The National Payments Corporation of India (NPCI) is preparing to pull the plug on a key feature of the Unified Payments Interface (UPI) that has long made peer-to-peer (P2P) transactions both convenient and, increasingly, risky. Starting October 1, 2025, the NPCI will phase out the “collect request” feature for P2P transactions; a move aimed squarely at curbing the rising tide of financial fraud in the digital payments ecosystem. While UPI has revolutionised the way Indians transfer money, enabling instant, secure, and cashless transactions, the decision to eliminate this particular functionality marks a significant shift in how the country’s most widely used payment system operates.
The “collect request”, or “pull transaction”, allows a user to request money from another person. Unlike a conventional UPI transaction, where the sender initiates payment and enters the UPI PIN to authorise the debit, a pull transaction requires the recipient to approve the request by entering their PIN. At first glance, it seems a convenient feature: instead of waiting for payment, one can request funds directly, prompting the payer to act. However, the convenience has a darker side. Fraudsters have exploited this mechanism in a variety of ingenious ways, leveraging human psychology, trust, and digital naivety to siphon funds from unsuspecting users.
Cashback scam
Perhaps the most notorious example is the “refund” or “cashback” scam. A scammer posing as a customer service representative from a popular e-commerce platform contacts a user with the promise of a pending refund or cashback. The victim is assured that money is on its way, but instead of receiving it directly, they are prompted to approve a collect request. Many, assuming they are about to receive funds, enter their UPI PIN, inadvertently authorising a debit transaction that transfers money straight to the fraudster’s account. Simple as it sounds, this scam exploits a fundamental misunderstanding between the act of sending and receiving money, preying on users’ expectations and trust in established brands.
The second common variant targets online marketplaces and classified platforms. An unsuspecting seller, listing items ranging from bicycles to electronics, receives a message from an alleged buyer who agrees to pay via UPI. The buyer sends a collect request for the agreed-upon amount, often with a note implying that the payment has already been made. Confused by the phrasing and eager to complete the sale, the seller enters their PIN, thinking they are confirming receipt of funds. In reality, the money is debited from their account and disappears into the hands of the scammer. The cycle of trust, urgency, and misdirection that fraudsters create in such scenarios underscores just how vulnerable digital payment users can be.
Prize money scam
Even seemingly trivial interactions, such as the “lottery” or “prize money” scam, expose users to financial risk. Fraudsters reach out to individuals, claiming they have won a contest or lottery, sometimes involving sums that are wildly enticing. To claim the prize, users are instructed to “verify” their account via a nominal UPI transaction, often just ₹1 or ₹10. While the amount is small, it accomplishes a crucial objective for scammers: confirming the account is active and that the user is willing to respond to requests. Once this foothold is established, more elaborate ploys follow, gradually escalating the financial damage.
These scams share a common thread: they manipulate perception. The distinction between a push transaction, where funds are sent, and a pull transaction, where funds are requested, is subtle yet critical. Fraudsters exploit the inherent ambiguity in UPI notifications, creating a sense of urgency that compels users to act without careful scrutiny. Trusted identities, whether mimicking customer service teams or known marketplaces, lend credibility to the scam, further lowering the victim’s guard.
Recognising the gravity of the threat, NPCI has decided to eliminate P2P pull transactions entirely. The move is not without precedent. In 2019, NPCI had capped pull transactions at ₹2,000 to limit potential exposure, but fraudsters adapted quickly, continuing to exploit even small-value transactions. By removing the feature altogether, the regulator shifts the balance of control decisively to the payer, ensuring that the UPI PIN is required only when a user initiates a debit. This fundamentally strengthens the security framework of India’s digital payments ecosystem, reducing the scope for deception and restoring user confidence.
Control matters
Critically, this change also reflects a broader philosophy: in digital finance, control must rest with the individual authorising the outflow of money. The pull request mechanism, while designed to simplify transactions, inadvertently handed over control to third parties, relying on users to correctly interpret the flow of funds. In practical terms, many people were unaware that approving a collect request could result in a debit from their account, a gap that fraudsters exploited ruthlessly. NPCI’s policy revision closes this loophole and sends a clear signal: simplicity cannot come at the cost of security.
The implications of this decision extend beyond fraud prevention. It will also influence how businesses, digital platforms, and fintech start-ups design their payment interactions. Merchant-facing applications may need to adjust workflows that relied on collect requests, while social commerce and peer-to-peer platforms will have to guide users towards push-based transactions. Financial literacy campaigns will gain renewed importance, as the shift will require users to understand the nuances of transaction initiation in a cashless economy.
For the average UPI user, the immediate impact is largely positive. While the convenience of sending a collect request will disappear, the likelihood of being scammed through a deceptively framed payment request diminishes significantly. Push transactions, where the sender fully initiates the transfer, are inherently safer because they require conscious intent and action from the party whose money is at stake. This structural change aligns with broader efforts to create a more robust, fraud-resilient financial ecosystem, one that supports both innovation and security.
In a country that has embraced digital payments at an unprecedented scale, UPI is more than a payment method; it is a social and economic enabler. It fuels small businesses, empowers gig workers, and supports government initiatives promoting cashless transactions. Yet, as with any transformative technology, the very features designed for convenience can be weaponised in the wrong hands. NPCI’s decision to disable pull transactions is a timely and necessary recalibration, one that prioritises the security and trust of users over marginal convenience.
Ultimately, the story of UPI pull transactions is a cautionary tale about the intersection of human behaviour, technology, and regulation. Fraudsters exploit not just systems, but also the natural instincts of trust, haste, and expectation. By redesigning the rules of engagement, NPCI is not only thwarting fraudsters but also nudging the public towards safer digital habits. The shift reinforces a vital lesson: in the digital age, security is not an optional feature; it is the foundation upon which convenience and growth must be built.
As the October deadline approaches, users are advised to recalibrate their understanding of UPI interactions, ensuring that every payment is consciously initiated. For the ecosystem at large, the move is a reminder that technology and regulation must evolve hand-in-hand to protect the integrity of financial systems. The sun may be setting on pull transactions, but the dawn of a safer, more secure UPI landscape is clearly on the horizon.
Jain is Assistant Professor, Shyam Lal College, University of Delhi, and Gupta is a seasoned technocrat based in Delhi. Views are personal
Published on September 25, 2025
