Online Transaction Frauds – Akhil Bhartiya Cyber Suraksha Sangathan (Regd.)

💳 ONLINE TRANSACTION FRAUDS — OVERVIEW

India processed over 13,000 crore digital transactions worth ₹200 lakh crore in 2023 — making it the world's largest real-time payments market. But this explosive growth has brought with it an equally explosive rise in online transaction fraud. Cybercriminals exploit the speed, irreversibility and complexity of digital payments to steal money before victims even realise what has happened. Online transaction frauds include UPI collect request scams where victims unknowingly authorise payments instead of receiving money, fake payment screenshots used to deceive merchants, card-not-present fraud using stolen credit/debit card credentials, payment gateway phishing redirecting checkout payments to fraudsters, and cashback / refund scams that trick users into paying to receive money. The average time between a fraudulent transaction being initiated and the money leaving the victim's account is under 90 seconds — making immediate reporting to 1930 critical. All online transaction frauds are prosecutable under the IT Act 2000, Bharatiya Nyaya Sanhita 2023 and RBI's Payment and Settlement Systems Act 2007.

₹2,400 Cr+

Lost to Transaction Fraud (2023)

11 Lakh+

Online Payment Fraud Complaints

48%

Frauds via UPI Platform

1930

National Cyber Helpline 24×7

⚠️ How Online Transaction Frauds Are Carried Out

Sending fake UPI collect requests disguised as money-sending links
Creating fake payment confirmation screenshots to deceive sellers
Stealing card credentials via skimming devices, data breaches or phishing
Redirecting checkout payment pages to cloned payment gateways
Posing as buyer on OLX/Quikr and sending fraudulent "advance payment" via QR
Social engineering victims into entering UPI PIN "to verify" an incoming transfer
Fake cashback / lottery SMS with payment links that charge instead of credit
Using stolen card details for international CNP (Card Not Present) transactions

✅ How to Protect Yourself from Transaction Frauds

Remember: Receiving money via UPI requires NO PIN entry and NO QR scan
Always verify payment in your bank account — never trust screenshots as proof
Set a daily UPI / card transaction limit matching your typical usage
Enable transaction alerts on SMS and email for every debit immediately
Never click payment links received via SMS, WhatsApp or email
Use virtual credit cards for online shopping — never real card details
Enable 2FA on all payment apps — PhonePe, Google Pay, Paytm, BHIM
Block international transactions on your debit/credit card if not needed

🔍 Types of Online Transaction Frauds

📲

UPI Collect Request Scam — "Scan to Receive Money"

The most widespread online transaction fraud in India. Fraudsters send a UPI "Collect Request" — a payment demand — and convince victims it is a money transfer. They say "I am sending you ₹5,000 — approve the request on your UPI app." The victim sees an OTP or PIN prompt, assumes it's for receiving, and enters their PIN — completing a payment TO the fraudster. On UPI, entering your PIN always means you are PAYING, never receiving. No PIN is ever needed to receive money.

📸

Fake Payment Screenshot Fraud

Fraudsters use screenshot editing apps to create convincing fake UPI, PhonePe, Google Pay or BHIM payment success screenshots — showing the seller's name, correct amount and a fake transaction ID. They share the fake screenshot immediately after placing an order and pressure the seller to dispatch goods urgently before the "payment reflects." By the time the seller checks their actual bank account, the fraudster has disappeared with the goods. Extremely common on OLX, Facebook Marketplace, Instagram shops and WhatsApp businesses.

💳

Card Not Present (CNP) Fraud — Stolen Card Data

Criminals obtain credit or debit card numbers, expiry dates and CVV through data breaches, phishing, skimming or dark web purchases — and use these to make online purchases on websites that don't require OTP authentication, especially international sites. Victims discover the fraud only when they check their statement and see transactions for purchases they never made, often in foreign currencies on overseas platforms.

🌐

Fake Payment Gateway / Checkout Redirect Fraud

Fraudsters create fake e-commerce websites or inject malicious code into legitimate checkout pages — redirecting the payment step to a cloned payment gateway that captures card details and OTPs. The victim believes they are paying on a legitimate website. Their card is charged, no goods are received, and their full card credentials are stored by the fraudster for future misuse across multiple platforms.

🛒

OLX / Classifieds "Advance Payment" Army / Defence Scam

A deeply documented fraud where fraudsters pose as Army officers or defence personnel on OLX, Quikr or Facebook Marketplace — claiming to urgently sell vehicles, electronics or furniture as they are being "posted to a new location." They claim to have already paid "Army transport charges" and ask the buyer to pay advance via UPI QR code to "reserve the item." Once payment is sent, they vanish. No item exists. No defence personnel sells personal items this way.

