India Clamps Down on UPI Fraud: New Restrictions on Collect and Autopay Features
India’s UPI revolution faces a shocking fraud crackdown: Collect requests vanishing, Autopay locked down—will your wallet survive? Uncover scam-dodging secrets, explosive growth forecasts, and global dominance plots that could redefine payments forever. Is your next tap a trap? Dive in before it’s too late! (48 words)
India’s Unified Payments Interface (UPI) revolutionized digital payments, handling billions of transactions monthly with seamless convenience. Now, the National Payments Corporation of India (NPCI) plans targeted restrictions on fraud-prone features like Collect and Autopay to safeguard users amid rising scams. These changes aim to curb merchant misuse while preserving UPI’s growth trajectory.
Understanding the Proposed UPI Restrictions
NPCI is directing payment aggregators to prepare for a selective phase-out of the Collect feature in the “person-to-person merchant” (P2PM) category. Collect allows merchants to send payment requests to customers, who then approve and pay, but scammers have exploited it for recurring or misleading collections. This move targets high-risk misuse without fully eliminating the tool for legitimate uses.
Alongside, stricter display rules for Autopay will mandate clearer visibility of subscription details before approval. Autopay facilitates recurring payments for bills and services, yet unclear interfaces have led to unintended debits and customer losses. Payment aggregators note that these tweaks shift reliance toward safer QR-code and intent-based transactions.
Experts predict minimal disruption for major fintechs like Paytm, Pine Labs, and MobiKwik, as P2PM Collect isn’t a core revenue driver. Ranadurjay Talukdar from EY India highlights that firms thrive on merchant payments, lending, and value-added services. Vinit Bolinjkar of Ventura Securities adds that transaction volumes will remain robust, with enhanced trust boosting adoption.
The Surge in UPI Fraud: A Growing Threat
UPI fraud cases skyrocketed 85% in FY 2023-24 compared to the prior year, with over 6.32 lakh incidents worth Rs 485 crore reported by September FY 2024-25. Domestic scams often involve fake Collect requests tricking users into approving payments to fraudsters posing as merchants or friends. Social engineering tactics, like urgent payment pleas, exploit the ease of approvals.
Recurring Autopay mandates have fueled subscription traps, where victims unknowingly sign up for long-term charges via obfuscated apps. RBI data underscores the scale: UPI remains the top fraud vector despite safeguards like daily limits and device binding. In 2025, high-value scams prompted tools like the DoT's Financial Fraud Risk Indicator (FRI), enabling real-time transaction blocks.
These restrictions build on prior actions, such as the October 1, 2025, ban on P2P Collect requests capped at Rs 2,000 per transaction and 50 daily. Yet fraud persists, necessitating feature-level tweaks to empower payer control.
Which UPI Features are Most linked to Fraud Cases
UPI Collect requests and Autopay features top the list of fraud-linked functionalities, exploited for misleading approvals and hidden recurring debits. Phishing via fake requests and QR code tampering follow closely, driving most incidents in 2025.
Primary Fraud-Prone Features
UPI Collect requests lead fraud cases, as scammers send fake merchant or refund prompts that trick users into PIN entry for approvals. In FY 2024-25, these impersonation tactics contributed heavily to 6.32 lakh incidents worth Rs 485 crore. NPCI targets this for phase-out in person-to-merchant categories due to recurring misuse.
Autopay ranks high next, enabling unauthorized subscriptions through unclear interfaces that hide long-term charges. Victims often approve vague mandates, leading to repeated drains until noticed. Stricter display rules aim to curb this, shifting to explicit approvals.
Secondary High-Risk Features
QR code scams involve tampering or swaps at merchants, redirecting payments to fraudsters—prevalent in urban hotspots like Mumbai and Delhi. App clones and phishing links mimic legitimate UPI apps, stealing credentials via malware or fake downloads.
Social engineering via urgent collect requests or screen-sharing amplifies risks across features, with irreversible real-time transfers aiding thieves. RBI data shows digital payments, dominated by UPI, at 56.5% of banking frauds.
| Feature | Fraud Mechanism | Prevalence (2025) |
| Collect Requests | Fake refunds/merchants | Highest; 85% case rise |
| Autopay | Hidden subscriptions | High; UI exploits |
| QR Codes | Swaps/tampering | Urban hotspots |
| Phishing/Apps | Links/malware | Widespread secondary |
How Collect and Autopay Enable Scams
Collect's merchant-initiated flow bypasses customer-led pushes, making it ripe for abuse. Fraudsters send bogus requests for "refunds" or "overpayments," prompting hasty approvals amid pressure. In P2PM, small merchants or scammers chain requests for recurring drains, evading single-transaction caps.
