UPI has redefined the digital payment ecosystem in India. In May 2025 alone, UPI processed 18.68 billion transactions worth ₹25.14 lakh crore, with 684 banks now live on the platform. This was a 33% year-on-year increase from May 2024. With 622.6 million daily transactions, UPI holds an impressive 83.4% market share of India’s digital payments landscape.
However, this remarkable growth comes with an equally concerning factor – UPI fraud. Cases of UPI fraud in FY 2024-25 were reported at 6.32 lakh incidents valued at ₹485 crore. Even more alarming, 1 in 5 UPI users have experienced fraud in the past three years, with 51% of victims not filing complaints.
UPI Domestic Fraud Report
Why Banks Struggle with UPI Frauds
- 1. Onboarding Challenges due to banking infrastructure
Banks face sophisticated synthetic identity frauds and mule account creation during customer onboarding. Traditional KYC processes struggle to detect fake identities created using stolen or altered documents. Fintechs, working with lighter regulations, find it hard to implement strong verification compliances without making the process too difficult for customers.
- 2. Real-Time Fraud Detection Limitations due to legacy banking systems
Most financial institutions rely on outdated fraud detection systems designed for card-based transactions, not real-time payments. These systems generate high false alerts, blocking legitimate transactions while advanced ones slip through. This inefficient system of the current fraud detection systems leads to banks often missing out on coordinated attack patterns.
- 3. Settlement and Dispute Resolution Complexities
UPI’s instant settlement nature creates challenges when fraudulent transactions occur. Unlike traditional banking where reversals can be processed within business hours, UPI fraud victims expect immediate resolution. The 24-hour reversal policy puts pressure on banks to investigate and resolve disputes rapidly, often without data-driven analysis.
- 4. Technology Infrastructure Strain
- Banks are unable to function with the required uptime while processing millions of transactions daily. Legacy core banking systems often struggle with this scale, leading to performance issues during peak periods.
- The recent NPCI rule requiring 15-second response times for UPI transactions adds more pressure on the infrastructure.
NPCI's Updated Regulations
NPCI has come up with a set of regulation to combat UPI frauds that banks and NBFCs have been facing.
NPCI's UPI Fraud Prevention Measures
CBS Verified Beneficiary Name Display
UPI apps must show the beneficiary’s official name to reduce fraud.
Disabling International UPI via Shared QR Codes
International users cannot use shared QR codes for payments.
Restrictions on Non Financial API Use
Limits set on API calls to mitigate financial crimes.
Reduction in UPI Response Time
UPI transactions and status checks are faster.
Discontinuation of P2P Collect Requests
P2P collect feature is discontinued to reduce fraud.
Starting June 30 2025, NPCI, through integration with CBS(Core Banking System) mandated that UPI apps must show the beneficiary’s bank-registered name.
NPCI has disabled international QR-based “share and pay” functionality to restricts international users from executing payments via shared QR codes, permitting only on-site live scanning through geolocation or physical QR access.
NPCI has also mandated a daily cap of 50 balance inquiry API calls per user per application and limits account discovery to 25 requests per user per application per day.
UPI transactions processing time is reduced to 15 seconds and the status check and reversal is reduced to under 10 seconds.
The UPI collect feature of P2P transactions will be discontinued starting October 1, 2025. NPCI aims to make all transactions payer initiated.
NPCI's AI Powered Risk Management Module
- Federated AI Model
NPCI launched a pilot project with leading banks to combine their internal risk scores with NPCI’s transaction data. This “federated learning” approach allows the banks to evaluate fraud risk in real-time without sharing sensitive customer information.This is a more secure and privacy-friendly method.
- ML Tools and Advanced Analytics
NPCI provides free AI and machine learning tools (like MuleHunter.AI) to its partner banks. These tools analyze transaction patterns, device details, and behavioral anomalies to spot fraudulent activities. The system processes real-time transactions and provides instant risk assessments and gives the bank a risk score for each transaction, helping banks react quickly.
iServeU's Preventive Approach For UPI Fraud Mitigation
Partnering with NPCI as a certified Technology Service Provider (TSP), iServeU stands at the forefront of implementing robust fraud prevention mechanisms to secure the UPI ecosystem. With NPCI mandating stringent fraud detection protocols across all Payment Service Providers (PSPs) and fintechs, iServeU has developed a multi-layered security architecture that addresses the evolving landscape of UPI fraud threats.
