
UPI and Net Banking Safety: A Setup Guide

A practical setup guide for UPI and net banking safety in India — the account settings, habits, and limits that block fraud before it reaches your money.

By Jay Sudha, Finance Educator · Updated June 3, 2026 · 12 min read

UPI and net banking have made moving money almost frictionless. The same frictionlessness is what fraudsters exploit. The technology underneath both is genuinely secure — UPI is built and operated by the National Payments Corporation of India (NPCI), and banks run net banking on encrypted, regulated infrastructure. What gets people into trouble is almost never a broken lock. It is being persuaded to open the lock themselves.

That distinction matters because it tells you where to spend your effort. You cannot out-engineer a payment system from your sofa, and you do not need to. What you can do is set up your accounts so that a single mistake cannot drain everything, and build a handful of habits that make the common tricks fail. This guide walks through both — the one-time setup and the everyday discipline — for a typical Indian user with a salary account, a couple of UPI apps, and net banking.

If you want the broader picture of how fraud works in India and how to report it, read our companion piece on protecting yourself from financial fraud. This article is the narrower, hands-on version: the screens to tap, the limits to set, and the rules to never break.

The One Rule That Stops Most UPI Fraud

Before any settings, internalise this: your UPI PIN authorises money leaving your account. It is never needed to receive money.

When someone sends you money on UPI, it simply arrives. You do nothing. You certainly do not enter a PIN. So the moment any screen, link, or caller asks you to "enter your PIN to receive the refund", "approve to collect the cashback", or "verify with your PIN to accept the payment", you are looking at a payment request dressed up as an incoming credit. If you enter your PIN, you are sending money out, not taking it in.

The classic version: you list something on a marketplace, a "buyer" calls, says they have paid, and sends you a "collect request" or a QR code, insisting you approve it to get the money. Approving it pays them. A QR code is always for paying, never for receiving. This single misunderstanding is behind a large share of UPI losses, and understanding it inoculates you against the whole family of scams.

Set Up Your UPI Apps Safely

A few minutes of configuration removes most of the risk surface.

Lock the app itself. Every UPI app lets you set an app lock — a separate PIN, fingerprint, or face unlock that is asked each time you open it. Enable it. This protects you if your phone is unlocked and out of your hand for a moment.

Set transaction limits low. UPI has a network-level per-transaction cap (₹1 lakh for most payments, higher for specific categories), but you can usually set your own lower daily limit inside the app or at the bank. For an everyday-spending app, a daily limit of ₹25,000–₹50,000 is plenty and caps the damage from any single bad moment. You can always raise it temporarily for a genuine large payment.

Use a separate, low-balance account for UPI. This is the highest-impact structural choice. Link UPI to a secondary savings account that you keep topped up with a small working balance — say ₹10,000–₹20,000 — and keep your salary, emergency fund, and savings in a primary account with no UPI link at all. When you need to spend, you move money into the UPI account; the rest stays out of reach of any UPI-based attack.

Turn off "UPI collect" requests if you can. Many apps let you disable or restrict the ability of strangers to send you collect/payment requests. If yours does, switch it off. You will still be able to pay merchants by scanning their codes; you simply stop receiving unsolicited "approve this to get paid" prompts.

Register each UPI handle deliberately. It is fine to have more than one app, but every app linked to an account is another door. Keep the number small, and delete apps you no longer use after first de-registering the UPI ID inside them.

Set Up Net Banking Safely

Net banking holds more money and more power than a UPI app — fund transfers, beneficiary management, cheque-book and card requests — so it deserves stricter hygiene.

Use a long, unique password and a password manager. Your net banking password must not be reused anywhere else. The realistic way to manage a genuinely unique, long password is a password manager. Our guide to protecting yourself from financial fraud covers the case for this in more depth; for net banking specifically, it is close to non-negotiable.

Enable every alert the bank offers. SMS and email alerts on every debit, every login, every beneficiary addition, and every limit change are your early-warning system. The faster you notice an unauthorised transaction, the stronger your position — both practically and under the regulatory framework.

Reach the site the right way. On a computer, type the bank's web address yourself or use a bookmark you created. Never click through from an email, an SMS, or a sponsored search result — these are the prime channels for fake look-alike login pages. On a phone, prefer the official app over the browser.

Add a cooling-off on new beneficiaries. Most banks impose a short delay and a lower limit on a newly added payee before full transfers are allowed. Do not ask the bank to remove this. The delay is precisely what gives you time to catch a fraudulent beneficiary that a scammer talked you into adding.

Log out and avoid shared or public devices. Always use the explicit log-out button rather than just closing the tab, and never do net banking on a public or borrowed computer.

A Quick Comparison: Where the Risks Differ

Different channels fail in different ways. Knowing the failure mode tells you which habit protects you.

| Channel | Main risk | What it can cost you | Your strongest defence |
|---|---|---|---|
| UPI payment | Tricked into approving a payment / collect request | The linked account balance | Separate low-balance account; never approve to "receive" |
| UPI on a new phone | SIM/number takeover, then app re-registration | Whatever the account holds | SIM lock, app lock, alerts on registration |
| Net banking | Fake login page; OTP shared with a caller | Larger transfers, beneficiary fraud | Password manager, bookmark the site, never share OTP |
| Screen-sharing app | Attacker sees your screen and OTPs live | Everything visible during the session | Never install an app a caller asks for |
| Card on UPI/online | Card details captured on a fake page | Card limit | Use UPI or virtual cards; watch alerts |

The pattern across the table is consistent: the technology rarely breaks, but your participation can be engineered. Limits and separation reduce the blast radius; habits stop the trigger being pulled.