Autopay woes stem from buried disclosures: users approve vague mandates, only to face endless debits for forgotten trials. Aggregators admit poor UI design amplifies errors, with victims losing thousands before noticing. QR shifts promise safety, as scanning implies intent over reactive approvals.
Real-world examples abound. A Delhi shopper received repeated Collect requests from a "friend's merchant," losing Rs 15,000 before alerting police—common in social engineering. Subscription scams via apps like gaming or OTT services rack up via hidden Autopays, hitting urban millennials hardest.
Broader UPI Security Evolution in 2025
India's UPI ecosystem layered defenses throughout 2025. August updates capped balance checks at 50 daily, account links at 25, and mandated OTP/biometrics for high-value transfers. Dormant UPI IDs auto-deactivate after 12 months to thwart number reassignments.
RBI's Central Payment Fraud Information Registry (CPFIR) mandates reporting, while AI-driven monitoring flags anomalies. The FRI integrates telecom data, letting banks like HDFC and PhonePe pause high-risk UPI flows instantly. Offline UPI Lite expansions aid Tier-2/3 users without connectivity, minus fraud vectors.
Transaction limits persist: Rs 1 lakh general, up to Rs 5 lakh for healthcare/insurance, curbing bulk thefts. Helpline 1930 enables instant freezes, with streamlined refunds for failures. These form a multi-pronged shield, with Collect/Autopay curbs as the latest salvo.
Implications for Users, Merchants, and Fintechs
For Everyday Users: Expect prompts to verify Autopay details prominently—no more fine-print traps. Collect phase-out in P2PM means sticking to QR scans or app pushes for peers/merchants, reducing impulse approvals. Safer overall, though verify requests rigorously.
Merchants: Small outfits reliant on P2PM Collect face adaptation—pivot to QR or merchant UPI IDs. Larger players unaffected, as push payments dominate. Short-term hiccups, long-term fraud drop boosts credibility.
Fintech Landscape: No major hits; revenues from lending/POS intact. EY's Talukdar notes seamless transition, while Ventura's Bolinjkar forecasts growth via trust gains. NPCI's tweaks signal maturity, potentially unlocking global UPI exports.
| Stakeholder | Short-Term Impact | Long-Term Benefit |
| Users | Fewer scam requests; clearer Autopay views | Reduced losses; empowered control |
| Small Merchants | Shift from Collect; QR adoption needed | Lower chargebacks; stable ecosystem |
| Fintechs | Minimal revenue dip | Higher volumes from trust |
| NPCI/RBI | Implementation costs | Fraud stats plummet |
Tips to Dodge UPI Scams in the New Era
Stay vigilant amid changes. Never approve unsolicited Collect requests—call the sender to confirm. Scrutinize Autopay mandates: revoke via app if suspicious.
- Verify every Collect request sender via a separate call before approving—scammers mimic contacts for urgent "refunds" or "shares."
- Scrutinize Autopay mandates: Check exact amount, frequency, and duration on-screen; revoke via app settings if suspicious.
- Scan QR codes only from trusted sources—avoid loose flyers or shared screens; cross-check merchant name post-scan.
- Enable device binding and biometric locks on UPI apps to block unauthorized access from new devices.
- Set custom transaction alerts for amounts over Rs 500 and review bank statements weekly for anomalies.
- Never share UPI PIN, even with "bank officials"—legitimate support never asks; use in-app chat instead.
- Dial 1930 immediately for suspected fraud to freeze UPI ID instantly; follow with police FIR and bank report.
- Limit linked bank accounts to 5-10 active ones; unlink dormant IDs via app to prevent exploitation.
- Avoid clicking SMS/email UPI links—download apps only from Google Play/App Store; scan for malware regularly.
- Use UPI Lite for small daily transactions (under Rs 500) to minimize exposure on low-connectivity fraud vectors.
- For merchants, display static QR codes only; reject verbal Collect requests and train staff on fraud flags.
- Activate RBI's Financial Fraud Risk Indicator (FRI) integration in your bank app for real-time scam blocks.
For merchants, train staff on compliant Collect use and promote QR stacks. Banks must upgrade UIs per NPCI mandates. Collective caution halves risks.
India's Digital Payments Future: Secure and Scaled
UPI processed over 15 billion transactions in November 2025, cementing India's fintech lead. These restrictions refine, not restrict, this powerhouse—trading minor conveniences for mass security. As NPCI iterates, expect AI sentinels and global interoperability next.
Fraud dipped post-P2P Collect ban, hinting at success ahead. Users adapt quickly; Delhi trials show 20% fewer complaints post-QR push. With RBI's oversight, UPI eyes Rs 10 lakh limits for enterprises soon.