🎁

Fake Cashback / Refund / Prize Transaction Scam

Victims receive SMS or WhatsApp messages claiming "You have won ₹15,000 cashback from Amazon/Flipkart/your bank — click here to collect." The link leads to a fake page asking for UPI ID and PIN "to credit the cashback." Entering the PIN completes a payment to the fraudster. Also includes fake "processing fee" demands — "pay ₹99 as processing fee to receive your ₹10,000 refund" — where the ₹99 is stolen and no refund ever materialises.

🏠

Fake Rental / Property Advance Payment Fraud

Fraudsters post fake rental properties on housing portals at below-market rates — targeting people searching for accommodation in new cities. They claim to be the "owner" living abroad and ask for 1–2 months advance payment via bank transfer "to hold the flat" before the victim can view it. Once the advance is transferred, the fraudster becomes unreachable. The property either does not exist or belongs to someone else entirely.

🔗

Fake Payment Link Fraud via WhatsApp / SMS

Fraudsters send payment links via WhatsApp, SMS or email that appear to be from legitimate sources — banks, Paytm, Amazon, IRCTC, electricity boards — saying "your bill is due, pay now to avoid disconnection" or "complete your KYC payment here." The link leads to a cloned payment page that captures card details and OTP. The victim receives no service and their card is used for further fraudulent transactions.

🤝

Business / Vendor Invoice Manipulation Fraud

Fraudsters intercept email communications between businesses and their vendors — monitoring the conversation until a large invoice is due. They then send a spoofed email from a near-identical address as the vendor, stating "our bank account has changed — please make this payment to the new account." The business transfers the payment to the fraudster's account. Losses in single incidents regularly exceed ₹50 lakh. Also called Business Email Compromise (BEC) fraud.

🪙

Cryptocurrency / Digital Asset Transaction Fraud

Victims are lured into sending cryptocurrency payments — Bitcoin, Ethereum, USDT — through fake investment platforms, romance scams or "Bitcoin doubling" schemes. Cryptocurrency transactions are irreversible by design — once sent to a fraudster's wallet, recovery is virtually impossible. Fraudsters specifically choose crypto to exploit this irreversibility and cross-border anonymity, making law enforcement recovery nearly impossible compared to bank transfers.

🚨 UPI COLLECT REQUEST SCAM — SPECIAL ALERT — INDIA'S FASTEST GROWING FRAUD

The UPI Collect Request Scam exploits a fundamental misunderstanding of how UPI works — most victims believe that entering their PIN "approves receiving" money. In reality, your UPI PIN is ONLY used to authorise payments you are making. Here is exactly how this scam unfolds — and why educated, tech-savvy people fall victim:

📞

Step 1 — Establishing the Context

Victim has listed something for sale on OLX/Quikr, or is expecting a refund, or responded to a job/freelance ad. Fraudster contacts them as a genuine buyer, employer or bank official — building trust through normal conversation and correct personal details.

💬

Step 2 — "I Am Sending You the Money Now"

Fraudster says: "I am transferring ₹10,000 right now. You will get a notification on your PhonePe / Google Pay — just approve it and the money will be in your account in 2 minutes." Victim is told to "accept" the incoming transfer.

📲

Step 3 — Collect Request Arrives

A UPI Collect Request arrives — which is a payment DEMAND, not a transfer. The notification says "₹10,000 requested from [fraudster's name]." Victim sees the amount they were promised and believes this is confirmation of the incoming payment.

💸

Step 4 — PIN Entry Completes the Payment

Victim enters their UPI PIN to "accept the money." This PIN entry authorises an outgoing payment of ₹10,000 FROM the victim TO the fraudster. Money leaves the victim's account instantly and irreversibly. The fraudster immediately disconnects and blocks all contact.

⚠️ THE GOLDEN RULE: ENTERING YOUR UPI PIN ALWAYS MEANS YOU ARE PAYING MONEY OUT OF YOUR ACCOUNT. NO PIN ENTRY IS EVER NEEDED TO RECEIVE MONEY ON UPI. IF SOMEONE SAYS "ENTER YOUR PIN TO RECEIVE MONEY" — IT IS 100% FRAUD.

🔒 SAFE TRANSACTION CHECKLIST — VERIFY BEFORE EVERY PAYMENT

Before completing any online transaction — especially to a new recipient — run through this checklist. Most transaction fraud victims skipped one or more of these steps. Each check takes seconds but can save lakhs.

