If you’ve ever hesitated before approving a UPI request or double-checked a QR code before scanning, you’re not alone. As UPI becomes central to everyday payments, concerns around fraud are rising alongside its growth.
As per government data shared in Parliament, 10.64 lakh UPI fraud cases worth ₹805 crore were reported in FY26 (till November).
The Reserve Bank of India’s proposal to introduce a one-hour cooling-off period for new or high-value UPI payments above ₹10,000 is the latest step aimed at curbing such frauds.
At the same time, another digital payment option has quietly evolved in the background: the e-rupee, or India’s central bank digital currency (CBDC). After nearly three years of pilot runs, the question arises — could this form of digital cash offer a safer alternative to UPI? The answer lies in understanding how differently the two systems work.
UPI vs e-rupee
For most users, paying via UPI and paying with the e-rupee can look similar. Both involve scanning a QR code and approving a transaction on your phone, after which money moves from the sender to the receiver.
But the underlying architecture is fundamentally different.
In a UPI transaction, money moves from one bank account to another through a network involving banks and settlement systems.
“UPI is an overlay payments system on bank accounts, cards and credit lines to transfer funds,” said Mihir Gandhi, partner and payments transformation leader, PwC India.
The e-rupee operates differently. It is retail CBDC issued by RBI — essentially digital cash.
So while UPI moves money between bank accounts, the e-rupee transfers value stored as tokens in a wallet, similar to physical cash, said Ranadurjay Talukdar, partner and payments sector leader, EY India.
“E-rupee, fundamentally, is no different from you taking out ₹500 from your wallet and handing it over to a merchant who accepts cash. No bank comes in between when the transaction is carried out. The only difference is that it is digital cash in tokenised form,” he said.
The RBI’s Annual Report 2024–25 showed e-rupee circulation at ₹1,016.5 crore as of March 2025, with around 60 lakh users participating in the pilot. More recent data suggests steady expansion. In December 2025, RBI Deputy Governor T. Rabi Sankar said retail e-rupee transactions had crossed 120 million in volume, with total value exceeding ₹28,000 crore and the user base rising to over 80 lakh.
While these figures are modest compared with UPI’s scale, they indicate gradual traction as the central bank tests use cases and expands interoperability.
The fraud question
UPI’s scale and ease of use have also made it a target for social engineering fraud.
A social engineering fraud is a technique that uses manipulation to deceive individuals into divulging sensitive financial information, transferring funds or providing access to restricted systems. In UPI scams, users are often tricked into approving “collect requests”, sharing OTPs or authorizing payments under false pretences.
The RBI’s proposed cooling-off period targets this behaviour. By introducing a pause for person-to-person (P2P) UPI transactions above ₹10,000, users would get the option to cancel suspicious or mistaken transfers before final settlement.
The proposal exempts person-to-merchant (P2M) transactions and payments under e-mandates, meaning a large share of everyday transactions below ₹10,000 would remain unaffected. Still, the move reflects a broader regulatory concern: instant payments leave little room to reverse mistakes.
Token model, different risks
Talukdar said transactions are typically tied more closely to the user’s device and require direct confirmation.
In many UPI fraud cases, users are tricked into approving a “collect request” or entering their PIN under the impression that they are receiving money, when in fact they are authorising a debit.
With the e-rupee, the flow differs. The user initiates the payment directly from their wallet, and digital tokens move from the sender’s wallet to the recipient’s wallet or account only after explicit confirmation through a PIN or biometric authentication.
There is no concept of a remote “collect request” that can be misused in the same way, reducing the scope for such scams.
However, this does not make the system immune. If someone gains access to your phone or wallet, the risk remains. The e-rupee alters the type of risk — it does not eliminate it.
Finality of payment
One key similarity between UPI and e-rupee lies in settlement finality.
“Once the funds are transferred via e-Rupee, then it is a final settlement, same as UPI. The money cannot be clawed back or the transaction stopped,” said Gandhi.
NPCI’s dispute resolution framework allows users to report and attempt recovery of funds in UPI fraud cases. However, the process can be cumbersome, making recovery difficult.
In that sense, both systems ultimately share the same challenge: prevention matters more than reversal.
How to use the e-rupee
To use the e-rupee, a consumer must first download the CBDC wallet mobile application of their bank and complete basic KYC.
The wallet is loaded by transferring money from a bank account, similar to adding funds to a prepaid wallet. Once funded, payments can be made by scanning any UPI QR code.
A banking official, who did not wish to be named, informed Mint that the e-rupee wallet works seamlessly with the existing UPI ecosystem. Users can scan any standard UPI QR code or use a virtual payment address to send money, provided the merchant’s bank supports CBDC acceptance and the wallet supports interoperability.
Sending money requires a PIN or device authentication, while receiving money only requires sharing a QR code.
Despite its functionality, the e-rupee has seen limited adoption, largely because of UPI’s dominance and familiarity.
Talukdar noted that CBDC has found stronger use cases in offline transactions — particularly in regions with patchy internet connectivity — and in programmable payments.
“In targeted payments, money can be programmed for specific uses, such as government subsidies,” he said.
UPI, despite vulnerabilities, remains more convenient and widely accepted. For now, regulators appear focused on making UPI safer rather than pushing for CBDC's adoption.