Security and Privacy Advice for UPI Users in India

Deepthi Mungara and Harshini Sri Ramulu, Paderborn University; Yasemin Acar, Paderborn University and The George Washington University

Unified Payments Interface (UPI) payment systems are widely used in India and are also gaining global traction. UPI enables people to make quick everyday transactions and recurring payments, including rent, gas, and electricity, using the same app. The widespread adoption of UPI has sparked significant concerns regarding users' security and privacy, especially due to an alarming number of UPI-related scams and fraudulent transactions. While prior work has explored the technical security of UPI, to address security threats effectively, we must understand user mental models, concerns, security information sources, and behaviors. In a mixed-methods study of 26 semi-structured interviews with UPI users from India and content analysis of 16 security information sources from regulatory bodies, UPI apps, and banks offering UPI, we explore user mental models, concerns, where and how they receive security advice, as well as their security-relevant behaviors. We provide an analysis of users' concerns and threats around UPI security and privacy and highlight gaps where official advice falls short. Further, we recommend that UPI providers and banks curate accessible and useful advice to better alleviate users' concerns, and increase their reach. We also recommend individual security and privacy practices for UPI users to protect themselves.

Category: Short Presentation

BibTeX
@inproceedings {308030,
author = {Deepthi Mungara and Harshini Sri Ramulu and Yasemin Acar},
title = {Security and Privacy Advice for {UPI} Users in India},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {6085--6103},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/mungara},
publisher = {USENIX Association},
month = aug
}
