The dark, murky rise of UPI scams

India’s contactless payments mechanism is fast becoming a hotbed for scammers exploiting new users, fear, and intimidation.

On Friday, 2 February 2024, global Fintech platform Lyra started accepting payments in Indian Rupee at the iconic Eiffel Tower in Paris. The launch, which was scheduled for months now and was coordinated by the public-sector entity NPCI International Payments Limited, the global proliferation arm of the National Payments Corporation of India (NPCI) itself, was a grand success. It created plenty of spectacle, marked as a landmark technology moment for India.

This is important, since until now, India has been a user and applications developer of underlying fundamental technologies that the West develops. With UPI, India is now at the forefront of contactless payments and the offering of Digital Public Infrastructure (DPI).

However, behind the glorious rise of UPI and India’s cashless economy, an equivalent rise has also taken place in the dark, murky industry of scams centered around UPI itself. To be sure, while UPI itself is not to be blamed, the growth of UPI scams is undeniable, for it today contributes to a massive chunk of cybercrime volume affecting users all across India.

“The digital economy runs on digital identities, and fraudsters are banking on that. Out in the ether, anyone can be anybody.”- Ranjan R Reddy, Founder & Chief Executive Officer, Bureau

Why do scammers love UPI?

The sheer volume of scams affecting UPI users across India is based on the stunning volume and value of UPI transactions in India. Official data from NPCI itself, as of 31 December 2023, shows that the total volume of UPI transactions has crossed 12 billion per month. The value of these transactions was a whopping Rs 18.2 lakh crore, or nearly USD 220 billion in just December 2023 itself.

This figure has also seen a staggering year-on-year (YoY) growth. The volume of transactions rose by 53.5% over December 2022’s 7.83 billion monthly transactions on UPI. The value of UPI transactions also grew 42.2% since December 2022’s Rs 12.8 lakh crore or USD 154.5 billion for that month.

It is this that scammers are targeting. Cybersecurity experts in India say that even if scammers can capture 1% of the overall UPI transaction value every year, the total value of cybercrimes through UPI will be at least USD 1.8 billion, or at least Rs 15,000 crore. This, to be sure, is the lower end of estimates, and the actual value of money that Indians are losing to UPI scams is far, far higher.

“RBI has mandated both banks and merchants to establish a fraud monitoring framework, including preventive and detective measures.”- Dnyanesh Pandit, Managing Director, Protiviti Member Firm for India

According to the data released by the Ministry of Finance in May last year, more than 95,000 cases of UPI scams were recorded by the end of March 2023. A report by the IIT Kanpur’s Future Crime Research Foundation in September last year said that between January 2020 and March 2023, there were approximately 23,000 cybercrimes every day. Out of this, nearly 77% were financial scams and crimes, and a whopping 47% involved UPI scams.

A May 2023 report by private digital identity startup Bureau had even higher estimates, pegging 55% of all financial cybercrimes to be linked with UPI scams.

How does a UPI scam happen?

While the modus operandi may vary, the overall format of a UPI scam takes advantage of a user’s emotional vulnerability and technological awareness at the core. Scammers cash in with blanket strategies, such as luring users under the premises of lottery wins, bank account suspensions, and other such strategies. Then, they use a range of tactics that include intimidation, coaxing by using identity data from stolen databases to offer fraudulent authenticity for gaining trust, and finally, attempting to strike fear by threatening actions such as complete freezing of bank accounts and visiting residences for failing to comply with instructions.

From January 2020 till March 2023, there were nearly 23,000 cybercrimes every day; 77% of these were financial scams and crimes of which 47% involved UPI scams.

In most cases, users are often asked to make small-ticket payments under the pretence of ‘verification’. In most cases, scammers promptly refund such small amounts to gain trust. Once they have gained a user’s trust, they subsequently send requests for bulk UPI payments from users. In other cases, they also show QR codes to users, urging them to enter their security PINs when prompted to verify their identities. These QRs are prepared with bulk money requests—thereby duping users of their hard-earned money.

What do cybersecurity experts say?

In a press note issued on 3 October, global cybersecurity firm Palo Alto Networks noted that in less than six years before April 2023, over 20,000 such QR scam cases were registered with the Bengaluru city police. This would only be a fraction of the actual number of such cases since public statistics suggest that over 80% of such cases go unreported due to users fearing further consequences, shame and societal embarrassment.