✅

Verify Recipient's UPI ID / Account Number

Before sending any large amount, send ₹1 first and confirm the recipient's name that appears on the UPI confirmation screen. If the name doesn't match who you expect to pay — do not proceed.

✅ ALWAYS DO THIS FOR NEW RECIPIENTS

🏦

Check Your Bank Account — Not the Screenshot

Never release goods or services based on a payment screenshot. Log in to your actual bank account or check your SMS alert to confirm the credit before proceeding. Screenshot can be faked in seconds.

⚠️ NEVER TRUST SCREENSHOTS AS PAYMENT PROOF

🔗

Never Pay via Links in SMS / WhatsApp

Legitimate payment requests from banks, utility companies and e-commerce platforms are made through their official apps — not through SMS links or WhatsApp messages. Any payment link received this way is almost certainly fraud.

⚠️ EXTREMELY HIGH RISK — NEVER CLICK

🌐

Check Website URL Before Card Payment

Before entering card details on any website, verify the URL is correct and shows "https://". Check for small spelling differences — "amaz0n.in" or "flipkart-sale.com" are fake. Bookmark genuine sites and use only those.

⚠️ CHECK URL — ONE WRONG LETTER MEANS FRAUD

📱

UPI PIN Is for Paying — Never for Receiving

This is the most important UPI rule. You NEVER need to enter any PIN, OTP or password to receive money. If any action requires PIN entry, it is a payment going out. Receiving money is completely passive — it just arrives.

⚠️ PIN = PAYING. NO PIN NEEDED TO RECEIVE.

💰

No Genuine Buyer Asks for Advance Before Viewing

On OLX, Quikr, Facebook Marketplace or any classifieds — no genuine buyer of a high-value item sends advance payment via QR code before physically seeing the item. Any request for advance payment, especially with urgency, is fraud.

⚠️ MEET IN PERSON — COLLECT CASH OR PAY ON DELIVERY

🔔

Enable Instant SMS Alerts for Every Transaction

Register your mobile number with your bank for instant SMS transaction alerts for every debit, even ₹1. This ensures you know immediately if an unauthorised transaction occurs — giving you maximum time to call 1930 and freeze the money.

✅ ENABLE THIS — IT COSTS NOTHING

🚫

Set Daily Transaction Limits on UPI and Cards

In your bank's mobile app or net banking, set daily UPI and card transaction limits to match your typical usage. Even if a fraudster gains access to your credentials, a low daily limit caps the maximum possible loss significantly.

✅ SET LIMITS IN YOUR BANKING APP TODAY

🚩 RED FLAGS — HOW TO IDENTIFY AN ONLINE TRANSACTION FRAUD

🔴

Someone Asks You to "Enter PIN to Receive Money" on UPI

This is the single clearest sign of UPI collect request fraud. There is no situation — ever — where entering your PIN results in money coming into your account. If any caller, WhatsApp contact or online message instructs you to enter your PIN "to receive a transfer," immediately disconnect and do not comply. This is 100% fraud without exception.

🔴

Payment Screenshot Shared Before You See the Credit in Your Account

Any buyer, client or customer sharing a payment screenshot and urging you to dispatch goods or services immediately — before you have verified the credit in your own bank account — is likely attempting fake payment fraud. Payment screenshots are trivially easy to fabricate using free apps. Your bank account SMS credit is the only valid payment confirmation.

🔴

OLX / Online Buyer Claims to Be Army / Defence / Government Personnel

The "Army officer posting" scam is one of India's most documented classifieds frauds. Fraudsters specifically claim military or government identity because it generates trust and discourages questioning. No military or government policy requires personnel to sell items urgently via classified ads to strangers. This combination — claimed defence identity + urgency + advance UPI payment request — is a confirmed fraud pattern.

🔴

Seller / Service Provider Asks for "Small Advance" Before Delivery or Meeting

Fraudsters selling non-existent rental properties, vehicles, electronics or jobs always ask for a "token advance" or "booking amount" before the buyer can view or verify the item. This advance is the fraud — no legitimate seller of high-value goods requires payment before the buyer can inspect. Once the advance is transferred, communication ceases permanently.

🔴

"Pay Small Fee to Receive Your Large Refund / Cashback / Prize"

No legitimate cashback, refund or prize requires upfront payment processing fees. Amazon, Flipkart, IRCTC, banks and government departments never ask customers to pay money to receive refunds, cashback or compensation. Any such request — regardless of how official the SMS or website looks — is a fraud designed to extract a small "fee" while delivering nothing in return.

