What are UPI Based Frauds & How to Prevent in India 2020

What are UPI Based Frauds & How to Prevent in India 2020

What are UPI Based Frauds & How to Prevent in India:

In India, Unified Payment Interface (UPI) has been created by National Payments Corporation of India (NPCI). It aims to merge several banking features into a single mobile application to provide seamless payments. 

UPI Based Payment Apps:
The UPI based payments are expanding exponentially, primarily due to its ease in payment and customer friendly interface. With time, more and more Indians are shifting to UPI based mode of payment, which include:

  • PayTM
  • Google Pay
  • Bharat Interface for Money Application (BHIM)
  • Amazon Pay
  • Phone Pe etc.

Using a virtual ID or payment address and password, any user can transfer (push) or request (pull) money through the UPI app.

However, like two sides of a coin, the UPI based frauds in India are also increasing by leaps and bounds. In this blog, we shall read how these frauds perpetuate and what users can do, to prevent being victims of such frauds. 

UPI Frauds:
Different Modus Operandi are being used by cyber criminals, to perform unauthorized bank transactions. Most common of them are:

Modus Operandi 1: UPI’s ‘Collect Request’ Feature:
In order to send money to someone, you must know their Virtual Private Address or other details like ID number. However, using “Collect Request” feature, you can send money to anyone, without even knowing their VPA. 

Fraudsters misuse this feature by sending fake payment requests with messages like “Enter UPI PIN now to Receive Money”, “To get Rs 10, 000 enter your UPI PIN” and so on. Many people respond to these messages by entering their PIN, thereby losing money. 

Modus Operandi 2: Downloading a Third Party App:
Step 1: Fraudster impersonate as representative of a bank or any other financial institution like RBI, telecom service provider etc. To make the call sound legitimate, they proceed with verification questions like name, DoB, mobile number etc. 
Step 2: Fraudsters then ask you to download an app, which gives remote access to your mobile phone to carry out fraudulent transactions via UPI. Examples of such apps include Any Desk, Team Viewer, Screen Share or any other third party app. 
Step 3: After you install the app, the fraudsters ask you to share the code, following which they get complete access to your device, without you even knowing it. 
Step 4: Now fraudsters can steal your passwords and transact with your UPI account. They need not ask OTP from you any longer, for making unauthorized transactions from your account. 

Modus Operandi 3: Scan QR Code for Receiving Money Fraud: 
In apps like Google Pay, there is an option to scan QR codes to process payments. Fraudsters exploit this feature, to commit fraud. 

Fraudsters send a QR code over WhatsApp, and ask to scan it to receive the money. Once you scan the code and enter your confidential UPI PIN, your account is debited rather than being credited. This is because, the QR code sent by fraudster is a collection request rather than a payment request.

Like other UPI based payment, you need to scan the code and enter PIN only to make payment. So, if someone asks you to scan the QR code and enter PIN, deny doing it. 

Modus Operandi 4: Frauds Posing as Customer Care/ Helpline: 
Fraudster track comments of users on the original customer care pages of apps. These include issues related to cash back, refunds, sub-standard products and services etc. The fraudster then immediately responds to the comment by sharing his phone number posing as customer care or helpline number. 

Customer then ends up calling the fraudster’s number, who then seeks sensitive information, in guise of helping him. Once the details are parted by the victim, the money is debited from victim’s account to the fraudster’s account. 

Modus Operandi 5: SMS Forward Trick:
Fraudsters send an SMS and ask the victim to forward it on another number that they provide. After you send the message, it enables the fraudster to link your mobile number or account through UPI to his (fraudster) mobile. 

How to Prevent Such UPI Frauds?
To avoid a UPI based fraud, you should:

Avoid engaging with fraudsters: Banks and any other genuine financial institution never ask or call to discuss confidential information. Further, to check the authenticity of unknown numbers, you may use free apps like Eyecon, Truecaller etc. 

Be cautious of malicious apps: Fraudster create fake mobile apps, similar to original bank apps and upload them on the Google Play Store. When a person, accidentally installs the fake app and provides the necessary permissions, it starts sending sensitive data to the fraudster. E.g., Modi BHIM, BHIM Modi, Modi ka BHIM apps etc. 

Follow hygienic cyber security practices: It includes not disclosing password, UPI PIN, OTP or credit card details to any stranger; protecting UPI apps with biometric recognition soft-wares, installing and updating anti-virus and firewalls etc.  

Other Suggestions:

  • Always remember, you don’t to enter your UPI pin to receive money on UPI app.
  • If you receive any suspicious text message or a message with link from unknown number, better ignore it or visit the nearest bank branch to confirm it.  
  • Do not download and install third-party apps, such as Screen Share, Any Desk, Team Viewer etc. Always use apps downloaded from the official Google play store (for Android) or App Store (for iPhones). This applies to bank apps as well. 
  • Do not search for your app’s customer support numbers on Google or any social media. Visit the official website of your app or bank to find the customer-care number. 
  • Be skeptical of someone calling you and offering freebies like cash-backs.
  • Pay attention to Spam warnings on your UPI app, never open e-mails without checking their authenticity and avoid using open and free Wi-Fi.
  • Do not post phone number linked with bank account on social media sites. 

What Should You Do When Contacted by a Fraudster?

In such a situation you should – “Login to your UPI app and go to “Help”. Many apps allow you to report fraudulent incidents”.

What if You Got De-frauded: 
Step 1: The complainant/ victim should lodge a complaint with the nearest Police Station or Cyber Cell. Following documents should be submitted along with the complaint:

  • Self attested, Government ID proof of the complainant
  • Screen Shots of the SMS which reflects the unauthorized transaction details (received on the victim's registered mobile number)
  • A detailed application describing the whole incident i.e., how the caller obtained the private information like card details and OTP etc.
  • Name of any suspected webpage or application used by the victim
  • Phone numbers of the fraudster (if available) i.e., Whatsapp, IMO, WeChat, Skype, email etc
  • Updated bank statement reflecting the unauthorized transactions
  • Any other relevant detail

The chats, fraudulent mails, voice recordings, phone messages etc. should be retained in the “Original Device” as such. This is important to enable adduce them as evidence in the Court of Law. Once, the contents from original device are deleted, they lose their sanctity (even though present in other devices, as forwarded materials). Hence, care must be taken not to delete the original incriminating evidences.   

Ideally, an FIR should be lodged (U/S 154 Cr.P.C), but if police resists get a DDR (Daily Diary Register) entry made and receive a stamped copy of the proof of submission of the complaint. Now-a-days several state police allows lodging similar complaint via mobile application or web based interfaces too.

The whole idea is to lend weight and credibility to the complaint you shall finally make to your bank, with the use of such FIR/ DDR entry.

Step 2: Submit a similar complaint to the nearest bank branch and the RBI branch. The complaint to RBI branch is primarily meant to pressurize the bank to deal with the case swiftly and strictly as per the procedure prescribed by RBI.

RBI Bank branches: The RBI branches pan India can be seen using this link - https://www.rbi.org.in/Scripts/Regionaloffices.aspx

Care must be taken to ensure you notify the bank within three working days of receiving the communication from the bank regarding the unauthorized transaction, to enjoy zero customer liability.  

Step 3: Stay in contact with bank officials, seeking refund as per RBI guidelines. In case of delay, seek reasons for the same.  

Learn the complete process for money refund in online fraud cases here: https://cyber-cops.com/blog/sop-for-money-refund-in-online-fraud-cases