Vicky Ray, Director, Cyber Consulting and Threat Intelligence at Palo Alto Networks, said at the time, “With QR codes now deeply integrated into our daily lives, related scams have surged in prominence. Cybercriminals exploit this by surreptitiously replacing QR codes in establishments such as bars, restaurants, lounges, shops, and clubs. This can result in unauthorised UPI payments and potential financial harm. Incidents of scanner replacement fraud are on the rise, and the threat may escalate in the future. Vigilance is paramount for both individuals and merchants. Regularly inspecting their QR code scanners and implementing essential precautions is crucial to thwarting these fraudulent activities.”

Vitaly Kamluk, head of research for Asia-Pacific at Russian cybersecurity firm Kaspersky’s Global Research and Analysis Team, GReAT, also concurred on growing concerns around UPI scams in a press note from January 2023.

Even if scammers capture 1% of the overall UPI transaction value each year, the total value of UPI scams will be at least USD 1.8 billion or Rs 15,000 crore.

The FCRF whitepaper on cyber scams listed several reasons behind the proliferation of these attacks, which include the proliferation of AI tools and easily accessible knowhow of such scams, targeting of unemployed or under-employed youth by crime syndicates in satellite towns near urban hubs, inadequate Know Your Customer (KYC) verification processes, availability of fake SIMs and leaked databases in unofficial marketplaces, and easily accessible Virtual Private Networks or VPNs, to mask attacker identities.

Other factors, which many cybersecurity experts also agree with, include a saturated workforce in police teams in India, which prioritise other crimes before cyber frauds, and are also often not adequately trained to handle cybercrimes rising out of non-metropolitan towns.

A large part of these scams are linked with the inability to verify or authenticate identities on platforms across the internet, said Ranjan R Reddy, Chief Executive Officer of Bureau, in the company’s May 2023 ‘Anatomy of a Fraud’ report mentioned earlier in this story.

“The digital economy runs on digital identities, and fraudsters are banking on that. Out in the ether, anyone can be anybody. Identity is the critical question that Chief Risk Officers, CTOs, CIOs, CISOs, and their teams in businesses around the world ask every day. Not being able to discern which digital identities are trustworthy is the inflexion point between growth and failure. All it takes is for one bad actor to launch a successful digital fraud incursion for businesses to also lose consumer trust, brand equity, and revenue,” he said.

What can users do?

Through all of this, the greatest challenge behind UPI scams lies in the fact that they are not direct forms of cyber breaches, but are done by scammers convincing users to make a fraudulent transaction. As a result, it is difficult for any law agency to track and trace attackers, since they are also very good at hiding the trace of the money being stolen by them.

However, everything is not bleak. Dnyanesh Pandit, Managing Director of consulting firm Protiviti’s member firm for India, said that there are several steps that users can take to ensure their safety.

“These include checking the authorisation of a person seeking sensitive information, avoiding accessing links shared via spam-like emails or SMS messages, confirming the identity of requestor or payer on apps before making a payment, being aware of warning and alerts sent by third-party apps or regulators, avoiding installing and using apps from malicious sources, following recommended security and KYC practices that include the change of PINs and passwords regularly, monitoring the transaction history in their UPI accounts after every transaction, and avoiding using public or unsecured networks that can be easily accessed by hackers,” Pandit said.

He emphasised that the Reserve Bank of India has implemented a comprehensive framework to regulate entities participating in UPI transactions. These entities include Payer PSP, Payee PSP, Remitter Bank, Beneficiary Bank, NPCI Bank Account holders, and Merchants. “Both banks and merchants are required to establish a fraud monitoring framework, including preventive and detective measures,” he said.

The potential scale of UPI scams is, at the end of the day, endless. Overall industry estimates state that there could be nearly 12,000 such scams happening across the country each day, with most of them bearing an average value of under Rs 10,000. Even at such averages, we are looking at thousands of crores being lost to UPI scams every year. Since they are not data breaches per se, no amount of policy measures or intervention from the Indian Cyber Emergency Response Team, CERT-In, can help in this regard.

“Regularly inspecting their QR code scanners and implementing essential precautions is crucial to thwarting these fraudulent activities.”- Vicky Ray, Director, Cyber Consulting and Threat Intelligence, Palo Alto Networks

The only resolution, therefore, is to spread user awareness and education, urging them to verify identities before making payments. Each of the top three UPI apps—Google Pay, Paytm, and PhonePe—prompts users to be doubly sure in case any unusual payment times and patterns are detected.

The ball, therefore, lies in users’ courts. After all, if the growing reputation of scams around UPI isn’t checked, India’s global DPI dreams could very well see a dent that is not even the direct architectural fault of the payment technology itself.

 By Vernika Awal

feedbackvnd@cybermedia.co.in