🔴

Vendor / Supplier Emails You a "Revised Bank Account" for Invoice Payment

If a regular vendor, supplier or business partner emails that their bank account has changed and you should use the new account for an upcoming payment — verify this directly by calling the vendor on their known phone number before transferring. Business Email Compromise (BEC) fraud specifically targets large invoice payments by intercepting email chains between companies and their trusted vendors.

🔴

Too-Good-to-Be-True Price on a High-Value Item with Urgency

A new iPhone for ₹8,000, a car for ₹50,000, a branded laptop for ₹5,000 — items priced at 20–30% of market value on classifieds sites with sellers adding urgency ("posting tomorrow, need to sell today") are almost always non-existent. The price is bait. The urgency prevents due diligence. Any payment made before physically verifying the item is irreversibly lost.

🔴

Investment Platform Showing Unusually High Daily Returns

Cryptocurrency trading apps, stock market platforms and "passive income" schemes showing 3–5% daily returns (1000%+ annual) are fraud. Initial small withdrawals are permitted to build trust and encourage larger deposits. Once a significant amount is deposited — the platform freezes withdrawals and demands "tax payment" or "unlocking fees" that lead to additional losses. No legitimate investment guarantees daily profits of any kind.

🚨 If You Have Been a Victim of Online Transaction Fraud

Call National Cyber Helpline 1930 IMMEDIATELY — the faster you call, the higher the chance of freezing the money before it is withdrawn
Note the exact transaction amount, time, UTR number, recipient UPI ID or account number — have this ready when you call
Call your bank's 24×7 helpline and report the fraudulent transaction — request a chargeback or transaction freeze
File complaint at cybercrime.gov.in immediately — select "Online Financial Fraud" — fill all transaction details accurately
If fraud occurred on a UPI app (PhonePe, GPay, Paytm) — report via in-app complaint feature and also email their fraud support team
Preserve all evidence — screenshots of messages, transaction SMS alerts, WhatsApp conversations, call logs
If card fraud — immediately call your bank to block the card and dispute all unauthorised transactions
Under RBI Customer Liability Circular — report within 3 working days for zero/limited liability on unauthorised transactions
File FIR at nearest police station or Cyber Crime Cell — bring printouts of all evidence, your Aadhaar and account statement
If OLX / classifieds fraud — also report the fraudulent listing to the platform to prevent others from being victimised

📰 REAL ONLINE TRANSACTION FRAUD CASES — INDIA

2024 — Delhi — UPI Collect Request Scam

School Teacher Loses ₹95,000 Selling Old Furniture on OLX — "Entered PIN to Receive Money"

A Delhi school teacher listed her household furniture for ₹95,000 on OLX before relocating. A "buyer" contacted her, agreed to the price and said he would send an advance via GPay immediately. She received a UPI collect request notification showing ₹95,000 — the exact amount she was selling for. The "buyer" called her simultaneously saying "approve it and the money will come in 2 minutes." She entered her UPI PIN. ₹95,000 was instantly debited from her account. She called 1930 within 20 minutes — ₹60,000 was frozen in the fraudster's account. Investigation revealed the fraudster had run 43 similar scams over 3 months from a rented room in Rajasthan using 7 different UPI accounts.

2023 — Mumbai — Fake Payment Screenshot

Jewellery Shop Owner Hands Over ₹1.8 Lakh in Gold After Seeing Fake GPay Screenshot

A Mumbai jewellery shop owner sold gold ornaments worth ₹1.8 lakh to a well-dressed customer who paid via "Google Pay" and immediately showed a convincing payment success screenshot on his phone. The shopkeeper did not verify his actual bank account as the shop was busy. The customer left with the jewellery. 40 minutes later the shopkeeper checked his account — no credit had arrived. Police investigation found the fraudster used a screenshot editing app to create perfect fake GPay confirmations. The same individual had defrauded 11 other shops across Maharashtra over 2 months using the same method.

2024 — Bengaluru — OLX Army Scam

Software Engineer Loses ₹2.3 Lakh Paying "Army Posting Advance" for Non-Existent Royal Enfield

A Bengaluru software engineer found a Royal Enfield Thunderbird listed on OLX for ₹65,000 — well below market value. The seller introduced himself as a CRPF officer being urgently posted to Ladakh who needed to sell his bike immediately. He shared convincing images of the bike and his fake CRPF ID card. He asked for ₹25,000 advance "to hold the bike" before the engineer could come to see it. When the engineer paid, the fraudster said "Army transport is now scheduled, pay remaining ₹40,000 to confirm pickup slot." Total ₹2.3 lakh was lost across multiple transactions before the engineer realised. Police identified the fraudster as part of a 12-member OLX fraud gang operating from UP.

