UPI has closed a chink in its security armour: Its payment request feature is finally gone
For years, scamsters exploited a UPI feature that was designed for convenience but enabled them to prey on unsuspecting users who could be tricked into sending them money. On 1 October, NPCI killed that option. This is good news for India’s booming cashless economy.
The National Payments Corporation of India (NPCI) has phased out a major feature of the Unified Payments Interface (UPI) that has long made peer-to-peer (P2P) transactions both convenient and risky. From 1 October, the “collect request" option for P2P transactions has been withdrawn. This is a decisive step to combat a surge in financial fraud within India’s digital payments ecosystem.
UPI has revolutionized the way Indians transfer money, making payments instant, secure and cashless. Yet, the “collect request" or “pull transaction" option, which would let a UPI user request money from another user, proved to be a double-edged sword.
Unlike conventional ‘push’ transactions, where the payer initiates and authorizes a bank transfer, ‘pull’ transactions require the recipient to send a request and the payer to approve it via a UPI PIN code.
The feature had promised UPI users convenience, but it also opened the door to exploitation by fraudsters who prey on human psychology, trust and digital inexperience.
Scammers had perfected numerous tactics to exploit that vulnerability. Sellers in online marketplaces would be duped by people posing as buyers and sending them collect requests disguised as payments, tricking them into entering their PIN codes and inadvertently transferring money out of their accounts.
Prize and lottery scams had begun to abound: victims were told they had won large sums but needed to verify their account by responding to small-value collect requests. Once fraudsters found a responsive victim, they would double down on their deceit.
These scams were designed to manipulate perceptions, exploiting the subtle difference between UPI’s mechanisms to send and request money, often done by crafting notifications that mimic legitimate payment confirmations.
Even digitally savvy users fell victim to it. Fraudsters have shown a knack for creating a false sense of urgency through messages of expiring offers, limited-time deals or immediate verification requirements that pressure individuals into approving requests without scrutiny.
In a society that values speed and convenience, this psychological manipulation has proven remarkably effective, leaving thousands of users distressed.
In 2019, NPCI attempted to limit abuse by capping pull transactions at ₹2,000. But fraudsters adapted quickly, proving that partial restrictions were insufficient. The decision to eliminate the feature altogether has now placed full control back in the hands of payers. By ensuring that a UPI PIN is only required when money is being sent, the security framework of digital payments has been significantly strengthened.
This move reflects a broader principle: in digital finance, control over money must never leave the hands of its owner.
The impact of NCPI’s decision extends beyond fraud prevention. Businesses, digital platforms and fintech firms will need to redesign workflows that once depended on collect requests, while consumers will need to grow more familiar with initiating push transactions for every payment.
This recalibration also highlights the urgency of financial literacy in a rapidly digitizing economy to ensure that users understand transaction flows and risks.
For ordinary UPI users, the loss of convenience is outweighed by the gain in security. Push transactions are inherently safer, requiring deliberate action by the payer and minimizing the risk of falling prey to scams framed as incoming payments. This platform’s structural shift supports the broader national vision of a robust and fraud-resistant financial ecosystem that fosters trust while enabling innovation.
UPI is not just a payment mechanism; it has become an economic enabler across India, powering small businesses, supporting gig workers and aiding the government’s cashless economy initiatives. However, as with any technology at scale, features built for convenience can be turned into tools of exploitation. NPCI had done well to address this.
The story of UPI pull transactions illustrates how fraud is about human psychology no less than technology. Fraudsters exploit urgency, trust and misconceptions, luring their victims into making costly errors. A redesign of the system to eliminate this weak link not only protects UPI users, but also encourages healthy digital habits. In the digital age, safety is the foundation on which trust is fostered and growth pursued.
The move also highlights the evolving role of regulators in shaping the digital economy. Financial innovation must be balanced with safeguards and NPCI’s decision demonstrates that India is willing to make the trade-offs needed to secure user trust. Internationally, regulators will watch the move’s impact closely as other countries grappling with digital payment fraud consider similar steps. NPCI’s initiative could well set a global precedent.
As for UPI users, with the feature now withdrawn, they should update their understanding of UPI interactions and ensure that every payment they make is consciously initiated. For regulators and innovators alike, the shift in how this platform works underscores the need for technology and policy to evolve together to safeguard financial integrity.
The sun has finally set on pull transactions, leaving us with a more secure UPI landscape. If fraud levels drop, as expected, it will reinforce India’s reputation as a global leader in using technology to ease and improve the lives of large numbers.
The authors are, respectively, assistant professor, Shyam Lal College, University of Delhi, and senior visiting fellow, PIF; and a Delhi-based technocrat.
topics
