UCyberSecurity

Hindi

New UPI Scam Alert Targeting SBI and HDFC Bank Customers in India: What You Need to Know to Protect Your Money

India’s digital payment ecosystem has transformed how millions of people handle money every day. UPI (Unified Payments Interface) now processes over 12 billion transactions monthly, making it one of the world’s largest real-time payment systems. But with this convenience comes a growing threat: sophisticated UPI scams that are increasingly targeting customers of major banks like State Bank of India (SBI) and HDFC Bank.

In early 2026, cybercrime cells across India reported a sharp rise in UPI-related fraud complaints. The Reserve Bank of India (RBI) has repeatedly warned customers that banks never ask for UPI PINs or OTPs over the phone, and it has updated its guidelines on customer liability in unauthorized electronic transactions to better protect users.

Millions of SBI and HDFC customers are being targeted by a new UPI scam. Stay alert and protect your money
Millions of SBI and HDFC customers are being targeted by a new UPI scam. Stay alert and protect your money

If you use UPI to pay bills, send money, or shop online, this alert is for you. Below are the verified facts about the current scam trend, how it works, and exactly what you can do to stay safe.

What’s Actually Happening: Verified Facts

There is no single “new” scam that started on a specific date in March 2026. Instead, cybercriminals are using a combination of well-established social engineering tactics that have become more refined and widespread in early 2026. Key verified facts include:

  • Rising Complaints: The National Cyber Crime Reporting Portal (cybercrime.gov.in) has seen a significant increase in UPI fraud complaints since the start of 2026, with many victims losing money within minutes of falling for a scam.

  • Targeted Banks: SBI and HDFC Bank customers are disproportionately affected, largely because these two banks have the largest UPI user bases in India—SBI alone has over 450 million customers.

  • RBI’s Ongoing Warnings: The RBI has consistently issued advisories (most recently updating its customer liability rules in March 2026) reminding users that no bank employee will ever ask for your UPI PIN, OTP, or password over a call.

  • New Security Rules: Starting April 1, 2026, the RBI enforced stricter two-factor authentication (2FA) norms for certain UPI transactions to reduce fraud risk.

How New UPI Scams Actually Work

Fraudsters use a predictable pattern to steal money through UPI. Here’s the step-by-step method that has been documented by cybercrime authorities:

1. The Fake Customer Care Call

You receive a call from someone claiming to be from SBI, HDFC, or your UPI app provider (like Google Pay or PhonePe). They say your account is “compromised,” a “wrong transaction” was made, or a “refund is pending.” They often know your name, account number, or last transaction details—information they may have obtained from past data leaks.

2. The Urgent Request

The caller creates a sense of urgency, saying you must “verify your account immediately” or “claim your refund within 30 minutes” or the money will be lost forever.

3. The UPI PIN Trap

They ask you to:

  • Click a link they send via SMS or WhatsApp (which leads to a fake UPI payment screen), or

  • Share your UPI PIN to “verify” or “reverse” a transaction, or

  • Share your OTP under the guise of “confirming your identity.”

4. The Instant Theft

The moment you enter your UPI PIN or share your OTP, the fraudster initiates a real UPI transfer from your account to their mule account. UPI transactions are instant and usually irreversible once completed.

What makes these scams dangerous is that they don’t rely on hacking or malware. They exploit trust, urgency, and lack of awareness.

Real Impact: What Victims Are Experiencing

While exact nationwide numbers for April 2026 are still being compiled, cybercrime reports from January through March 2026 show:

  • Average loss per victim ranges from ₹10,000 to ₹2.5 lakh.

  • Many victims are aged 25–55, digitally active but not fully aware of UPI security protocols.

  • People in urban and semi-urban areas are most targeted, especially those who recently used online shopping, bill payments, or new banking apps.

In cities like Pune, Mumbai, Delhi, and Bangalore, local cybercrime cells have reported dozens of cases weekly where victims lost money after believing a “refund” or “account verification” story.

