Payment scam websites — 12 red flags fraudsters hope you miss.

• Cheap, disposable infrastructure A scammer registers a domain, throws up a cloned store, runs a week of ads, takes the money, abandons the domain before law enforcement moves. The whole cycle costs less than $50.
• Bait is paid traffic, not spam email Most victims land on a fake checkout via a Google Ad, Instagram promotion or sponsored Telegram post — sources they implicitly trust.
• Payment rails are irreversible UPI, crypto and bank transfer can't be charged back the way card payments can. Scammers route you toward these rails on purpose.

Fastest checks happen before you even read the page. Look at the URL bar:

• #1 — Domain is brand-new Less than 90 days old is suspicious. Less than 30 days old on a site that is actively selling is a near-certain scam. WHOIS shows registration date in seconds.
• #2 — WHOIS is fully redacted Privacy services are normal — most real domains use them. What is not normal is a redacted record on a domain claiming to be a registered Indian company with a GSTIN. Real businesses verify registrant details for credibility.
• #3 — TLD is obscure Real Indian retailers use .com, .in or .co.in. Be cautious of .xyz, .top, .shop, .online, .store on sites pretending to be major brands. Cheap TLDs dominate scam registrations.
• #4 — URL is brand-name plus a suffix flipkart-deals.store, amazon-india-offer.xyz, myntra-sale.top. Real brands own their root domain — they don't run promotions on a separate suspicious URL.

Once you are on the page, the next signals are visual and structural:

• #5 — Discounts that don't match the brand's history 80–90% off iPhones, branded shoes "clearance" sales, ₹999 PS5s. Real brands have margin floors. If the price breaks the floor, the page is fake.
• #6 — Mismatched logos and trust badges Look closely. Fake sites grab logos from Google Images and shove them in. Resolution is off, colors slightly wrong, badges link nowhere or to dead URLs. Click "Verified by Visa" — on a real site it goes somewhere.
• #7 — No working customer support Phone numbers that don't connect, email on free Gmail accounts, chat widgets that auto-respond with generic text. Real retailers, even small ones, have at least one channel that actually replies.
• #8 — Trust signals point nowhere "Trusted by 50,000 customers" with no reviews. A Trustpilot widget that doesn't link to a real Trustpilot profile. "Featured in Forbes" with no actual article. One alone is weak signal; three together is a pattern.

The moment you click Pay is when the scam earns its money — and where it is most obvious if you know what to watch for:

• #9 — Checkout URL changes to a different domain Real payment gateways open in a subdomain of the merchant or in a clearly-branded gateway page (Razorpay, Stripe, PayU). If the URL jumps to something unrelated mid-checkout, stop.
• #10 — Site insists on bank transfer or UPI only Scammers avoid card payments because cards can be charged back. If a site refuses cards, refuses cash on delivery, pushes hard toward direct UPI or NEFT — that is deliberate.
• #11 — UPI ID looks personal vinod.kumar1987@oksbi on a checkout page claiming to be a registered company. Real merchants have business UPI handles ending in @axisb, @razorpay or @hdfcbank — never a personal Gmail-style handle.
• #12 — Pressure tactics during payment Countdown timers that reset, "only 1 left in stock", popups saying someone else is buying it right now. Real e-commerce uses urgency too — scam sites lean on it because urgency stops people running the checks above.
• Hard rule If the site refuses card payments and only accepts UPI / bank transfer / crypto — walk away. Even if the offer is real, you have no recovery path if anything goes wrong.

• The collect-request flip You are trying to receive money (refund, prize, sale proceeds). The scammer sends a UPI collect request that looks like an incoming credit. You approve and you are actually authorizing a debit. Always read the request — "Pay ₹X to Y" means you are paying.
• The dynamic QR Scammers print QR codes that lead to a fake payment page, not a real UPI intent. The fake page asks you to enter your UPI PIN to "confirm" — a real UPI flow only ever asks for the PIN inside your bank's app, never on a webpage.
• The "test transaction" The scammer offers to send a small amount to verify your account. They send ₹1, ask you to send ₹1 back to "confirm" — and now they have your UPI handle, phone number and willingness to transact. The real attack comes next.

Spotting one red flag means slow down. Two means run a full check. Three or more means leave the site without paying, and report it.

• Don't pay Even if you have already added items to a cart, losing a few minutes is nothing compared to losing the money.
• Run a domain health scan WHOIS, SSL, DNS, blacklist — all in one place. Takes under a minute and confirms what your gut is already telling you.
• Report it File on cybercrime.gov.in if you are in India. Report to Google Safe Browsing. Report to the brand being impersonated — most have security teams that take these down within hours.
• Warn the next person Post the URL (with hxxp:// instead of http:// so links don't auto-render) in any group where the same scam might spread.

• What is the most common payment scam pattern in India? The brand-impersonation discount page: a clone of a major retailer (Flipkart, Amazon, Myntra, Croma) on a lookalike domain, advertising 70–90% off via paid ads, accepting only UPI. Highest-volume pattern by far.
• Can a website with HTTPS still be a scam? Yes. HTTPS only encrypts the connection. It doesn't verify the operator's honesty. Most payment scam sites in 2026 carry valid SSL certificates from free authorities like Let's Encrypt.
• How fast can a fake checkout page disappear? Often within 7–14 days. Scammers run a domain for as long as it takes to get noticed, then move to a fresh one. Domain age is such a strong signal because the scam is racing against detection from day one.
• Are UPI scams reversible? Rarely, and only if you act fast. Report to your bank within 24 hours, file on the national cybercrime portal, request a hold on the recipient's account. Recovery rates drop sharply after the first day and approach zero after a week.