A Worked Example

Take Ananya, a 31-year-old salaried professional in Pune. Before her cleanup, she had one salary account linked to two UPI apps and used the same password for net banking that she used for an online shopping site that had been breached a year earlier. Her daily UPI limit was the default ₹1 lakh, and she had alerts only on transactions above ₹5,000.

She restructures over a single weekend:

  • She opens a separate savings account purely for UPI and keeps about ₹15,000 in it. Her salary account is de-linked from both UPI apps.
  • She sets the UPI daily limit on the spending account to ₹30,000.
  • She changes her net banking password to a long, unique one stored in a password manager, and enables alerts on every debit and on beneficiary additions.
  • She deletes one of the two UPI apps she rarely used, de-registering the UPI ID first.

A month later she gets a call: someone claims a ₹2,000 refund is "stuck" and sends a collect request, asking her to approve it with her PIN. Because she now knows that no PIN is ever needed to receive money, she declines and hangs up. Even if she had slipped, the most she would have exposed was the ₹15,000 in her UPI account — not her salary, not her emergency fund. The structure turned a potential disaster into, at worst, a small one.

If you want to see how this kind of account structure fits into a wider system of automation and reviews, our piece on how to automate your savings shows how the primary and secondary accounts can work together.

Protecting the Phone Itself

Both UPI and net banking increasingly live on your phone, which makes the phone a single point of failure worth hardening. Two threats matter most.

SIM and number takeover. Much of your security flows through your mobile number — OTPs, app re-registration, account recovery. If an attacker takes control of your number (through a fraudulent SIM swap or by tricking your operator), they can attempt to register your UPI on a new device or intercept OTPs. You reduce this risk by setting a SIM PIN so the SIM cannot simply be moved to another phone and used, by acting fast if your signal mysteriously drops for an extended period (a possible sign of a SIM swap), and by never sharing the OTPs your operator sends for SIM-related changes.

A lost or stolen unlocked phone. If your phone is taken while unlocked, every app on it is exposed. The defences stack: a strong device lock (PIN or biometric, not a swipe pattern), a separate app lock on each UPI and banking app, and the discipline of not staying logged into net banking in a browser. Together these mean that even physical possession of your phone does not hand over your accounts. Keep your bank's helpline and 1930 saved somewhere you can reach from another device, so a stolen phone does not also cost you the means to report it.

The phone is the device you guard least and use most for money. A few minutes spent on SIM and app locks closes the gap that the most damaging takeovers depend on.

Common Mistakes

Entering the UPI PIN to "receive" money. The single most expensive misunderstanding in Indian digital payments. The PIN only ever sends money out.

Sharing an OTP with anyone, for any reason. An OTP is a one-time key to your transaction. No bank officer, no payment-app "support", no government office ever needs it. Reading it out loud is handing over the key.

Installing a "support" or screen-sharing app on request. AnyDesk, TeamViewer, QuickSupport and similar are legitimate tools being weaponised. If a caller wants you to install one to "fix" or "verify" anything, end the call.

Reusing your net banking password. If that password leaks anywhere else, your bank login leaks with it. Unique-per-site is the only safe model, and a password manager is what makes it practical.

Keeping everything in one UPI-linked account. A single compromised moment then exposes your entire balance. Separation caps the loss.

Trusting the caller ID or a "verified" badge. Phone numbers and sender IDs are trivially spoofed. The fact that a call appears to come from your bank's number proves nothing.

Reaching net banking through links and search ads. Fake login pages are most often delivered this way. Type the address or use your own bookmark.

Ignoring small alert SMSes. That ₹1 "test" debit you almost dismissed can be a fraudster checking the account is live before a larger hit. Read your alerts.

What to Do Next: A Checklist

  • Open or designate a separate low-balance savings account for UPI; de-link UPI from your salary/savings account.
  • Set a sensible daily UPI limit (for many people, ₹25,000–₹50,000) on the spending account.
  • Enable the app lock (PIN/biometric) on every UPI app, and delete apps you do not use after de-registering them.
  • Switch net banking to a long, unique password stored in a password manager.
  • Turn on alerts for every debit, login, and beneficiary addition by SMS and email.
  • Bookmark your bank's net banking page; never reach it via links or ads. Prefer the official app on your phone.
  • Keep the new-beneficiary cooling-off and lower initial limits switched on.
  • Memorise the two rules: never enter the UPI PIN to receive money, and never share an OTP or install an app a caller requests.
  • Save 1930 (the national cyber-fraud helpline) and your bank's 24x7 fraud number in your phone now, so you are not searching for them in a panic.
  • If an unauthorised debit happens, report it to your bank and at cybercrime.gov.in / 1930 the same day — reporting speed strongly affects your liability.

Tighten these once and your day-to-day use of UPI and net banking stays exactly as convenient as before — only with far less of your money exposed when something goes wrong. Pair this with a clear view of your overall finances using a net worth tracker and the broader habits in protecting yourself from financial fraud, and you have a quietly resilient setup.

Disclaimer: This article is for educational and organisational purposes only and is not financial or legal advice. For legal or estate matters, consult a qualified professional.
