PhonePe Collect Request Scam in India 2026: The "Wrong Transfer" UPI Refund Trick

Published: 31 May 2026 8 min read By ScanTotal Security Team
Last reviewed: 31 May 2026 by Kumari Rajapaksha, Founder, ScanTotal

The SMS arrives at 4pm. “PhonePe: You have received ₹1,500 from Rajesh Kumar. Available balance: ₹X,XXX.” A minute later a phone call: an anxious-sounding man says he transferred money to the wrong number while paying his daughter’s school fees. Could you please return it? He sends a collect request. You see a notification, ₹1,500, and you tap it without reading it carefully. You enter your UPI PIN. The ₹1,500 leaves your account.

There never was a wrong transfer. The SMS was spoofed. Rajesh Kumar doesn’t exist. The screenshot you saw on WhatsApp was Photoshopped. You just sent ₹1,500 to a fraud network, and because UPI transactions settle instantly, the money is gone within seconds.

This is the UPI collect-request scam, and in 2026 it’s the most-reported UPI fraud category to NPCI and the national cyber-financial-fraud helpline. The mechanics are subtle, the visual cues are unfair, and the speed of UPI means the window to react is measured in seconds. This guide walks through how the scam actually works, the difference between a real incoming payment and a collect request, the three signals that catch every variant, and what to do if you’ve already approved.

What a collect request actually is

UPI supports two transaction directions. You send money by entering someone’s UPI ID or scanning their QR code, typing the amount, and entering your PIN. You receive money when someone else does that, no action from you needed. The transfer just arrives.

A collect request is the third option, sitting awkwardly between the two. It is a request from someone asking YOU to send THEM money. They send the request, you see a notification, and if you approve it (by entering your PIN), the money flows from your account to theirs.

Collect requests have legitimate uses, a merchant invoicing you, a friend asking for a split bill, your landlord requesting rent. They exist because UPI was designed to handle pull-payment use cases that card networks already supported.

The problem is the interface. PhonePe, Google Pay, and Paytm all show a collect-request notification in a layout that visually resembles an incoming-payment notification: green colour, prominent amount, requester’s name. The one-word difference, “Requesting” vs “Received”, is what separates “tap and pay” from “you have new money”. A user who is busy, hurried, or distracted, i.e. most users most of the time, can easily approve an outgoing payment thinking they’re acknowledging an incoming one.

The three variants of the scam in 2026

Variant 1, the wrong-transfer story. The most common. Scammer claims they accidentally sent you money meant for someone else, sends a collect request to “recover” it. No money ever arrived in your account, the SMS or screenshot was fake.

PhonePe: You have received ₹2,500 from RAJESH KUMAR. Available balance: ₹XX,XXX. - PhonePe

Followed by a call: “Sir, I was paying my brother’s scholarship fees and I entered your number by mistake, that’s the second time this week. Please ma’am help, the deadline is tonight, my brother will lose his place.” You feel sympathetic. The collect request arrives. You approve.

Variant 2, the OLX / Quikr / Facebook Marketplace deposit. You listed an old phone for sale on OLX. A buyer messages: “Interested, I’ll send a small deposit via UPI to confirm.” They send a collect request for ₹500 framed as a “security deposit acknowledgment”. You tap to approve thinking you’re confirming the buyer’s seriousness. You just paid the “buyer” instead.

Variant 3, the prize / refund release. SMS or WhatsApp: “Congratulations! You have won ₹25,000 from [Amazon / Flipkart / Big Bazaar]. To release your prize, please process the request in your UPI app.” The collect request is for a small “processing fee” (₹199 or ₹599). You approve thinking it’s a confirmation step. The “prize” never arrives because it never existed.

The three signals that catch every variant

1Read the verb in the notification

Every UPI app uses slightly different language but the principle is the same:

  • PhonePe:Requesting ₹500” (collect, outgoing) vs “Received ₹500” (incoming)
  • Google Pay:Requests ₹500” (collect, outgoing) vs “Paid you ₹500” (incoming)
  • Paytm:Requested ₹500” (collect, outgoing) vs “Received ₹500” (incoming)
  • BHIM:Send ₹500” (collect, outgoing) vs “Received ₹500” (incoming)

Any notification with “Requesting”, “Requests”, or “Send” in it requires you to send money. Pause and reread before tapping.

2If you’re receiving money, you never need to enter your UPI PIN

This is the single most important rule. A real incoming payment requires nothing from you, the money just appears in your bank account. If a screen is asking you to enter your UPI PIN, the transaction is OUTGOING, regardless of what the screen text says, the colour of the buttons, or how persuasive the caller sounds. Stop and reread.

