I heard that as long as the transaction is in unconfirmed status, the sender can manipulate it and get back the money.
Is that true?
It's called double spending. It's done by broadcasting another transaction and having it confirmed before the first one is. But nodes will reject transactions that have the same input(s) as the one that is already in their mempool, so you'll need to wait for the majority of the network to drop the first transaction before broadcasting the second transaction.
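
The mempool conflict check described in the answer above, seen from the receiver's side, as an added example that is not part of the original thread and not any node implementation's code. `Tx`, `Node` and `payment_status` are hypothetical names, the transactions are constructed sample data, and the model covers only the first-seen rule (no fees, signatures or replacement policies).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple  # outpoints this tx spends, e.g. ("utxo_a:0",)

class Node:
    """Toy node with a first-seen mempool (a simplified model)."""
    def __init__(self):
        self.mempool = {}   # txid -> Tx
        self.spent_by = {}  # outpoint -> txid of the mempool tx spending it

    def accept(self, tx):
        """Return (accepted, txids already in the mempool that conflict)."""
        conflicts = sorted({self.spent_by[o] for o in tx.inputs if o in self.spent_by})
        if conflicts:
            return False, conflicts  # same input(s) already spent: reject
        self.mempool[tx.txid] = tx
        for o in tx.inputs:
            self.spent_by[o] = tx.txid
        return True, []

    def drop(self, txid):
        """Evict a tx (for example on expiry); its inputs are free again."""
        tx = self.mempool.pop(txid, None)
        if tx:
            for o in tx.inputs:
                self.spent_by.pop(o, None)

def payment_status(node, payment, confirmations):
    """What a receiver can conclude about a payment from this node's view."""
    if confirmations > 0:
        return "confirmed"
    if payment.txid in node.mempool:
        return "unconfirmed"  # still reversible, not final
    if any(o in node.spent_by for o in payment.inputs):
        return "conflicted"   # another tx now spends the same inputs
    return "dropped"          # no longer held by this node

def demo():
    node = Node()
    pay = Tx("pay_merchant", ("utxo_a:0",))  # constructed sample data
    other = Tx("conflicting", ("utxo_a:0",))  # spends the same input
    out = [node.accept(pay), node.accept(other), payment_status(node, pay, 0)]
    node.drop(pay.txid)
    out += [payment_status(node, pay, 0), node.accept(other), payment_status(node, pay, 0)]
    return out

if __name__ == "__main__":
    print(demo())
```

A receiver who releases goods only on "confirmed" is unaffected by the "dropped" and "conflicted" states shown here.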