It started with a WhatsApp message from someone who seemed to know her. A delivery issue with a package. A link to "verify her address." She clicked it. Within four minutes, Rs 47,000 was gone from her business account — two client payments she'd just received, transferred out through three transactions to accounts she'd never heard of.

She reported it immediately. The bank acknowledged it. The cybercrime helpline logged it. Ninety-two percent of fraud complaints in India are addressed within 30 days — addressed, meaning reviewed, either approved for recovery or rejected. Her case was rejected. The money had moved too fast, across too many accounts, to recover.

This story is not unusual. It's the median UPI fraud story. The sophistication varies — sometimes it's a fake QR code, sometimes a "collect" request that looks like a payment incoming, sometimes a screen-sharing scam, sometimes a voice call from someone who knows your name and your bank. What doesn't vary much is the outcome. The money goes. Most of it doesn't come back.

The numbers the UPI story doesn't always include

India processed over 18 billion UPI transactions monthly by late 2025. On that scale, 13.42 lakh fraud cases in a year sounds like a rounding error. It isn't — it's one in every thousand transactions, and it represents real people, real businesses, real money that disappeared.

Only 6% of stolen UPI fraud funds were successfully recovered during April–September 2025, despite 92% of complaints being reviewed within 30 days. Being reviewed is not the same as being recovered.
Rs 1,087 cr lost to UPI fraud in FY24 alone — across 13.42 lakh reported cases. These are the cases reported. 51% of victims don't report at all.

The 6% recovery rate is the number worth sitting with. It means that for every Rs 100 stolen through UPI fraud, Rs 94 is gone permanently — regardless of how quickly it was reported, how thorough the complaint, how cooperative the bank. The system is designed to process billions of transactions instantly. That speed is also what makes recovery structurally difficult. By the time a fraud is detected, the money has been split, moved, and withdrawn through a chain of mule accounts that's deliberately designed to be untraceable.

Why women are targeted specifically

Women have driven a significant portion of UPI's growth — as first-time digital payment users, as small business owners collecting payment for products and services, as household finance managers making daily transactions. This growth has been good. The targeting that came with it is the uncomfortable part.

The fraud patterns that hit women hardest are not the technically sophisticated ones. They're the social engineering ones — the ones that exploit trust, urgency, and unfamiliarity with exactly what a legitimate payment request looks like versus a fraudulent one.

Fake "collect" requests — where someone sends you a UPI collect notification designed to look like an incoming payment — are particularly common in women-run small businesses. The seller expects money to arrive; the request looks like money arriving; she approves it. The money moves in the wrong direction. By the time the confusion clears, the transaction is done.

The handmade jewellery seller

A woman running a handmade jewellery business from home received a "payment" notification on her UPI app for Rs 28,000 — the price of a custom order. She confirmed it. Two hours later she realised the notification was a collect request, not an incoming transfer. She had authorised sending Rs 28,000, not receiving it.

Amount lost: Rs 28,000. Reported within the hour. Bank reviewed the complaint — rejected as "authorised transaction." Recovery: zero.

The freelance consultant's business account

A management consultant received a call from someone claiming to be from her bank's fraud department — her account had been flagged for suspicious activity, she needed to verify. The caller knew her name, her approximate balance, her registered phone number. She shared a one-time password while being walked through a "verification process." Rs 85,000 was transferred out before the call ended.

Amount lost: Rs 85,000. Reported to cybercrime helpline 1930. Case registered, investigation ongoing at six months. Recovery: zero.

What the complaint process actually looks like

Knowing this in advance is useful — because the first hours after fraud matter, and most people waste them in shock rather than action.

Immediately after discovering fraud
1
Call your bank's 24-hour fraud helpline immediately. Ask them to flag the transaction and attempt a chargeback. The faster this happens, the marginally higher the chance of recovery.
2
Call the national cybercrime helpline: 1930. Available 24/7. Report the fraud and get a complaint number — this is essential for any follow-up claim.
3
File a complaint at cybercrime.gov.in. Include the transaction ID, screenshots of the transaction, any messages or calls received, and timeline of events.
4
File a police FIR at your local station. Many banks require an FIR number before processing fraud claims. Get it even if the police seem unhurried about it.
5
Document everything — save all messages, screenshots, call logs. This is your evidence trail for both the bank and any insurance claim.

This process is exhausting, time-consuming, and — in most cases — doesn't get your money back. The 6% recovery rate exists even when complaints are made quickly and correctly. What the complaint process does is create the documentation trail that makes an insurance claim possible.

What cyber insurance actually covers

For individuals and small business owners, cyber insurance in India has become affordable and covers more than most people realise. The typical policy costs Rs 2,000–5,000 a year for individuals, Rs 5,000–15,000 for small businesses. What it covers:

Financial fraud recovery
Covers losses from UPI fraud, phishing, unauthorised transactions, and identity theft — up to the policy limit. This is the main gap that the banking system's 6% recovery rate creates.
Data breach costs
For businesses: covers the cost of notifying affected customers, regulatory compliance, forensic investigation, and data restoration after a breach.
Business interruption
If a cyberattack takes your systems, website, or payment infrastructure offline, covers lost revenue during the recovery period.
Legal and reputation costs
Covers legal defence if a third party claims your systems caused their data exposure. Also covers crisis PR costs for managing reputational damage.

What it doesn't cover: losses from investments or trading, losses from sharing your own PIN or password voluntarily (the "authorised transaction" problem), and in most policies, losses from cryptocurrency scams.

The authorised transaction exclusion is important. If you were tricked into approving a transaction — as in the collect request scam — many policies treat it as authorised and won't pay. Read your policy's definition of "unauthorised" carefully. The better policies cover social engineering fraud explicitly.

The protection that doesn't cost money

Before insurance, the most effective protection is knowing exactly what legitimate bank and payment requests look like — because most UPI fraud works by creating something that looks almost right.

Your bank will never call and ask for your OTP. Ever. For any reason. A UPI collect request is a request for you to send money — not receive it. Any payment request that asks you to enter your PIN is asking you to send money, not receive it. If someone calls claiming to be from NPCI, your bank, or any government authority and asks for any code, hang up immediately and call your bank directly on their official number.

These are things most people know in theory. They stop working in practice when the call is well-scripted, the caller knows your name and account details, and the urgency is manufactured convincingly. That's why cyber insurance exists — not as a substitute for awareness, but as the financial backstop for the moment when awareness wasn't enough.