The Other Side of the Counter: Why Merchants Are Fraud’s Forgotten Victims

Consumers get the warnings. Businesses bear the losses. Here’s what every merchant accepting digital payments needs to know.

When we talk about digital payment fraud, the conversation centres on consumers — the individual who lost savings to a phishing link, the professional trapped in a “digital arrest” scam.

But there’s a less visible victim in India’s fraud story: the merchant. The shopkeeper who handed over an iPhone because a “customer” flashed a fake Google Pay screenshot. The petrol pump attendant who gave out cash change against a PhonePe confirmation that never actually happened. The restaurant owner whose QR code was quietly replaced with a fraudster’s sticker overnight.

A CloudSEK report estimated that Indian businesses could lose up to ₹20,000 crore to cybercrime in 2025, with retail and e-commerce alone facing ₹5,800 crore in projected losses. Globally, e-commerce merchants lose nearly 3% of revenue to fraud annually. For a small Indian business on thin margins, even one fraudulent transaction can wipe out a month’s profit.

As the RBI observes Digital Payments Awareness Week 2026 with the theme “be alert to avoid frauds,” the message of thoda dhyan se applies to businesses just as urgently as it does to consumers. Perhaps more so — because merchants face fraud vectors that most consumer awareness campaigns never address.

The Four Frauds Every Indian Merchant Should Recognize

1. The Fake Screenshot

The most common merchant-targeted scam in India. The “customer” shows a fabricated payment confirmation — a doctored screenshot or a purpose-built fake UPI app with sound effects — and walks away with the goods. In Gujarat, fraudsters used a fake Paytm app to take an iPhone from a store. At petrol pumps in Indore, scammers pocketed cash change against phantom payments. A screenshot is never proof of payment. Only a confirmed credit in your bank account or merchant dashboard is.

2. QR Code Tampering

Fraudsters paste their own QR code sticker over a merchant’s legitimate one — typically during off-hours. Every customer who scans it sends money to the fraudster. The merchant doesn’t realize until reconciliation doesn’t add up. Inspect your QR display daily — and ideally use dynamic QR codes that are generated per transaction rather than static ones.

3. The Reverse Collect Request

A “customer” sends a UPI collect request claiming it’s a payment. In the rush of a busy counter, the merchant approves it — and money leaves their account instead of arriving. NPCI has discontinued the P2P collect feature to curb this, but variations persist. The golden rule: you never enter your PIN to receive money.

4. Fake Customer Care & Supplier Impersonation

Someone calls posing as “UPI support” or your payment provider, claiming a problem with your merchant account. They ask for OTPs or remote screen access. A related variant targets B2B payments: fraudsters impersonate suppliers and redirect invoices to new bank details. A Delhi MSME lost ₹10 lakh to exactly this attack. Verify every payment redirection request through your existing, known contacts — never through details provided in the request itself.

Five Habits That Protect Your Business

• First, never release goods or services until you see the credit confirmed in your own system — not on the customer’s screen, not in a screenshot, not in a WhatsApp message. Your bank app, your merchant dashboard, or your payment soundbox are the only sources of truth.
• Second, enable real-time payment alerts. SMS notifications, in-app alerts, and UPI soundbox devices eliminate your dependence on what the customer shows you.
• Third, inspect your QR code daily. Make it the first thing you check when opening. If possible, switch to dynamic QR codes generated per transaction — they can’t be tampered with.
• Fourth, train every staff member who handles payments. The best payment infrastructure can’t protect you if your counter staff doesn’t know that entering a UPI PIN means sending money, not receiving it.
• Fifth, put it in writing. A simple sign at checkout — “We verify every transaction through our system. Screenshots are not proof of payment” — sets expectations and deters scammers.

The Bigger Picture

India’s 7.3 crore registered MSMEs are the backbone of the economy, and UPI has been transformational for them. But as digital adoption surges, fraud awareness at the merchant level hasn’t kept pace. The government’s Financial Fraud Risk Indicator and RBI’s proposed compensation framework are strong systemic steps.

At Toucan Payments, we see the merchant side of this equation daily — processing transactions across multiple markets, we know that trust is built one verified transaction at a time.

But until fraud prevention becomes as routine as opening the cash register, the onus falls on every business owner. The RBI’s message this week is simple: thoda dhyan se. For merchants, that means: verify before you hand over, alert before you assume, and train before you trust.

Because in a country processing 700 million UPI transactions daily, every counter and every QR code is a potential point of attack. The merchant who pauses to verify is the merchant who doesn’t become a statistic.