3Verify through your bank, not your UPI app

Open your bank app (SBI YONO, HDFC, ICICI iMobile, Axis Mobile) and check whether the supposed incoming transfer actually shows up in your bank statement. UPI notifications can be spoofed or photoshopped; your bank’s account ledger cannot. If the bank shows no incoming transaction, no money has reached you, the SMS or screenshot you saw was fake.

What the scam does once you tap

The instant you enter your UPI PIN to approve the collect request, the transfer completes. UPI settles in real-time through NPCI, so within a few seconds the money has left your account and arrived in the scammer’s account. They typically move it on within minutes, to another UPI ID, to an e-wallet, sometimes converted to USDT through an unregistered P2P exchange, to make recovery impossible.

Single-incident losses are usually small (₹500-₹5,000) because scammers calibrate the amount to be plausible. But the same victim is often hit multiple times, the scammer tries again with a different story, the “wrong transfer” today, the “OLX deposit” tomorrow. Habitual victims have reported losing ₹50,000+ over a few weeks before stopping.

The scam network buys lists. Once your UPI ID is flagged as a successful conversion (you paid the first scam), expect more attempts. Lock your account with the steps below the moment you realise what happened.

If you’ve already approved

  1. Call 1930 within the first hour. National cyber-financial-fraud helpline. Have the transaction reference number (visible in your UPI app under “Transaction history”) and the receiving UPI ID ready.
  2. Report inside the app. PhonePe: Help → Report fraud or scam. Google Pay: Help → Report a problem → Suspicious activity. Paytm: 24x7 Help → Report fraud. The PSP-side report has a direct channel to NPCI that the helpline doesn’t always reach as fast.
  3. File at cybercrime.gov.in. Online, takes 10 minutes. The case number from this filing unlocks formal bank-side recovery.
  4. Block the UPI session if you suspect screen sharing. If you installed AnyDesk or TeamViewer during the call (some scammers escalate to this), uninstall it immediately and remove your UPI ID from the app for 24 hours.
  5. File an FIR at your local cyber-crime cell. Required for the formal recovery process and for insurance claims if you have one.
  6. Preserve evidence. Screenshot the UPI transaction, the fake SMS, the WhatsApp chat, the caller’s number. Don’t delete anything until the case is closed.

How to lock down your UPI app to make this harder

Two changes that meaningfully reduce your exposure:

1. Set a low UPI transaction limit. Default limits on PhonePe and Google Pay are typically ₹1,00,000 per transaction. If you don’t actually need that, lower it through your bank app (most banks let you set a daily UPI cap). A ₹5,000 daily cap means even if you’re tricked once, you cannot lose more than that in a single day.

2. Disable collect requests from unknown senders. PhonePe, Google Pay, and Paytm all let you toggle this, only people you’ve previously transacted with can send you a collect request. Most legitimate use cases (merchant invoices) come through registered UPI handles rather than ad-hoc requests, so disabling unknown-sender collects rarely breaks anything you actually use.

If you mostly use UPI for paying merchants (QR codes at shops), you rarely receive money via UPI, your salary goes to your bank account directly. For most users it’s safe to disable collect-from-unknown entirely, and almost nothing breaks.

The respectful reality about PhonePe, Google Pay, and Paytm

India’s UPI ecosystem processes about 15 billion transactions a month, and the vast majority of them are routine, fast, and safe. PhonePe, Google Pay (operated by Google Pay India), Paytm, BHIM, and the dozen other PSPs operating on the UPI rails are not failing their users, they are being targeted because the system they operate is universal and trusted.

The collect-request feature itself is genuinely useful for merchant collections and split-bill use cases. The visual ambiguity between collect and receive is what scammers exploit, not the underlying protocol. The PSPs have been progressively tightening the interface, newer versions of PhonePe and Google Pay show clearer “Requesting”/“Pay” labelling than they did two years ago, but for now, defending against this scam is largely on you, the user, paying close attention to the verb in the notification.

The defence is the same regardless of which PSP you use: read the verb, check your bank, never enter your PIN to receive money. Three rules cover every variant of this scam in every UPI app.

Got a "PhonePe wrong transfer" SMS?

Paste any link in the SMS into ScanTotal first, we’ll tell you whether the domain is real PhonePe or impersonation.

Open URL Scanner

More India scam guides

16 free guides covering the most-reported India scams of 2026.

Browse India scam guides

Sources & Further Reading

Related India scam guides

UPI Scams in India
Broader UPI fraud patterns and how to recognise them.
KYC Update Scam SMS in India
Real examples and the three tells.
Aadhaar Phishing in 2026
Fake-UIDAI SMS, mAadhaar clones, OTP-relay calls.
How Fake Apps Steal OTPs
Accessibility Service abuse and the 4 defences.