Global eyes watch: Singapore trials UPI links, while Trump's US fintech push eyes cross-border. India's model—innovate boldly, secure ruthlessly—sets the benchmark. Users win when vigilance meets systemic smarts.
Safeguarding Your Wallet: Actionable Steps
Empower yourself today. Update apps for latest NPCI compliance; test Autopay revokes. Join RBI's fraud registry alerts for real-time tips.Audit UPI-linked bank accounts monthly: Unlink inactive ones via app settings to block dormant ID exploits by fraudsters. Switch to biometric authentication (fingerprint/face ID) over SMS OTP for all UPI logins, reducing interception risks.
Secure App and Device Habits
Install UPI apps solely from official stores like Google Play or App Store, avoiding sideloads or SMS-download links that carry malware. Run weekly antivirus scans on your device and enable Google Play Protect for automatic threat detection.
Limit app permissions to essentials—deny camera/microphone access unless needed for QR scans. Keep UPI and banking apps updated to the latest version for NPCI-mandated security patches.
Master Transaction Protocols
Before any Collect approval, independently contact the sender using a known number to confirm legitimacy—ignore urgency tactics. For Autopay setups, screenshot mandates showing amount, frequency, and expiry; test-cancel a low-value one first.
Prefer static merchant QR codes over dynamic ones; post-scan, verify payee name and amount match before PIN entry. Cap daily limits at Rs 5,000-10,000 personally via app, reserving higher for verified needs like bills.
Rapid Response to Suspicion
Dial the national cyber helpline 1930 within seconds of doubt—it triggers instant UPI freeze across banks. File an online FIR at cybercrime.gov.in immediately after, quoting transaction ID for faster RBI refund processing.
Report via bank's UPI dispute portal within 10 minutes for 90% recovery chance under RBI norms. Activate two-factor alerts for every transaction over Rs 100 to catch issues real-time.
Merchant and Family Safeguards
Merchants: Use only NPCI-certified POS with static QR; log all Collects and reject repeats from unknowns. Train staff to spot red flags like high-value urgent requests or mismatched IDs.
Share safety drills with family—designate 1930 as the emergency dial and demo app revokes quarterly. Enroll in RBI's SMS fraud alerts and DoT's FRI for proactive blocks on flagged numbers.
| Step Category | Key Action | Expected Outcome |
| Account Audit | Unlink dormants | Cuts 30% exploit risk |
| Biometrics | Replace OTP | Blocks 70% phishing |
| QR Verification | Name/amount check | Prevents swaps |
| Helpline Use | 1930 first | 80% instant freezes |
The Road Ahead for UPI Dominance
UPI's dominance endures with projected 50% YoY transaction growth into 2026, fueled by fraud curbs enhancing user trust amid 15 billion monthly volumes. NPCI's refinements position India as the global fintech benchmark, eyeing cross-border expansions.
Projected Growth Metrics
Transaction volumes hit 15 billion in November 2025, with 50% YoY surge expected through 2026 as security boosts adoption in Tier-2/3 cities. Average ticket sizes rise to Rs 650 by mid-2026, driven by enterprise limits up to Rs 10 lakh. Rural penetration targets 80% via UPI Lite offline modes.
Fintech valuations stabilize post-fraud dips, with Paytm and PhonePe eyeing $20B+ amid lending integrations. Government incentives like zero MDR for small merchants accelerate merchant onboarding to 10 crore.
Emerging Security Innovations
AI sentinels from NPCI and RBI flag 90% anomalies pre-execution, building on FRI's real-time telecom blocks. Central Payments Fraud Information Registry (CPFIR) expands to predictive analytics, slashing resolution times to 24 hours.
Biometric mandates evolve to behavioral patterns, detecting unusual swipes or locations. Global interoperability trials with Singapore and UAE launch Q1 2026, using UPI-PayNow links.
Global Expansion Horizons
India exports UPI rails to 10+ nations by 2027, with Trump's US fintech push exploring bilateral pilots. Singapore's full rollout processes 1 million cross-border txns monthly; UAE follows suit. NPCI International eyes Africa via agent banking.
Domestic innovations like credit-on-UPI (C-UPI) hit 5 crore users, blending payments with microloans securely.
Challenges and Mitigation
Evolving scams demand agility—malware variants up 40% in 2025—but multi-layer defenses counter via ML detection. Regulatory tweaks like dynamic limits balance scale and safety.
User education campaigns via 1930 helpline reach 100 million, halving complaint rates.
| Horizon | Milestone | Impact |
| 2026 Growth | 50% volume rise | Rs 200 lakh crore annual |
| Security AI | 90% pre-blocks | Fraud under 0.01% |
| Global Links | 10 nations | $50B remittances |
| Rural Push | 80% coverage | Financial inclusion leap |