2023 — Pune — Business Email Compromise

Manufacturing Company Transfers ₹38 Lakh to Fraudster After "Vendor Changed Bank Account"

A Pune-based auto components manufacturer received an email from what appeared to be the email address of their long-term raw material supplier — informing them of a bank account change effective immediately for all pending invoices. Two invoices totalling ₹38 lakh were due. The company's accounts team processed both payments to the "new account" without calling the supplier to verify — as they had a trusted 4-year relationship. The supplier's email had been compromised 3 weeks earlier. The fraudster had been silently monitoring all email conversations to time the interception perfectly. ₹12 lakh was recovered after immediate reporting; ₹26 lakh was withdrawn through a network of mule accounts before freezing.

⚖️ APPLICABLE LAWS

IT Act Sec 43 IT Act Sec 66 IT Act Sec 66C IT Act Sec 66D BNS Sec 318 BNS Sec 319 BNS Sec 316 PSS Act 2007 RBI Customer Liability Circular 2017 Consumer Protection Act 2019

IT Act Section 43: Any person who, without permission, accesses or causes wrongful financial loss through fraudulent use of digital payment systems — including UPI, card networks, payment gateways and banking portals — is liable for compensation up to ₹1 crore. This civil remedy provides victims a direct route to claim compensation without waiting for criminal proceedings to conclude.

IT Act Section 66: Dishonestly or fraudulently accessing payment systems, manipulating transaction data, intercepting OTPs and using stolen card credentials — imprisonment up to 3 years or fine up to ₹5 lakh or both. The primary criminal provision for all forms of online payment fraud involving unauthorised system access.

IT Act Section 66C — Identity Theft: Using stolen card credentials, net banking passwords, UPI PINs or digital identities to fraudulently initiate transactions — imprisonment up to 3 years and fine up to ₹1 lakh. Directly applicable to card not present fraud, credential theft via phishing and UPI account takeover for fraudulent transactions.

IT Act Section 66D — Cheating by Impersonation: Posing as banks, payment companies, government departments, army officers or genuine buyers/sellers using computer resources to fraudulently extract payments — imprisonment up to 3 years and fine up to ₹1 lakh. Covers UPI collect scams (posing as genuine buyers), OLX army scams and fake payment gateway fraud.

BNS Section 318 — Cheating: The primary criminal provision for all forms of transaction fraud that involve deceiving a person to deliver money or property — imprisonment up to 7 years and fine. Covers the full spectrum of online transaction fraud including UPI collect scams, fake payment sites, advance payment fraud and business email compromise.

BNS Section 319 — Cheating by Personation: Fraudulently assuming the identity of an army officer, bank official, RBI representative or genuine buyer/seller to extract payments — imprisonment up to 3 years and fine. Specifically applicable to the OLX Army scam, RBI impersonation calls and fake buyer fraud on classifieds platforms.

BNS Section 316 — Criminal Breach of Trust: Where insiders at payment companies, banks or e-commerce platforms assist fraudsters by leaking customer data used to target victims for transaction fraud — imprisonment up to 7 years and fine. Also applicable to payment gateway operators who fail to implement adequate fraud prevention despite knowing their platform is being misused.

Payment and Settlement Systems Act 2007 (PSS Act): Governs all payment systems in India including UPI, IMPS, NEFT, RTGS and card networks. Fraudulent manipulation of payment instructions, interception of payment flows and operation of unauthorised payment collection platforms are criminal offences. The RBI can impose significant penalties on regulated payment operators who fail to prevent or report fraud on their platforms.

RBI Customer Liability Circular 2017: Victims of unauthorised electronic transactions are entitled to zero liability if they report within 3 working days of receiving communication about the fraud — the bank must reverse the amount within 10 days. For delayed reporting (4–7 days), liability is capped at ₹5,000 or the transaction amount, whichever is lower. Victims must report immediately and formally invoke this circular in written complaints to their banks.

Consumer Protection Act 2019: E-commerce platforms, payment aggregators and digital service providers that fail to adequately protect customers from fraud or that facilitate fraudulent transactions through negligence can face complaints before District Consumer Commissions. Victims can claim compensation for mental agony, financial loss and deficiency of service — providing an additional civil remedy alongside criminal and RBI channels.

📝 Report This Crime

📝 Report Transaction Fraud to ABCSS

Cyber Links

Important Links