a freeze or recall of the transaction.
• Note the fraudster’s UPI ID (VPA) from the transaction history — this is crucial for the police report.

Recovery is not guaranteed, but prompt reporting gives authorities the best chance to freeze the recipient account before the funds are withdrawn.