NPCI, which stands for National Payment Corporation of India, was the organisation behind the idea of UPI, a user-friendly system in which funds can be directly transferred from the bank account to the account using a mobile phone. UPI is based on the concept of 1 click 2-factor authentication. The first factor is the user’s mobile phone itself, and the second factor is MPIN or bio-metrics. It is based on the IMPS(Immediate Payment Service), but there are considerable differences between both services, and we will observe it. With a foresight to make the Indian economy cashless, it helps people transfer funds in an immediate and real-time process. It has played a major role in the revolution of cashless transactions in India. Although significant UPI users are minor and much lesser compared to the Indian population, over 2.07 billion transactions per month have been made by UPI by October 2020, which makes it our essential part of our day-to-day life. This paper will discuss the working of UPI, how UPI is different from conventional cashless transaction methods. After that, we will discuss how the attacker can find the UPI’s loopholes (here we reviewed UPI BHIM 1.0) and empty the victim’s bank account. The attacker can make these attacks remotely, and these attacks can affect a single user to multiple users. We will also discuss how the attacker can achieve his/her goal using a malicious App. In the end, we will see how UPI BHIM 2.0 update was successful in covering this security loophole.