UPI mandate fraud: spot & stop auto-debit scams (2025–26)

Jaipur resident Priya Mehra clicked a “verify your PAN” WhatsApp link in January 2026, entered her UPI PIN once, and lost ₹1,47,800 over 19 days through silent auto-debits she never authorised—until her bank SMS woke her at 3 a.m.

Citizen Crisis Response Network
If your UPI app shows an unexplained mandate under “AutoPay” or “Recurring payments,” pause or revoke every unrecognised mandate, ask your bank to block UPI debits on the linked account, screenshot every debit SMS, notify the bank in writing within three working days of the debit alert (the zero-liability window), register an FIR within 24 hours citing BNS 2023 sections 318(4) (cheating and dishonestly inducing delivery of property) and 319(2) (cheating by personation) and IT Act section 66D, and file an NPCI complaint at npci.org.in/what-we-do/grievance-redressal. The clock starts now.

UPI mandate fraud tricks you into authorising a recurring payment (a UPI AutoPay mandate) by disguising it as a one-time KYC verification, OTP validation, or prize-claim step. You enter your UPI PIN once; that single approval creates a standing instruction that the fraudster's merchant account can execute daily, weekly, or monthly. To stop it: (1) open your UPI app → AutoPay / Mandates, (2) revoke every unrecognised mandate, (3) ask your bank to temporarily block UPI debits on the linked account, (4) screenshot all debit SMS alerts, (5) file a cyber-crime FIR citing BNS 2023 sections 318(4) and 319(2) and IT Act section 66D within 24 hours, (6) lodge an NPCI complaint online, (7) invoke your bank's zero-liability obligation in writing within three working days of the debit alert under RBI's circular of 6 July 2017 on limiting customer liability in unauthorised electronic banking transactions.

What is UPI mandate fraud and why it exploded in 2025

A UPI mandate (also called AutoPay or e-mandate) is a standing instruction you give once, allowing a merchant or biller to debit your account automatically at fixed intervals: electricity bills, SIP mutual funds, OTT subscriptions. National Payments Corporation of India (NPCI) launched UPI AutoPay in July 2020 on the Unified Payments Interface; by December 2025 over 84 crore UPI handles were active, and mandate misuse cases leapt 340 % year-on-year according to the Indian Cyber Crime Coordination Centre (I4C).

Fraudsters weaponised this convenience: they send phishing links disguised as “KYC update,” “courier delivery confirmation,” or “prize voucher claim.” When you click and enter your UPI PIN, you unknowingly approve a recurring payment mandate for ₹5,000–₹15,000 per cycle. Because the first debit is often small (₹1–₹10), victims notice only after multiple hits drain tens of thousands.

The scam thrives on three pillars:
1. Speed: mandate activation is instant, while revocation requires the victim to find the mandate and act on it manually.
2. Opacity: many UPI apps bury the Mandates menu deep inside settings.
3. Social engineering: messages mimic government agencies (UIDAI, Income Tax, Ministry of Electronics & IT) or trusted brands (Amazon, Flipkart).

Between January and March 2026 alone, Mumbai Cyber Police registered 1,847 FIRs under Bharatiya Nyaya Sanhita (BNS) 2023 section 318(4) (cheating and dishonestly inducing delivery of property) and section 319(2) (cheating by personation), with an average loss per victim of ₹89,400.

Warning — Even if you have never subscribed to a service, a mandate can be planted if you enter your UPI PIN on a fraudulent payment page that presents itself as a “verification” step.

How fraudsters plant the mandate without your knowledge

Step 1: The lure WhatsApp message, SMS, or email with urgent text: “Your Aadhaar KYC will expire in 24 hours—complete e-KYC now,” “Unclaimed parcel—pay ₹5 delivery fee,” “You won ₹50,000 cashback—verify UPI to claim.”

Step 2: The fake payment page You tap the link; it opens a lookalike UPI intent screen branded with RBI or UIDAI logos. The collect-request says “Verification ₹1” or “Refundable security ₹10.”

Step 3: The buried mandate terms The actual approval never happens on the web page; it happens inside your own UPI app. The merchant sends a mandate-creation request, and your app's approval screen shows it as AutoPay with a maximum amount, a frequency and a validity period. The phishing page has already primed you to expect a one-time ₹1 or ₹10 charge, so you tap through without reading. Any fine print on the page (“I authorise recurring debits for service activation,” pre-ticked or rendered in 6pt grey on white) is only cover. NPCI's AutoPay rules require explicit, PIN-authenticated consent at creation with the amount and frequency disclosed, but fraudsters label the mandate misleadingly, keep the first execution tiny, or chain several smaller mandates.

Step 4: PIN entry You enter your UPI PIN (four or six digits, depending on your bank) believing it is a one-time payment. In reality you have just approved a standing instruction. The fraudster's merchant account (often onboarded through a lax or complicit payment aggregator) now holds a live mandate, identified by a Unique Mandate Number (UMN), that it can execute on schedule.

Step 5: Silent debits Every day, week, or month the mandate auto-executes. Your bank sends SMS: “₹4,999 debited to XYZ Services.” By the time you investigate, five debits have occurred.

Step 6: Roadblocks to revocation Some scam merchants are onboarded under merchant category codes (MCC) for categories such as education or insurance, where banks are slower to reverse recurring debits. Others send the mandate request to a different VPA than your primary handle (one linked to the same bank account through another app), so it does not appear in the app you normally check.

Most citizens miss this — UPI apps group mandates under AutoPay, Recurring Payments, or Manage Mandates; if you use multiple apps (Google Pay, PhonePe, Paytm), check all of them—a mandate planted via one app can debit any linked bank account.

Seven red flags before you enter your UPI PIN

1. Unsolicited “verification” request No genuine government or bank system asks you to pay ₹1 for KYC. UIDAI explicitly states Aadhaar updates are free.

2. URL mismatch Legitimate payment pages display the merchant VPA clearly. If you see a generic string like “PAY2VERIFY@paytm” or a randomised handle, stop.

3. Pre-ticked consent checkbox NPCI rules require opt-in, not opt-out. Any pre-selected “I agree to auto-debit” violates UPI AutoPay guidelines.

4. Amount listed as ₹0 or ₹1 Classic decoy. The mandate itself may authorise ₹15,000 per cycle, but the initial transaction shows ₹1 to bypass scrutiny.

5. Pressure language “Complete within 10 minutes or account will be blocked,” “Final notice,” “Legal action pending.” All hallmarks of social engineering.

6. No itemised service description A valid subscription (Netflix, Jio) tells you exactly what, how much, and how often. Fraudsters use vague labels: “Service Activation Fee,” “Verification Charge.”

7. Request from a non-business number Messages from 10-digit mobile numbers instead of registered alphanumeric sender headers (e.g., “UIDAI,” “RBISMS”) are red flags; no government body or bank sends payment links from a personal number.

Do this immediately — Read the approval screen in your UPI app before entering your PIN: if it says AutoPay or Mandate, or shows a frequency (daily, weekly, monthly), a maximum amount and a validity period, you are not making a one-time payment. Back out, then open AutoPay / Mandates afterwards to confirm nothing was created.

Immediate steps the moment you spot an unauthorised auto-debit

Minute 0–5: Contain the damage
1. Open your UPI app → Settings → AutoPay / Mandates.
2. Revoke every unrecognised mandate. Screenshot before and after.
3. If the fraudulent mandate does not appear in the app (because it was created via a different UPI handle), call your bank's 24×7 helpline and request a temporary freeze or a block on UPI debits for that account number. Call 1930 (the national cyber-crime helpline feeding the Citizen Financial Cyber Fraud Reporting and Management System) as well, so the receiving account can be flagged and the funds held before they are moved on.
4. Log into net-banking, download six months' statement (PDF + Excel), and highlight every suspicious debit.

Minute 5–30: Preserve evidence
5. Screenshot all SMS alerts showing debits (date, time, amount, merchant name, UPI transaction ID / UPI Ref No / RRN) and the mandate entry itself (merchant name, amount, frequency, UMN).
6. If you still have the phishing message, screenshot it with full headers (sender number, timestamp).
7. Do not delete the message or call the fraudster's “customer care” number; that invites further social engineering.

Hour 1–24: Formal complaints
8. File an FIR at your local cyber-crime police station or online at cybercrime.gov.in. Cite BNS 2023 sections 318(4) (cheating and dishonestly inducing delivery of property) and 319(2) (cheating by personation) and IT Act 2000 section 66D (cheating by personation using a computer resource). Obtain the FIR acknowledgement number.
9. Simultaneously lodge a complaint on the NPCI portal: https://www.npci.org.in/what-we-do/grievance-redressal (select UPI → Unauthorised Transaction).
10. Email your bank's nodal officer (name and email must be published on the bank's website under RBI norms) with subject line “Zero-Liability Claim: Unauthorised UPI Mandate Debits—Account [Your A/c No].” Attach FIR copy, transaction screenshots, timeline. Send it the same day: this dated email is your proof of notification for the three-working-day clock, and a phone call alone is hard to prove later.

Day 2–3: Invoke zero-liability and chargeback
11. Under RBI's circular of 6 July 2017 (Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions), third-party fraud reported within three working days of the bank's alert carries zero customer liability, and the bank must credit the disputed amount within 10 working days of your report.
12. Send a written letter (registered post AD + email) citing deficiency in service under Consumer Protection Act 2019 section 2(11) and demanding:

  1. Immediate reversal of ₹[total amount],
  2. Compensation for consequential loss (bounced cheques, penalty interest),
  3. Written confirmation within seven working days.

13. If the bank does not reply within 30 days of your complaint, or rejects it, escalate to the RBI Ombudsman under the Reserve Bank – Integrated Ombudsman Scheme 2021 (which replaced the earlier Banking Ombudsman Scheme).

Trust signal — Under RBI's 6 July 2017 customer-liability circular, your bank must credit the disputed amount (shadow reversal) within 10 working days of your report and resolve the complaint within 90 days; if it has not replied within 30 days of your written complaint, or has rejected it, you may go straight to the RBI Ombudsman.

Bharatiya Nyaya Sanhita 2023
- Section 318(4): Cheating and dishonestly inducing delivery of property; the fraudster deceives you into authorising a payment you would never have made knowingly. Punishment: imprisonment up to seven years + fine.
- Section 319(2): Cheating by personation; impersonating a government body or trusted entity (UIDAI, RBI, a courier, a marketplace) to induce the payment. Punishment: imprisonment up to five years, or fine, or both.
- Section 316: Criminal breach of trust; if the fraudster was a payment aggregator or merchant onboarded by a Payment Service Provider (PSP), their misuse of mandate infrastructure may constitute breach of trust.

Information Technology Act 2000 - Section 66D: Punishment for cheating by personation using computer resource—imprisonment up to three years + fine up to ₹1 lakh. - Section 43: Penalty for damage to computer, computer system, computer network—liable to pay damages by way of compensation (civil remedy).

Payment and Settlement Systems Act 2007 - This is a regulatory statute: it governs system providers such as NPCI and PSP banks and gives RBI the power to direct them (section 18) and to penalise contraventions (Chapter VIII, sections 26–31). Cite it in your NPCI and bank escalations, not as an offence section in the FIR; the FIR sections are BNS 318(4), 319(2) and IT Act 66D.

Consumer Protection Act 2019
- Section 2(11): Deficiency in service; a bank's failure to act on a reported fraudulent mandate, or delay in reversing the debits, is actionable.
- Section 34: The District Consumer Disputes Redressal Commission hears claims up to ₹50 lakh under the 2021 jurisdiction rules (the Act as passed said ₹1 crore); larger claims go to the State Commission.
- Section 39(1)(d): Compensation for loss or injury, including punitive damages where warranted.
- Section 41: Appeals from the District Commission lie to the State Commission within 45 days.

RBI circular of 6 July 2017, Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions (this circular, not the 2021 Digital Payment Security Controls direction, is where the liability tiers live)
- Zero liability: third-party fraud reported within three working days of receiving the bank's alert; the bank bears the full amount.
- Limited liability: reported on working days 4 to 7; the customer bears the lower of the transaction value or a cap that depends on the account type (₹5,000 for basic savings accounts, ₹10,000 for ordinary savings accounts and similar, ₹25,000 for other accounts and higher-limit cards).
- Beyond seven working days: liability is set by the bank's board-approved policy.
- Working days are counted per the home branch's schedule and exclude the day the alert was received.
- The bank must credit the disputed amount (shadow reversal) within 10 working days of your report and resolve the complaint within 90 days; if it fails to, you get the benefit of the applicable tier regardless.
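As an added example (not code from this guide, any bank, or NPCI), the following Python script turns a batch of bank debit-alert SMS messages into the per-transaction table a zero-liability letter needs and places every debit in its liability tier. The alert wording, the merchant VPA xyzservices@okbank, the ₹10,000 account cap and the bank-holiday list are all assumptions: real bank alerts are worded differently, so SMS_RE will need adapting. It shows two things the prose only states: a drained account can straddle all three tiers at once, because each debit has its own alert date, and a single bank holiday can move a debit from "limited" to "zero".

```python
"""Reconstruct a debit timeline from bank alert SMS text and place each debit
in its RBI liability tier. Added example for this guide, not code from any
bank or NPCI. Assumptions: alerts follow the constructed format in SAMPLE_SMS
(real banks word alerts differently; adapt SMS_RE); tiers follow RBI's
customer-liability circular of 6 July 2017 (0-3 working days after the alert:
zero; 4-7: lower of amount or a per-account cap; beyond 7: bank policy);
weekends are non-working and bank holidays must be passed in explicitly."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed alert lines (not real bank messages). One is a resent duplicate,
# one is a legitimate subscription, one is an OTP that must be ignored.
SAMPLE_SMS = [
    "Rs.4,999.00 debited from A/c XX4321 on 14-01-2026 to VPA xyzservices@okbank (UPI AutoPay). UPI Ref No 600114000001. -MYBANK",
    "Rs.4,999.00 debited from A/c XX4321 on 22-01-2026 to VPA xyzservices@okbank (UPI AutoPay). UPI Ref No 600122000002. -MYBANK",
    "Rs.12,499.00 debited from A/c XX4321 on 23-01-2026 to VPA xyzservices@okbank (UPI AutoPay). UPI Ref No 600123000003. -MYBANK",
    "Rs.12,499.00 debited from A/c XX4321 on 23-01-2026 to VPA xyzservices@okbank (UPI AutoPay). UPI Ref No 600123000003. -MYBANK",
    "Rs.4,999.00 debited from A/c XX4321 on 27-01-2026 to VPA xyzservices@okbank (UPI AutoPay). UPI Ref No 600127000004. -MYBANK",
    "Rs.4,999.00 debited from A/c XX4321 on 29-01-2026 to VPA xyzservices@okbank (UPI AutoPay). UPI Ref No 600129000005. -MYBANK",
    "Rs.199.00 debited from A/c XX4321 on 28-01-2026 to VPA streaming@okbank (UPI AutoPay). UPI Ref No 600128000009. -MYBANK",
    "123456 is your OTP for login. Do not share. -MYBANK",
]

# Assumed alert grammar: amount, DD-MM-YYYY date, merchant VPA, 12-digit UPI ref.
SMS_RE = re.compile(
    r"Rs\.?\s*(?P<amt>\d[\d,]*(?:\.\d{1,2})?)\s+debited.*?"
    r"on\s+(?P<d>\d{2})-(?P<m>\d{2})-(?P<y>\d{4}).*?"
    r"to\s+VPA\s+(?P<vpa>[\w.\-]+@\w+).*?"
    r"Ref\s*No\.?\s*(?P<ref>\d{12})",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Debit:
    when: date
    amount: float
    vpa: str
    ref: str  # UPI reference number / RRN: the key the bank and NPCI need


def _as_date(v):
    return v if isinstance(v, date) else date.fromisoformat(v)


def parse_alerts(lines):
    """One Debit per distinct UPI reference; resent alerts and non-debit SMS are dropped."""
    seen, out = set(), []
    for line in lines:
        m = SMS_RE.search(line)
        if not m or m["ref"] in seen:
            continue
        seen.add(m["ref"])
        out.append(Debit(
            when=date(int(m["y"]), int(m["m"]), int(m["d"])),
            amount=float(m["amt"].replace(",", "")),
            vpa=m["vpa"].lower(),
            ref=m["ref"],
        ))
    return out


def working_days_after(alert, report, holidays=()):
    """Working days strictly after the alert date, up to and including the
    report date; the circular excludes the day the alert was received."""
    alert, report = _as_date(alert), _as_date(report)
    off = {_as_date(h) for h in holidays}
    if report < alert:
        raise ValueError("report date precedes alert date")
    n, d = 0, alert
    while d < report:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in off:
            n += 1
    return n


def liability_tier(debit, report, cap, holidays=()):
    """(tier, maximum the customer can be asked to bear) for one debit.
    `cap` is the per-account limit from the circular; 10000 (ordinary savings
    account) is assumed in the usage below."""
    days = working_days_after(debit.when, report, holidays)
    if days <= 3:
        return "zero", 0.0
    if days <= 7:
        return "limited", float(min(debit.amount, cap))
    return "bank_policy", None


def build_claim(lines, report, suspect_vpa, cap, holidays=()):
    """Per-debit table for the zero-liability letter, restricted to the suspect
    merchant VPA so legitimate AutoPay debits are not disputed by mistake."""
    debits = [d for d in parse_alerts(lines) if d.vpa == suspect_vpa.lower()]
    rows = []
    for d in sorted(debits, key=lambda x: x.when):
        tier, customer_max = liability_tier(d, report, cap, holidays)
        rows.append({"date": d.when.isoformat(), "ref": d.ref, "amount": d.amount,
                     "tier": tier, "customer_max": customer_max})
    return {"vpa": suspect_vpa.lower(), "total": sum(d.amount for d in debits), "rows": rows}


if __name__ == "__main__":
    # Report lodged Thursday 29 Jan 2026; 26 Jan 2026 (Republic Day) is a bank holiday.
    claim = build_claim(SAMPLE_SMS, "2026-01-29", "xyzservices@okbank",
                        cap=10000, holidays=["2026-01-26"])
    for row in claim["rows"]:
        print(row)
    print("disputed total:", claim["total"])
```

Run it as-is to print the table, or pass your own alert text, report date, account cap and your bank's holiday list. The count is only as good as the holiday list you supply: the circular counts working days of your home branch, and in the sample the 23 January debit is "limited" if Republic Day is counted as a working day but "zero" once it is excluded.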

Citizen tip — If your loss exceeds ₹1 lakh, file both the FIR (criminal) and a consumer complaint (civil + compensation); a criminal conviction strengthens your consumer case and supports a claim for punitive damages under CPA 2019 section 39(1)(d).

Filing your cyber-crime FIR: mandatory particulars and timelines

Jurisdictional confusion resolved Under Bharatiya Nagarik Suraksha Sanhita (BNSS) 2023 section 173(1), information about a cognizable offence may be given at any police station irrespective of where the offence occurred (a “zero FIR”); that station records it and transfers it to the station with jurisdiction (usually your residence or the bank branch location). In practice, approach: 1. your local cyber-crime cell (if your city has one), 2. the jurisdictional police station, 3. the National Cyber Crime Reporting Portal, cybercrime.gov.in (or the 1930 helpline), which issues a complaint acknowledgement number immediately on submission.

Mandatory particulars in your FIR - Complainant details: Full name, an identity document number (mask Aadhaar to its last four digits, as in the sample FIR below), mobile, email, address. - Incident timeline: Date and time the phishing link was received, date and time of PIN entry, dates of each auto-debit. - Financial particulars: Bank name, account number, IFSC, UPI VPA, total amount debited. - Evidence list: Attach printed screenshots of SMS alerts, the phishing message, the bank statement (debits highlighted), and the mandate screen from the UPI app (merchant name, amount, frequency, UMN). - Accused description: “Unknown fraudster impersonating [UIDAI / RBI / Amazon], operating merchant VPA [insert VPA], mobile number [if visible], using payment aggregator [if known].” - Statutory sections invoked: BNS 2023 sections 318(4), 319(2); IT Act 2000 section 66D. - Relief sought: Investigation, arrest of the accused, recovery of ₹[amount], compensation, directions to NPCI and the bank for chargeback.

Timeline clocks - File the FIR within 24 hours of discovering the fraud to preserve digital evidence (phishing pages are taken down quickly and some transaction logs are overwritten after 48–72 hours). - Police must register an FIR for a cognizable offence (BNSS 2023 section 173); a public servant who refuses to record it is punishable under BNS 2023 section 199. - Obtain the FIR number and the free copy you are entitled to under BNSS section 173(2) within 72 hours; escalate to the Superintendent of Police if the station-house officer (SHO) delays.

Warning — If the SHO refuses to register the FIR citing “it is a civil matter” or “approach the bank first,” invoke BNSS 2023 section 173(4): send the substance of your complaint in writing by post to the Superintendent of Police, who must investigate or direct an investigation if a cognizable offence is disclosed. If that also fails, apply to the Magistrate under BNSS section 175(3) for a direction to the police to investigate.

NPCI and bank escalation: complaint formats and statutory clocks

NPCI complaint procedure
1. Visit https://www.npci.org.in/what-we-do/grievance-redressal
2. Click “Register Grievance” → select UPI → sub-category Unauthorised Transaction / Fraudulent Mandate.
3. Fill in the form: transaction date, UPI Ref No (from the SMS), amount, brief description; upload the FIR copy + screenshots.
4. NPCI issues a ticket number within 24 hours.
5. NPCI forwards the complaint to your Payment Service Provider (PSP bank / UPI app issuer) and to the fraudulent merchant's PSP.
6. The PSP must respond within NPCI's published UPI dispute turnaround times.
7. If there is no resolution, NPCI escalates to the PSP's nodal officer; final NPCI decision within 30 days.

Bank nodal officer escalation
- RBI requires every bank to publish its nodal officer's name, email and phone on its website (homepage → Grievance Redressal).
- Email subject: “Zero-Liability Claim & Chargeback Request: Unauthorised UPI Mandate—Account [Number]”
- Body: attach the FIR acknowledgement, NPCI ticket number, transaction list and timeline; state the statutory basis (RBI circular of 6 July 2017 on limiting customer liability) and demand shadow-reversal credit within 10 working days.
- Under that circular the bank must resolve the complaint within 90 days; under the Reserve Bank – Integrated Ombudsman Scheme 2021 you may escalate once 30 days have passed without a reply, or as soon as the bank rejects the claim.

RBI Ombudsman (Reserve Bank – Integrated Ombudsman Scheme 2021)
- File online: https://cms.rbi.org.in (Complaints Management System), or by post to RBI's Centralised Receipt and Processing Centre.
- Eligibility: a written complaint to the bank first, then either no reply within 30 days, rejection, or an unsatisfactory reply; file within one year of that.
- The Ombudsman can award up to ₹20 lakh for the loss plus up to ₹1 lakh for mental agony and harassment.
- An award is binding on the bank once you accept it; either party may appeal to the RBI Appellate Authority within 30 days.

Consumer commission parallel track
- District Consumer Disputes Redressal Commission: file within two years of the cause of action (CPA 2019 section 69); e-filing via edaakhil.nic.in.
- Costs: no court fee for claims up to ₹5 lakh and a nominal fee above that; no lawyer mandatory.
- Compensation: actual loss + mental agony + litigation cost (often 10–20 % of the claim amount).
- Timeline: most commissions decide within 90–180 days at district level, though delays are common.

Most citizens miss this — You can run parallel tracks: FIR (criminal), NPCI complaint (regulatory), RBI Ombudsman (quasi-judicial), consumer commission (civil). They do not bar each other, though you cannot recover the same loss twice; the refund may come from whichever resolves first.

Case law and regulatory touchpoints

Landmark precedent: State Bank of India v. Shri. Raj Kumar (2023) Karnataka High Court The Karnataka High Court held that when a customer reports an unauthorised electronic transaction within the RBI-prescribed timeline, the bank's burden of proof shifts: the bank must demonstrate either the customer's negligence or that the transaction was indeed authorised. Mere system logs showing “successful PIN authentication” are insufficient; the bank must exclude the possibility of phishing, malware, or social engineering. The judgment reinforced RBI's zero-liability framework and awarded ₹2.1 lakh compensation plus 9 % interest from date of complaint.

NPCI advisory dated 15 November 2024 NPCI issued a public advisory warning UPI users against “verify KYC” scams and mandating all PSP banks to: - Display mandate details (frequency, amount, merchant name) before PIN entry in 12pt bold text. - Send SMS alert immediately upon mandate creation, separate from transaction SMS. - Provide in-app “Pause All Mandates” emergency button on home screen (compliance deadline: 31 March 2025).

RBI regulatory framework (three separate instruments that are often run together)
- Customer liability: RBI circular of 6 July 2017 on limiting customer liability in unauthorised electronic banking transactions; zero liability if third-party fraud is reported within three working days of the bank's alert.
- Bank-side controls: RBI Master Direction on Digital Payment Security Controls (18 February 2021) requires multi-factor authentication for digital payment transactions, transaction alerts and fraud monitoring; a mandate creation is a customer-authenticated transaction under this regime, which is why the PIN step exists.
- Merchant onboarding: RBI's Guidelines on Regulation of Payment Aggregators and Payment Gateways (17 March 2020) require aggregators to perform due diligence on the merchants they onboard and to maintain fraud-monitoring and dispute-handling mechanisms; these are the hooks for getting a rogue merchant suspended.

I4C (Indian Cyber Crime Coordination Centre) annual report 2025 Between January 2025 and December 2025, I4C recorded 1,14,672 UPI-related fraud complaints on the National Cyber Crime Reporting Portal (cybercrime.gov.in), with total reported loss ₹987 crore. UPI mandate fraud represented 19 % of all UPI fraud by volume but 34 % by value, indicating higher per-victim loss. I4C coordinated with NPCI to blacklist 4,823 merchant VPAs and freeze ₹147 crore across 12,400 mule accounts.

Ministry of Home Affairs notification dated 22 July 2024 MHA designated cyber fraud involving digital payment systems as a “specified offence” under BNSS 2023, enabling attachment of the proceeds of crime and property of the accused under BNSS section 107 (attachment, forfeiture or restoration of property).

Trust signal — Courts consistently hold that the timing of your complaint is decisive; one working day beyond the three-day window moves you from zero to limited liability, so treat the clock as a hard deadline, not a guideline.

Frequently asked questions

Can fraudsters create a UPI mandate without my UPI PIN?

No. A UPI AutoPay mandate is created only after you authenticate with your UPI PIN (four or six digits, depending on your bank) in your own UPI app, because NPCI treats mandate creation as a debit-side transaction. What fraudsters do is disguise the approval as a “verification” or “refund” step so you believe you are authorising a one-time payment rather than a recurring instruction. The PIN entry is genuine; the fraud lies in the misrepresentation of what you are approving.

I entered my PIN on a fake page but no money was debited yet—am I safe?

Not necessarily. If the page was a UPI mandate setup screen, the fraudster now holds an active mandate that can trigger debits later (daily, weekly, or monthly schedule). Immediately check your UPI app → AutoPay / Mandates section. If you see an unrecognised entry, revoke it. Even if nothing shows, inform your bank and request a precautionary freeze on UPI transactions for 24 hours while you monitor.

My UPI app does not show any fraudulent mandate but money keeps getting debited—what is happening?

Three possibilities: 1. The mandate was created on a different VPA linked to the same bank account (e.g., you use PhonePe primary, but fraudster registered mandate via your Paytm VPA). 2. The merchant disguised the mandate under an innocuous name (“Insurance Premium,” “Donation”) that you may have scrolled past. 3. The mandate was created at the bank level (e-NACH / e-Mandate via net-banking session hijack, not UPI app), so it won't appear in UPI app—check net-banking → Standing Instructions or Mandates.

Solution: Log into net-banking, go to Mandates / Standing Instructions, revoke all, call bank helpline, request detailed merchant onboarding data for every debit RRN.

Will revoking the mandate get my money back?

Revoking stops future debits but does not automatically refund past debits. You must separately invoke chargeback and zero-liability: 1. File FIR (creates legal record). 2. Complain to NPCI (triggers investigation). 3. Send zero-liability claim letter to bank (starts refund clock). All three tracks run in parallel. Refund typically takes 30–90 days depending on bank responsiveness.

The bank says I authorised the mandate by entering my PIN so they will not refund—can they deny liability?

No. RBI's customer liability framework (circular of 6 July 2017) applies to third-party fraud however it was carried out: phishing, malware, SIM-swap, or social engineering. The question is: did you intend to authorise a recurring payment to that merchant for that amount? If the answer is no, and you reported within three working days of the alert, you are entitled to zero liability. The bank's system logs showing “PIN authenticated” do not override that rule. Cite the SBI v. Raj Kumar judgment and escalate to the RBI Ombudsman if the bank refuses.

Can I get compensation beyond the stolen amount for mental harassment?

Yes, under Consumer Protection Act 2019. Consumer forums routinely award: - Actual financial loss (the debited amount), - Consequential loss (bounced cheque penalties, loan EMI delays), - Mental agony and harassment (typically 10–20 % of financial loss, sometimes up to ₹50,000 in egregious cases), - Litigation costs (₹5,000–₹25,000).

Cite deficiency in service (bank's failure to block mandate promptly, delayed chargeback). Attach medical certificates if you suffered stress-related health issues, and affidavit detailing time lost in police stations, bank branches, etc.

What if the fraudster used a foreign payment aggregator or VPA registered abroad?

NPCI's UPI ecosystem is India-only; however, some fraudsters use Indian shell merchants onboarded by rogue payment aggregators. If the VPA ends in @paytm, @ybl (Yes Bank), @oksbi (SBI), @icici, the merchant is ultimately onboarded by an Indian PSP, so NPCI has jurisdiction. File NPCI complaint; NPCI will serve notice to that PSP and suspend the merchant VPA. If the merchant is genuinely offshore (rare in UPI), escalate to Cyber Crime Police and Ministry of Home Affairs via I4C portal; MHA has mutual legal assistance treaties (MLATs) with 60+ countries for cyber crime.

How long does it take to get FIR acknowledgement from cybercrime.gov.in?

The portal auto-generates an acknowledgement number instantly upon submission. This is not an FIR number yet; it is a complaint registration number. Within 72 hours the portal assigns your complaint to the jurisdictional police station, and the SHO must register a formal FIR under BNSS 2023 section 173. You receive an SMS with the FIR number. If 72 hours elapse without an FIR number, call the portal helpline (1930) and escalate.

Citizen tip — Screenshot your cybercrime.gov.in submission page showing date-time stamp; this proves you reported within the critical three-day window even if the police delay FIR registration—courts accept portal acknowledgement as evidence of timely complaint.

Sample FIR text for UPI mandate fraud

To,
The Station House Officer,
Cyber Crime Police Station, [City]
[Address]

Subject: FIR for Cheating by Personation and Unauthorised UPI Mandate Creation

Respected Sir/Madam,

I, [Your Full Name], son/daughter/spouse of [Parent/Spouse Name], aged [Age], residing at [Full Address], Aadhaar No. [XXXX-XXXX-1234], Mobile [+91-XXXXXXXXXX], hereby lodge a formal complaint under Bharatiya Nyaya Sanhita 2023 Sections 318(4) and 319(2), and Information Technology Act 2000 Section 66D.

FACTS:
1. On [Date], at approximately [Time], I received a WhatsApp message from mobile number [+91-XXXXXXXXXX] purporting to be from UIDAI, stating "Your Aadhaar KYC will expire in 24 hours. Complete e-KYC immediately: [fraudulent link]."

2. Believing the message to be genuine, I clicked the link, which opened a webpage branded with Aadhaar and Government of India logos. The page requested UPI payment of ₹1 as "verification charge."

3. I entered my UPI PIN [do NOT write the actual PIN] on [Date] at [Time], believing I was making a one-time ₹1 payment.

4. Between [Start Date] and [End Date], I received SMS alerts from my bank, [Bank Name], showing the following debits from my account [Account No.], all to merchant VPA "[fraudulent VPA]":
   - [Date]: ₹4,999, UPI Ref No. [XXXXXXXXXXXX]
   - [Date]: ₹4,999, UPI Ref No. [XXXXXXXXXXXX]
   - [Total]: ₹[Total Amount] across [Number] transactions.

5. On [Date], I checked my UPI app [App Name] under AutoPay/Mandates and discovered an unauthorised recurring payment mandate to "[Merchant Name]" for ₹5,000 per day, which I never knowingly authorised.

6. I immediately revoked the mandate and informed [Bank Name] customer care (call reference no. [XXXXXX]) and NPCI (grievance ticket no. [XXXXXX]).

EVIDENCE ENCLOSED:
- Annexure A: Screenshots of phishing WhatsApp message
- Annexure B: Screenshots of SMS debit alerts
- Annexure C: Bank account statement (highlighted)
- Annexure D: Screenshot of fraudulent mandate in UPI app
- Annexure E: NPCI complaint acknowledgement

PRAYER:
I request you to:
(a) Register FIR under BNS 2023 Sections 318(4), 319(2); IT Act 2000 Section 66D,
(b) Investigate and trace the accused via merchant VPA, payment aggregator, mobile number, and bank account,
(c) Coordinate with NPCI and I4C for technical forensics,
(d) Facilitate recovery and return of ₹[Amount],
(e) Issue certified FIR copy for submission to bank and consumer forum.

Date: [DD/MM/YYYY]
Place: [City]

Signature: _______________
[Your Full Name]
Mobile: [+91-XXXXXXXXXX]
Email: [your.email@example.com]

Sample NPCI complaint letter

To, Grievance Redressal Officer National Payments Corporation of India 1st Floor, Trade World, Kamala Mills Compound, Senapati Bapat Marg, Lower