The Evolving Landscape of Merchant Fraud in India: What Businesses Should Know

Merchant fraud in India has grown sharply in recent years. Industry reports indicate a significant surge in digital payment scams targeting small and medium businesses. As UPI transactions hit new highs, fraudsters are quickly finding new ways of exploiting unsuspecting merchants across online marketplaces, service outlets and retail stores.

For Indian Small & Medium-size businesses (SMBs), the stakes are even higher. A single fraudulent transaction can lead to compromised customer trust, financial losses, operational disruptions, and in some cases, chargebacks and account freezes.

This article explains the common types of merchant fraud in India and how merchants and businesses can protect themselves.

1. UPI & QR code scams: QR code scams are among the most common fraud tactics targeting small businesses in India. Fraudsters use vishing calls, paste fake QR codes over legitimate ones, share them via WhatsApp/SMS or email, and even display doctored payment screenshots to trick merchants. These scams often strike during peak hours, causing merchants to hand over goods without receiving actual payments. Key red flags include requests to “verify” or “reverse” payments, reliance on screenshots, or QR codes received digitally instead of being scanned from merchant’s official standee.

Pro tip: Merchants must always verify transactions directly in the bank or payment app and wait for official confirmation before completing the sale.

1. Fake orders, friendly fraud & chargebacks: These frauds are increasingly impacting both online and offline merchants in India as e-commerce grows. Customers dispute payments after receiving goods, sometimes as deliberate “friendly fraud,” other times driven by organized groups placing bulk fake orders. Merchants not only lose the delivered goods but also bear refund costs, chargeback fees, and the risk of penalties or stricter scrutiny from payment gateways.

Pro tip: Clear refund policies and strong documentation can significantly strengthen merchants’ defence against fraudulent claims and payment disputes.

1. Identity & KYC fraud: As digital adoption accelerates, a growing category of merchant fraud involves Identity & KYC misuse, where fraudsters use forged documents or stolen business credentials to create fake merchant accounts. These accounts often appear legitimate, enabling further fraud such as unauthorised withdrawals and fake refunds. For genuine businesses, such identity misuse can lead to regulatory scrutiny, operational blocks, and serious reputational damage. 

Pro tip: Platforms should strengthen merchant onboarding with mandatory physical and owner verification, dedupe (data duplication) checks, and secure digital signatures - standards followed by reliable partners such as PhonePe.

1. Aadhaar Card fraud: With increasing dependence on digital identity systems, scammers are misusing or falsifying Aadhaar-linked documents through fake websites, vishing calls, phishing links, and SIM-swap attacks to steal sensitive details. Once compromised, attackers can initiate unauthorised transactions, open fraudulent accounts, or even use shell entities for money laundering. Beyond financial loss, merchants also face potential regulatory and legal consequences.

Pro tip: Robust, official-channel identity verification with API-based KYC and live photo checks are the strongest defences against Aadhaar-related fraud.

1. Invoice scam: Invoice manipulation is a growing threat for SMBs, with scammers posing as trusted vendors or executives, sending fake invoices, or claiming updated bank details. In more advanced cases, attackers intercept email exchanges and change payment instructions. The risk also comes from within, as employees with billing access can manipulate invoices or divert funds for personal gain.

Pro tip: Direct vendor confirmation, secure channels, and automated reconciliation tools can significantly reduce a merchant’s exposure to invoice manipulation.

1. Phishing, smishing & malware attacks: These are some of the most common online threats, with fraudsters sending fake emails, messages, or smishing alerts that mimic banks or payment platforms to steal UPI PINs, login details, or device access. These messages often appear legitimate, framed as urgent KYC updates or reward notifications, and may also direct merchants to malware-infected apps or websites. Once credentials are compromised, attackers can access payment dashboards and other sensitive business information.

Pro tip: Merchants should be cautious of unsolicited messages, verify all requests, and never share confidential information like UPI PINs, CVV, or OTPs, no matter how legitimate a message appears.

Payment platforms such as PhonePe never ask for sensitive information via calls or messages and offer in-app security alerts to educate merchants about emerging scam tactics.

Emergency Fraud Response Checklist

If merchants ever find themselves being targeted by a fraud attempt, the first step is not to panic. Here’s what can be done next:

1. Conduct a verification through official portals by calling the bank or payment provider using details listed on their official website or app
2. Documentation is very important. Take screenshots of messages, links, caller IDs or any suspicious activity.
3. Report the incident immediately to the payment provider so they can secure the merchant’s account.
4. Reporting on PhonePe:
   1. PhonePe app: Go to the Help section and raise a complaint.
   2. PhonePe customer care: Call 80-68727374 / 022-68727374
   3. Social media reporting:
      1. Twitter: PhonePe Support
      2. Facebook: PhonePe Official
   4. Grievance Redressal: File a complaint at PhonePe Grievance Portal.
5. File a complaint on the National Cyber Crime Reporting portal (cybercrime.gov.in)
6. Inform customers if there is any chance their data or invoices were exposed.
7. Change passwords and PINs, log out of all devices, and review who has access to business accounts.

Read More: Shilpa Shetty Breaks Silence On Fraud Allegations In ₹60 Crore Cheating Case: Mischievous Attempt To Impute Criminal Liability On Me