How Do UPI Frauds Happen?

UPI transactions have become a part of our day to day lives. To accommodate technological advancements, UPI transactions are a must. Due to the many benefits that they offer, they are getting wide acceptance. UPI is a single platform that combines various banking services under one head. Sending and receiving money is very easy using a unique ID of yours together with PIN. UPI ID is your virtual payment address and you can experience a real time bank to bank payment system without any hassles. The entire process is seamless and once you get used to it, you can pay or receive money anytime, anywhere without carrying hard cash.

UPI is a payment method where the users can link more than one bank account with a single mobile app and carry out transactions without using the IFSC. There is no need to remember recipients’ account number and type, nor the IFSC and bank’s name. UPI interface is developed by the National Payments Corporation of India and regulated by the Reserve Bank of India. Many of us are using verified digital payment apps like Google Pay, Paytm and PhonePe in our day to day life. Digital economy is another world which we have already stepped into but it comes with its own safety risks.

Instant fund transfers can happen through the real time payment system. A mobile application is sufficient to transfer money. Unfortunately UPI frauds are becoming common in India. Every month there are about 80K frauds that take place through UPI. The total amount of money thus stolen could be to around Rs.200 crore. In absence of redressal mechanisms, it is difficult to find those who commit this crime. You will be surprised by how almost 50% of all financial services frauds in our country are carried out through UPI. It is difficult to find the fraudulent behaviour of someone due to the easy route that UPI uses to transfer money.

Online payment frauds are not just limited to urban areas but they also include complaints from rural areas. The government is trying to fix this by making it easier to report cyber frauds,yet it continues to be victimising financial fraud so far. The size and complexity of it are just getting bigger and bigger day by day. In absence of data standards defined either by the government of the RBI or CERT-In, the public at large is likely to face security hazards. COVID-19 has added to the dependence on online transactions thus adding more to the likelihood.

Let’s try to understand the common UPI frauds and also learn how to avoid them. Last four years have witnessed 70 times more frauds in the last four years as per SBI. There is a chance of getting exposed to unauthorised payment links or fraudulent UPI handles and screen monitoring by fraudsters. Though the transactions use a secure encryption to maximise security, they are susceptible to certain frauds.

The list of probable UPI Frauds-

Most commonly fraudsters send a payment request on user’s UPI app. But there are many other ways to trick people.

1. Phishing frauds-There are unsanctioned payment links appearing similar to the original URL of the merchant. When the consumer clicks on the link, they are directed to the UPI app where by entering the PIN, they give permission to auto debit from the account resulting in an authorised debit transaction. The customer is victimised as he/she is unable to know the fake features of the app and they fall in the trap by making payments via it.

Anuthorised payment link is sent via an SMS. They look like the original URL so it is unlikely not to get misled by them. It will ask to pay via any of the payment apps installed on your phone. Such links are very harmful and they infect your mobile phone with viruses or malware. Giving your PIN will complete the transaction. Phishing and smishing is used for such social engineering scams of various forms. Common sense should always be applied before clicking on any of those links.

2. Screen mirroring apps-There are desk and team viewer apps which are given by the banks to resolve the issues of their customers. Fraudsters contact the banks’ employees as genuine companies and they also appear to be legitimate when searched on Google. If they get to work on behalf of the bank or other agencies they can easily loot people’s money. When a complaint is raised regarding any issues like pending payments, KYC updates etc, the fraudsters get complete access to the victim’s phone . And then it becomes very easy to trap the customers.
3. Fraud by creating a collect request-There is a ‘collect request’ created by the fraudsters and they give many reasons like it’s a reversal entry or a refund etc. to compel people to approve the transaction. Once they give their permission by entering their PIN, the fraudsters will receive the money.
4. Fake apps-There are a number of other ways by which people agree to share their UPI PINs and OTPs with scammers. The unauthorised access to the victim’s account allows them to withdraw their bank balances. It is not just UPIs, it could be credit cards or e-wallets through which fraudsters reach their prey. Downloading an unverified application from the app store leads to privacy breach and data leak. These apps will get confidential data from your phone using your UPI app details leading to UPI frauds.
5. Fake calls-People try to find out a seller’s number to reach out to them to buy things from them. They might end up using the number of an imposter who is listed under several businesses. They take orders and request the customer to pay via UPI. The customer makes payment on the belief that the item will reach him/her as promised by the seller but that doesn’t happen. After a few days of wait, they come to know that they have scammed.
6. Social media pages to prey.Scamsters create fake UPI social media pages to trap the customers in the name of complaint resolution services. They get the financial information of the customers to con them. Customers do not get to know that such handles are not authorised and that they are getting trapped.
7. Unverified links misguide many users to scan a QR code to receive money on the UPI app. Such fake codes ask for your UPI PIN and your financial details get exposed to the scammers. Similarly they can even call and request you to provide your details telling you that they are bank representatives and the call is for verification purposes.

