A WhatsApp message warning about a new UPI scam has been circulating, and it’s causing quite a stir. The message describes a sinister technique called "Jumped", where scammers send a small amount of money to UPI accounts on PhonePe, Google Pay or Paytm, tricking you into thinking it’s a legitimate deposit.
But the catch? As soon as you check your balance, the scammer is able to withdraw money from your account—because you entered your PIN while doing so.
The message warns, “The moment you enter your PIN to check your balance means you have validated his withdrawal request on your account. Your account will automatically allow his withdrawal request and take out the money.”
To protect oneself, the message advises that when you receive an unexpected deposit, you should first enter an incorrect PIN to check your balance. This will cancel any withdrawal requests. Once that's done, you can safely check your balance using your correct PIN.
However, is this the latest digital fraud to watch out for or just another unfounded rumour? Decode explains.
Screenshot of the viral WhatsApp message
Is this scam possible?
Decode spoke to experts who said that they do not believe the claim to be “technically feasible”. According to Akshay, an independent security researcher, a scammer can, in the worst case, only initiate a payment request using the Unified Payments Interface (UPI), and there is no such thing as a "withdrawal" without consent.
Even so, the user flows for checking a bank balance and for approving a collect request are totally different in all of the UPI apps that the message mentions, he added.
“Those are two independent transactions, and even checking the balance during an active payment request only fetches the balance and does not approve or deny the request,” Akshay explained.
Cybersecurity expert Venkat Guttula also explained why it is unlikely for UPI users to fall for the scam. “When a fraudster sends a withdrawal or payment request, UPI apps display a clear notification. Clicking on this notification does not immediately prompt the user to enter their UPI PIN,” he said.
He further said, “Instead, the app shows the requestor's name, the requested amount, and a visible 'Pay' button. Users are only asked to enter their PIN after they actively click 'Pay'.”
Akshay debunked another misleading claim in the widely circulated WhatsApp message, which suggested that entering an incorrect PIN on the balance check screen would cancel any pending UPI collect requests. He stated that this claim is "completely inaccurate".
He explained, “Entering the UPI PIN incorrectly for 3 times causes a lockout at the account-level for 24 hours and does not affect any UPI payment requests - unless they automatically expire within that window; but instead, affects legitimate transactions.”
What are the commonly known UPI scams?
While the warning about the "Jumped" UPI scam in the WhatsApp message may be an exaggerated scare, there remains a growing concern over digital fraud in India. UPI scams are becoming increasingly common, with fraudsters constantly devising new ways to exploit users' trust.
From phishing attacks to fake payment links, these scams can happen in a variety of ways. As mobile payments continue to rise in popularity, it is crucial to stay informed about the real threats and learn how to protect yourself from these evolving tactics.
Speaking to Decode, experts highlighted several common UPI scams that users need to be cautious about:
Fake Refunds or Cashbacks: Scammers often promise cashback or refunds for a prior transaction and request payment or PIN entry to "process" the offer. Security expert Akshay warned, “This results in unauthorised deductions. It's crucial to verify cashback or refund requests independently with the concerned company or service provider.”
One such incident involved a Bengaluru techie who narrowly escaped falling for this ploy. A scammer called her, claiming he needed help transferring money to her father due to issues with his bank account.
Shortly after the call, the techie received an SMS alert that appeared to confirm a deposit. The scammer then claimed he had mistakenly transferred Rs 30,000 instead of Rs 3,000 and asked her to return the excess amount. However, upon carefully examining the SMS, she noticed discrepancies and realised it was a fraudulent scheme.
Phishing Links: Scammers frequently use phishing links that mimic the appearance of payment apps or official bank websites. When these links are clicked, they redirect users to fake UPI apps or websites that steal credentials and UPI PINs if entered. These stolen details are then used to carry out unauthorised transactions.
In one instance reported by Decode, a woman lost nearly Rs 2 lakh after a scammer, pretending to be a rental car service provider, sent her a phishing link via WhatsApp. The link, disguised as their app "soon to be available on the Playstore," captured her banking details and OTPs, leading to the financial loss.
Fake QR Code Scams: Scammers create counterfeit QR codes that resemble legitimate ones. When these codes are scanned, users are redirected to fraudulent websites or payment apps, enabling scammers to steal financial information or siphon money directly.
A recent example involved a 23-year-old man in Aizawl, Mizoram, who was arrested for replacing a QR code sticker at a petrol pump with his own Google Pay QR code. This simple yet deceptive act allowed him to divert payments intended for the petrol pump into his own account.
How to stay safe?
As our reliance on digital payment apps grows, so does the sophistication of scams targeting users. Cybersecurity expert Guttula urged caution, advising users to always verify the amount and recipient before approving any UPI transaction.
“Never send money to someone claiming they transferred funds by mistake,” he said. “Advise them to resolve the issue with their bank directly.”
Akshay echoed similar advice, stressing that a UPI PIN is only needed for sending money or checking account balances. “It’s important to remember that scanning a QR code and entering your UPI PIN is only for making payments, not receiving them,” he explained, urging users not to enter their PIN when expecting money.
He also cautioned against using predictable PINs, such as birthdates, phone numbers, or common sequences. “It’s crucial to have unique PINs for each bank account and keep them secret,” Akshay emphasised.
By carefully verifying payment requests, users can add an extra layer of security, as scammers may impersonate trusted contacts, such as family members or businesses, to deceive victims, he added.