For early detection and prevention:
- AI/ML powered Fraud Detection Engine helps banks instantly flag high-risk UPI transactions, minimizing potential fraud losses. It is a sophisticated & dedicated rule-based risk-scoring engine that evaluates every incoming UPI transaction in real-time. It also uses AI & ML algorithms to analyze critical parameters including transaction behavior patterns, velocity metrics, geographical location data, and device trustworthiness indicators.
- Geolocation Monitoring assists in identifying suspicious transactions based on location mismatches. It analyses a transaction’s geolocation details like IP address and GPS, effectively preventing location-based fraud scenarios through sophisticated geographical correlation algorithms.
Callback Validation Framework: The decrypt-validate-read sequence provides strong protection against tampering and man-in-the-middle attacks. The checksum verification ensures data hasn’t been altered during transmission, which is critical for preventing fraudulent status modifications.
Automated Reversal Management: Our time-bound reversal mechanism addresses one of the most common UPI fraud scenarios—failed transaction disputes where customers amount is debited but merchants don’t receive funds. Automatic reversals without manual intervention reduces friction and prevent complaint escalation.
Audit Trail Maintenance: Comprehensive logging of reversal events creates a permanent record for investigating issues, meeting NPCI and RBI compliance requirements, and resolving customer disputes. Every transaction reversal is documented with complete details, ensuring transparency and accountability across the payment ecosystem.
Real-Time Duplicate Transaction Detection: It has deduplication logic that checks for identical requests within short timeframes (same amount, same beneficiary, same originator). This prevents replay attacks where fraudsters intercept and resend valid transaction requests multiple times.
Callback Source Authentication: Beyond checksum validation, verification of the callback source IP address against whitelisted bank/payment gateway IPs, the mutual TLS authentication where both system and the callback sender verify each other’s certificates.
Payer VPA Checks: Prevents specific VPAs from initiating UPI payments on your platform, helping to stop repeated fraud and manage high-risk users. By temporarily or permanently blocking a payer’s VPA, the system prevents further transactions until the issue is resolved, thereby protecting merchants and the payment ecosystem from misuse and recurring disputes. This feature effectively restricts potentially fraudulent payers from initiating transactions, minimizing financial losses for merchants and reducing operational and risk management costs for banks.
Status Polling Frequency Controls: NPCI now mandates maximum three transaction status check attempts with 90-second minimum intervals we ensure pending transaction monitoring adheres to these limits to avoid API throttling while maintaining timely status updates.
- Timeout Threshold Optimization: The reversal trigger based on “set time frame” aligns with NPCI’s technical guidelines, we have tiered timeouts:
- Immediate failures (0-30 seconds):Network/technical errors requiring instant reversal
- Pending confirmations (30 seconds-5 minutes):Normal processing delays with status polling
- Auto-reversal threshold (5-15 minutes):Maximum wait before automatic fund credit
- Idempotency Key Implementation: A unique idempotency keys is assigned to each transaction request. If a retry occurs due to network timeout, the same key ensures the transaction isn’t duplicated on the banking side. This prevents scenarios where customers are debited multiple times for a single intended transaction.
- Customer Notification Workflow: Real-time SMS/push notifications at key stages:
- Transaction initiated
- Pending status beyond normal timeframe
- Reversal triggered
- Funds successfully credited back
This transparency reduces users anxiety and support queries while demonstrating proactive monitoring.
Fraud Score Integration: Risk scoring for callback validation:
- Transactions flagged as high-risk receive additional human review before final status marking
- Suspicious patterns trigger enhanced verification even if checksum is valid
- Integration with FRI (Financial Fraud Risk Indicator) to check beneficiary risk levels
Conclusion
As digital transactions rise, so do UPI fraud risks. Through secure practices, preventive tools, and collective security actions, fintechs can strengthen the use case and reliability safety and reliability on UPI payments. India’s UPI network is projected at 1 billion daily transactions by FY 2027. Proactive fraud prevention is the key to combat UPI fraud. iServeU enables fintechs to leverage our UPI stack that includes advanced fraud detection and transaction monitoring, ensuring safer UPI transactions at scale.
Author
Dibendu Saha
Payments product professional, driving end-to-end product strategies and leading development across platform integration, compliance, transaction processing, and scalable digital payment solutions.
