A stranger messages you saying they sent money to your UPI ID by mistake, and asks you to send it back. It sounds honest — even kind. But in most versions of this scam, either no real money ever reached your account at all, or the scammer sent a small real amount on purpose just to make the story convincing — and either way, the "refund" QR code or link they send you next is designed to debit you, not credit them. If this is happening right now: do not scan any QR code or click any link they send. Open your own bank app, check your actual account balance and statement, and if you truly received an unexpected credit, return it only by typing the recipient's UPI ID yourself in your own banking app — never through a QR or link sent by the stranger.
How the scam actually works
This scam has a few common versions, but the script follows the same shape. A typical version goes like this:
Step 1 — The fake or deliberately staged credit. You get a message, sometimes even a bank-style SMS or notification sound, saying money has landed in your account. In some versions, a small amount genuinely does land in your account — the scammer sends it as a real, completed transfer purely to make the story believable before asking for a much bigger "refund." In other versions, no money moves at all; the "notification" is fake, or a screenshot, sent to make you believe you have unspent money sitting in your account. Either way, the real theft happens later, when they ask you to send the money "back" through a QR code or link that they control.
Step 2 — The urgent, apologetic ask. Within minutes, the stranger calls or messages: "I'm so sorry, I sent that by mistake, wrong number, please return it, I really need it back today." The story is designed to trigger sympathy and urgency at the same time — a common trick used across scam types because it stops you from pausing to verify.
Step 3 — The "convenient" refund method. Instead of asking you to simply enter their UPI ID and send money the normal way, they say it will be "faster" if you scan a QR code they send, or tap a payment link, or use a "refund request" they claim to have raised. This is the trap: a UPI QR code or a payment collect request is built to pull money FROM your account, not push money out normally. If you scan it thinking you are sending a refund, you may actually be approving a debit for whatever amount is embedded in that code or request — sometimes larger than what you supposedly received.
Step 4 — You are debited, not the other way round. By the time you realise what happened, money has left your account — usually far more than whatever "credit" you were shown in Step 1. The "stranger" is unreachable, and there was never a genuine refund owed in the first place.
Why this trick works
It exploits two very human instincts at once: the urge to be honest and return money that "isn't yours," and the urge to help someone who sounds panicked. Scammers count on you acting fast out of decency, before your normal caution kicks in. This is not a flaw in your character — it is exactly why the scam is effective on careful, honest people. Anyone can fall for it in a busy moment.
The red flags
| What you see | What it usually means |
|---|---|
| A stranger contacts you claiming a "wrong transfer" | Legitimate senders contact their own bank first, not the recipient, to reverse a mistaken transfer |
| They ask you to scan a QR code to "send back" money | A UPI QR/collect request is built to debit you — a genuine refund needs you to manually enter their UPI ID and pay |
| They create urgency — "I need it back right now" | Urgency is used deliberately to stop you from checking your bank statement first |
| The "credit" is only a screenshot or notification sound | Not proof of money in your account — check your own bank app or passbook |
| They refuse to let you verify with your bank first | A genuine party has nothing to lose by you confirming the transaction independently |
| A "customer care" or "bank official" gets involved to "process the refund" | Real banks never coordinate a refund through a stranger's WhatsApp message or a third-party QR code |
Know your vulnerabilities before attackers do
Run a free VAPT scan — takes 5 minutes, no signup required.
Book Your Free ScanIf it is happening right now
- Stop. Do not scan any QR code and do not tap any link they send you, no matter how convenient it sounds or how much they insist it is "the fastest way."
- Open your own bank's app or net banking — not a screenshot, not a message — and check your real balance and transaction history. If there is no confirmed credit from them, there is nothing to return.
- If a credit genuinely appears in your statement, return it the safe way: open your own UPI app, manually type in their UPI ID (do not use any QR or link they provide), enter the exact amount, and pay yourself. You control the flow of money — never let a stranger control it through a code they generated.
- If you are unsure whether a "collect request" notification is a request TO you for money, or a genuine incoming payment, do not approve it. UPI apps clearly separate "send money" from "collect/request money" screens — read the screen carefully before you enter your UPI PIN. Your UPI PIN is only ever needed to send or authorise money, never to receive it. NPCI, which runs UPI, confirms this basic rule: receiving money never requires a PIN.
- Hang up or stop replying if they escalate pressure, mention "bank officials," or threaten consequences for not returning money fast. Genuine banks resolve wrongly sent transfers through their own systems, not through a random individual under time pressure.
Checking the QR before you pay
Since this scam relies entirely on the victim scanning a QR code or opening a payment link, it is worth building the habit of checking a code before you ever act on it. The free Bachao UPI Scanner app lets you scan a UPI QR code first and see the payee's UPI ID, their name, and the exact amount — before any money moves. It also gives a plain-English risk score and flags look-alike or typo-squatted UPI handles and suspicious pre-filled amounts, and it never auto-pays; it simply hands the details to your own UPI app so you make the final call. It also lets you report a suspicious UPI ID so others are warned. Be clear about its limits, though: it does not verify who a person actually is or check their real bank records — it only tells you what the QR code itself contains and whether that content looks risky. It is one useful layer against exactly this kind of QR-based trick, not a guarantee, and it does nothing to confirm that a "wrong transfer" story is true in the first place. That judgement is still yours.
If you have already paid or shared details
Speed decides whether you get your money back. Every hour matters, so act immediately and in this order:
- Call 1930 — the National Cyber Crime Helpline — right now. This is the fastest route to flag the transaction to banks before the money is moved further.
- File a complaint at cybercrime.gov.in, the official portal run by the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs. Have your transaction ID (UTR) ready.
- Call your bank's official helpline (use the number on the back of your card or on the bank's own website — never a number the scammer gave you) and ask them to flag the transaction, freeze the receiving account if possible, and open a dispute.
- Preserve every piece of evidence: screenshots of the chat, the UPI transaction ID / UTR number, the phone number or UPI ID used, and the time of the transaction. Do not delete the conversation.
- Do not respond further to the same contact demanding "more money to release the refund" or any similar follow-up — that is a very common second attempt.
Protecting family, especially elderly parents
Elderly parents and less tech-familiar family members are frequent targets because scammers assume they will be less likely to check their bank statement carefully or question a "helpful bank official." Sit down with them once and cover three simple rules: never scan a QR code or click a link to "return" money, always check the actual bank app or passbook before believing a credit happened, and never enter a UPI PIN to "receive" anything. Save the 1930 helpline number in their phone contacts under an easy name like "Cyber Helpline," and tell them it is always fine to call you first before acting on any urgent money message — a two-minute pause is what these scams are designed to prevent.
Bachao.AI, built by Dhisattva AI Pvt Ltd, exists to help ordinary people spot exactly these kinds of traps before money moves — starting with checking what a QR code or payment link actually does before you act on it.