What SBI, HDFC Bank, and RBI Are Actually Doing

SBI and HDFC Bank Alerts

Both banks have issued public alerts through their websites, mobile apps, and SMS broadcasts:

  • SBI has placed banners on its official website warning against “fake customer care calls” and “UPI PIN requests”.

  • HDFC Bank has sent SMS messages to millions of users stating: “Our bank will never ask for your UPI PIN, OTP, or password over the phone or email.”

RBI’s Official Stance

The RBI’s March 2026 updated guidelines on customer liability in unauthorized electronic transactions clarify:

  • Customers are not liable for unauthorized transactions if reported within 3 days.

  • Banks must investigate and resolve complaints within 90 days.

  • Financial institutions must proactively educate customers about fraud risks.

The RBI also reinforced a core rule that appears in all its advisories:
“Banks and their employees will never ask for your UPI PIN, OTP, or password.”

How to Protect Yourself: 7 Verified Safety Rules

These are not opinions—they are the exact recommendations from the RBI, SBI, HDFC Bank, and cybercrime authorities:

  1. Never share your UPI PIN – No bank employee, customer care agent, or government official will ever ask for it.

  2. Never share your OTP – OTPs are for your use only. Sharing them is like giving away your password.

  3. Verify callers independently – If someone claims to be from your bank, hang up and call the official number on your bank card or the bank’s official website.

  4. Don’t click unknown links – Even if the message looks official, do not click links sent via SMS or WhatsApp. Open your banking app directly instead.

  5. Check transaction details before confirming – Always verify the recipient’s name and amount on the UPI screen before entering your PIN.

  6. Enable transaction notifications – Turn on SMS and app alerts for every transaction so you know immediately if money moves.

  7. Report immediately if suspicious – If you suspect fraud:

    • Call your bank’s official helpline right away.

    • File a complaint at the National Cyber Crime Portal: cybercrime.gov.in

    • Report to your bank’s fraud email ID (found on their official website).

What to Do If You’ve Been Scammed

If you realize you’ve shared your UPI PIN or OTP, or money has been deducted without your consent:

  1. Call your bank immediately – Request an emergency freeze on your account or card.

  2. Change your UPI PIN – Do this only through your official banking app, not any link.

  3. File a cybercrime complaint – Visit cybercrime.gov.in and submit all details (transaction ID, caller number, message screenshots).

  4. Contact your bank’s fraud cell – Provide all evidence.

  5. Monitor your account – Check for any other unauthorized transactions in the following days.

Acting quickly improves your chances. If you report an unauthorized transaction within 3 days, RBI guidelines state you may not be liable for the lost amount.

The Bigger Picture: Staying Safe in India’s Digital Payment Era

India’s UPI system remains one of the safest and most efficient payment systems in the world. In early 2026, the RBI introduced stronger fraud safeguards, including mandatory two-factor authentication for certain transactions and updated customer liability rules.

But technology alone cannot stop fraud. The most powerful defense is awareness. Scammers rely on people not knowing the rules. When you know that:

  • Banks never ask for your UPI PIN or OTP, and

  • Real transactions never require you to share secret details,

you become much harder to trick.

Final Thoughts

The rise in UPI scams targeting SBI and HDFC Bank customers in early 2026 is real, but so are the tools to protect yourself. There is no single “magic date” or one-time alert that solves this. Instead, security comes from:

  • Knowing the facts (banks never ask for your PIN or OTP),

  • Following verified safety rules from the RBI and your bank, and

  • Acting quickly if something seems wrong.

Share this article with your family, especially older relatives who may be less familiar with digital banking. The more people know, the harder it becomes for scammers to succeed.

Remember: Your UPI PIN and OTP are yours alone. Never share them. Ever. When in doubt, hang up and call your bank directly using the number on your card or official website.

More Articles Click Here

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top