India’s surge in mobile payments has also led to a rise in UPI scams, necessitating increased vigilance and proactive preventive measures.
The extent of monetary loss due to Unified Payments Interface (UPI) scams in India is quite alarming, though it is challenging to capture the total figure accurately. A striking example of this is an incident in Mumbai in 2023, where a sophisticated KYC scam led to the loss of about Rs 1 crore from 81 individuals. This scam involved fraudsters mistakenly transferring money to victims’ accounts and then persuading them to return it, only to hack into their bank accounts upon the return of the funds. This case is just one among many, showcasing the severity of such scams.
Criminals are increasingly leveraging AI technologies to create synthetic content, including deepfakes like audio, images, and videos to deceive victims.
Furthermore, a report by the Union Finance Ministry indicates the breadth of this issue, with over 95,000 cases of UPI transaction fraud recorded between 2022 and 2023 alone. This number, while not reflecting the total financial loss, gives us an idea of the frequency and potential scale of UPI-related frauds.
These figures underscore the critical need for users to remain vigilant and informed about the risks associated with digital transactions. It is a stark reminder of the importance of cybersecurity measures and awareness in our increasingly digital financial environment.
The many shades of UPI scams
There are several common types of scams associated with UPI. Firstly, we have phishing scams where scammers impersonate banks or UPI service providers through fake emails or messages. Their goal is to trick individuals into revealing their PINs and login details. Then there’s vishing, which is similar to phishing, but it happens over phone calls. Here, the scammers pretend to be bank officials or UPI representatives to extract personal information.
Another prevalent scam is related to remote access. In this case, fraudsters convince people to download certain remote access applications. This allows the scammer to take control of the victim’s device and access their UPI-linked accounts. There are also instances of fake UPI apps. These are counterfeit applications designed to look like legitimate ones. Unwitting users might download them and end up providing their transactional information to scammers.
QR code scams are also on the rise. Users are often deceived into scanning QR codes that lead to unauthorised transactions from their accounts. Another variant is the request money scam, where fraudsters send UPI collect requests and dupe users into approving them, leading to unauthorised debits from their accounts.
Additionally, SIM card swapping is a serious concern. In this fraud, criminals obtain a victim’s SIM card linked to their UPI-enabled mobile application. They can then receive OTPs and other verification codes meant for the victim, allowing them to access the victim’s UPI-linked bank account and carry out fraudulent transactions. To counter SIM card swapping, users must report lost or stolen SIM cards immediately to their mobile service providers. Also, implementing Two-factor Authentication on sensitive accounts can offer an additional security layer.
Finally, there’s the issue of app permissions abuse. Some fraudulent activities involve malicious apps that gain unauthorised access to a user’s device permissions. These apps often request excessive permissions, like access to SMS, contacts, or location data, and exploit this information for fraudulent transactions or to steal sensitive data. Users should be vigilant about the permissions they grant to apps, avoiding those that request unwarranted access to personal information.
Further, payment fraud through the use of AI will become sophisticated and will be a growing concern. Criminals are increasingly leveraging AI technologies, like generative AI, to create synthetic content. This includes advanced deepfakes encompassing audio, images, and videos that are so refined they can be almost indistinguishable from real content. These deepfakes can be used to deceive individuals and businesses, create bogus accounts, and execute complex social engineering scams. When it comes to UPI scams, it is a game of wits, not just technology. Our biggest shield is not just the code in the app, but the awareness in our minds.
QR code scams are on the rise and users are often deceived into scanning QR codes that lead to unauthorised transactions from their accounts.
Tech flaw or user behaviour?
It would be right to say that the majority of UPI scams happen more due to user errors rather than any fundamental flaws in the UPI system itself. The payments interface itself is designed by incorporating numerous security layers to safeguard transactions. However, the primary vulnerability lies not in the technology but in user awareness and behaviour.
Scammers are adept at exploiting human psychology, leveraging a lack of awareness to manipulate users into revealing sensitive information or taking risky actions. These fraudulent activities often leverage on social engineering tactics, where the focus is on deceiving the person rather than breaking through the technological defences of the UPI platform. So, the issue is less about technical shortcomings and more about educating and alerting users to these deceptive strategies. In the digital world of UPI transactions, the line of defense is often not just coded by developers, but also crafted by
informed users.
Options to deal with it?
Users can significantly reduce the risk of falling victim to UPI scams by taking several proactive steps. First and foremost, it is crucial to use trusted apps. Only download UPI-enabled applications from official app stores and ensure they are from reputable sources. Enabling Two-Factor Authentication (2FA) on all your UPI-linked accounts is another vital step, as it adds an extra layer of security.
It is also important to be cautious with unsolicited communication. Never share personal information, OTPs, or any sensitive data with anyone who contacts you out of the blue, even if they claim to be from a bank or a UPI service. When dealing with QR codes, verify their legitimacy to ensure they have not been tampered with.
Keeping your software updated is essential. Regularly update your mobile device’s operating system and applications to patch any security vulnerabilities. Education is your best defence; stay informed about the latest UPI frauds and scams to recognise and avoid them.
Never share your PINs, passwords, or bank account details with anyone. Be particularly wary of unexpected UPI requests, especially if they ask for money or personal information. Always verify the identity of the sender or the organisation before responding to any monetary requests.
Avoid downloading remote access apps, especially if suggested by strangers or unverified sources. Keep your UPI and banking apps updated to access the latest security features. Monitoring your transaction history and bank statements regularly is key to detecting any unauthorised activity.
Lastly, awareness and education are paramount. Keep yourself and your family members, especially those who are less tech-savvy, informed about the latest scam types. This knowledge is a powerful tool in preventing such scams.”
These strategies collectively form a robust defence against the evolving threats in the digital payment landscape.
In the unfortunate event that someone becomes a victim of UPI fraud, the immediate course of action is crucial. The first step should always be to contact the UPI service provider, be it GPay, PhonePe, Paytm, or any other, and inform them about the fraudulent transaction as soon as possible. It is important to flag the transaction and request a refund through the service provider’s support channels.
SIM card swapping enables criminals to receive OTPs and other verification codes, allowing them to access the victim’s UPI-linked bank account.
If you find that the UPI service provider is not responding adequately, your next step should be to approach the National Payments Corporation of India (NPCI). You can file a complaint on their portal at npci.org.in, utilising their UPI Dispute Redressal Mechanism.
Additionally, it is advisable to file a complaint with the Payment Service Provider (PSP) bank as well as the bank where you have your account. These institutions can also take measures to address the fraud. It is also important to extend the complaint beyond just the financial institutions. Filing a complaint on the Cybercrime portal and at a cyber police station is a critical step. You can also register a complaint on the National Cyber Crime Reporting portal.
Taking these steps not only helps in addressing the immediate issue but also aids in the larger fight against cyber fraud, contributing to a safer digital transaction environment for everyone. Quick action is crucial—report, respond, and recover. It is a chord that can help mitigate the damage.
By Vaibhav Koul
The author is Managing Director at Protiviti Member Firm for India.
feedbackvnd@cybermedia.co.in