One of the most prevalent UPI-based scams has nothing to do with malware, ransomware or hacking. It stems primarily from digital illiteracy among citizens and from fraudsters becoming better and better at social engineering attacks. Now, guess the fraud?
Yes, you are right, we are talking about UPI-based frauds perpetrated using remote screen recorder apps like AnyDesk, TeamViewer, QuickSupport etc.
In fact, these frauds created such havoc that even the RBI had to step in. Paytm and banks also had to issue similar advisories, to protect themselves from the reputational damage being caused by these apps.
Here is the actual warning about the AnyDesk app, issued by the RBI in February 2019.
RBI Warning About “Any-Desk” App:
In February 2019, the RBI alerted banks about fraudulent transactions on the Unified Payments Interface (UPI) platform. The RBI's cyber security and IT examination cell warned users that a mobile app, “Any-Desk”, was targeting customers' mobile phones.
It seeks permission to access and control the phone, like any other application. However, once the user grants the permission, the “AnyDesk” app allegedly steals confidential data on the phone to carry out fraudulent transactions through other payment apps available on the phone.
What are AnyDesk, TeamViewer etc. Apps?
These are screen recorder apps, used by IT professionals to work on remote devices. None of these apps (AnyDesk, TeamViewer or QuickSupport) is illegal.
Most of these frauds occurred due to the ignorance of citizens who don’t know how these apps function. Fraudsters exploited that ignorance to take control of their devices remotely.
Steps in AnyDesk Fraud:
Step 1: Fraudsters impersonate a representative of a bank or any other financial institution like the RBI, a telecom service provider etc. To make the call sound legitimate, they proceed with verification questions like name, DoB, mobile number etc.
Step 2: Fraudsters then ask you to download an app which gives them remote access to your mobile phone, so that they can carry out fraudulent transactions via UPI. Examples of such apps include AnyDesk, TeamViewer, Screen Share or any other third-party app.
Step 3: After you install the app, the fraudsters ask you to share the code, following which they get complete access to your device, without you even knowing it.
Step 4: Now the fraudsters can steal your passwords and transact with your UPI account. They no longer need to ask you for an OTP to make unauthorized transactions from your account.
How to Prevent Such UPI Frauds?
The best defense against these attacks is an informed user. Users need to be very vigilant and treat their access codes the same way they treat their personal data and possessions.
Avoid engaging with fraudsters: Banks and other genuine financial institutions never call to ask for or discuss confidential information. Further, to check the authenticity of unknown numbers, you may use free apps like Eyecon, Truecaller etc.
Be cautious of malicious apps: Fraudsters create fake mobile apps that look similar to original bank apps and upload them to the Google Play Store. When a person accidentally installs the fake app and grants the necessary permissions, it starts sending sensitive data to the fraudster. E.g., Modi BHIM, BHIM Modi, Modi ka BHIM apps etc.
Follow hygienic cyber security practices: These include not disclosing your password, UPI PIN, OTP or credit card details to any stranger; protecting UPI apps with biometric recognition software; installing and updating anti-virus and firewalls etc.
Procedure that Victims should Follow:
There is no strict procedure to be followed, except for rigid timelines as enumerated before. However, for maximum efficiency, the following procedure is recommended:
Step 1: The complainant/victim should lodge a complaint with the nearest Police Station or Cyber Cell. The following documents should be submitted along with the complaint:
The chats, fraudulent mails, voice recordings, phone messages etc. should be retained on the “Original Device” as such. This is important so that they can be adduced as evidence in a court of law. Once the contents are deleted from the original device, they lose their sanctity (even if they are present on other devices as forwarded material). Hence, care must be taken not to delete the original incriminating evidence.
Ideally, an FIR should be lodged (U/S 154 Cr.P.C), but if the police resist, get a DDR (Daily Diary Register) entry made and obtain a stamped copy as proof of submission of the complaint. Nowadays, several state police forces also allow such complaints to be lodged via mobile applications or web-based interfaces.
The whole idea is to use the FIR/DDR entry to lend weight and credibility to the complaint you will finally make to your bank.
Step 2: Submit a similar complaint to the nearest bank branch and the RBI branch. The complaint to RBI branch is primarily meant to pressurize the bank to deal with the case swiftly and strictly as per the procedure prescribed by RBI.
RBI Bank branches: The RBI branches pan India can be seen using this link: https://www.rbi.org.in/Scripts/Regionaloffices.aspx
Care must be taken to ensure you notify the bank within three working days of receiving the communication from the bank regarding the unauthorized transaction, to enjoy zero customer liability.
Step 3: Stay in contact with bank officials, seeking refund as per RBI guidelines. In case of delay, seek reasons for the same.
Here is the complete procedure to get a refund in online fraud cases: https://cyber-cops.com/blog/sop-for-money-refund-in-online-fraud-cases
Cyber criminals can stoop to any level to commit fraud. Therefore, we must remain cautious, as a simple mistake has the potential to empty our pockets.
Frauds using AnyDesk and similar screen recorder apps clearly show that fraudsters are becoming increasingly adept at social engineering attacks. With emerging techniques like deepfakes, social engineering attacks will continue to sharpen.
Hence, we must refrain from sharing sensitive information or from installing any app suggested by strangers, to remain safe and sound in the digital world.