Banks issue advisories on their special media handles regarding such frauds and warn customers to practice safe banking. Hackers target e-commerce users.

How to avoid hacking or misuse of your UPI apps

The example given below explains how one of the most common frauds takes place.

Mrs. Sharma wanted to sell her Sofa as she was moving to another city. She put the details about her Sofa on a few platforms that help to sell used articles. She got a call from a person saying that he is a bank employee and his identity matched with the true caller description. The caller sent him a barcode and told him to scan it through another mobile to receive money. And he said that he will collect the Sofa later but he wanted to pay in advance. Mrs. Sharma happily scanned the code by using another mobile and instead of receiving money for her Sofa, she ended up paying for it! Meaning the same amount got withdrawn from her bank as she scanned the QR code. There are numerous ways to victimise UPI users. All you have to do is just be alert and not get convinced by what they want you to do.

1. Do not click on the links in any SMS especially from unknown resources. It is highly likely that all your money will be washed away from your accounts if you allow it to work via any of your UPI apps.
2. Check the official website of your bank or other financial agencies like a stockbroker etc. to know about the exact site or links. Usually they are given by their representatives. Mere mentioning of the name given in the link or site redirecting to the payment options will mostly put you into trouble.
3. Do not search for customer numbers on Google. Fake call centres are plenty in number and if you have a complaint, contact the official agencies or websites.
4. Do not use unverified apps. As more and more users are making payments through UPI platforms, the scammers are getting newer opportunities to prey. Do not install any UPI apps which are unusual or any unknown banking apps. Engaging with strangers should be strictly avoided through any medium. They might try to contact you via a phone call or a message, do not rely on them unless it is unavoidable. Sometimes they claim that they are bank officials. Emails are also sent to get information from individuals. Verify the email addresses as well. The authenticity of the source should always raise the red flag. The best way is to not communicate with or reply to them. OTP details are very personal and confidential, do not share it with anyone unless and until it is for a close contact who requests to use it and you already know about it.
5. Pay attention to the prevention programs.The leading commercial banks and the NPCL carry out various online and offline campaigns to educate their customers about the frauds that may affect them through UPI apps and e-wallets. However still there is a need that they deploy initiatives such as informing them through emails/circulars and vigorous testing being done by the third party evaluators. Vulnerability assessment can be done to check the UPI integration frameworks.
6. Special media accounts are yet another option to approach the user. Again there too the scamsters appear as a problem solving or helping hand. They identify themselves as someone from official sources like the government, police, banks, armed forces etc to get your attention and win your confidence. Do not trust any of those who just appear to be so but are fake otherwise. SMS can also come to your mobile stating they are from Provident Fund Organisation or Insurance Regulatory and Development Authority. They never send such messages.
7. Double check the authenticity. It is very important to understand how this new-age payment system works. The users need to be made aware so that they are not easily fooled by the manipulators. When a substantial amount of money is involved, check for the person/business you are transacting with. Take sufficient precautions before sharing confidential details like OTPs. Download verified apps only through App Store or Google Play Store.
8. Raise the red flag.If you feel that you are being tricked or followed by a fraudster, you can report the same to the nearest cyber crime centre. Alternatively, log into your UPI app and go to the ‘Help’ section. It will guide you how to contact the cyber crime cell and how to stay safe. Contact the bank or customer care services immediately and block the card linked with the UPI.
9. Set limits and block certain types of card transactions on your apps to avoid frauds. It is all in your hands. There are precautionary measures to save you from the worst outcomes.

Even different UPI apps tell us to avoid payment transfer scams like Google Pay. The app has specifically mentioned areas for which money transfers should be avoided to prevent scams.

• Purchases should not be made using money transfers. Eventually you may lose your money without getting what you paid for. Sports events, concert tickets, vehicles, pets or electronics fall under this category.
• Tech support services should not be paid via such mediums.
• Job, real estate or money making opportunities.Payment for rent of an apartment. It is required that you do the paperwork and inspection of property before you make the payment. Also receive the keys first.
• You may be deceived by a fake shipping receipt that the item has already been dispatched.
• If you are asked for passwords, passcodes, password reset links, debit or credit card info, personal info like your address or social security number, PINs, debit or credit card information, bank details or other account numbers etc. then it is surely a scam.

What to do when you are scammed? Know about the redressal mechanism

A customer has a right to get the full amount back if the fraud occurs due to negligence/deficiency on the part of the bank or if it is a third party breach according to RBI’s July 2017 notification. However the consumer has to notify the bank within three working days. But where the loss is due to negligence on the part of the customer, he/she is liable to bear the entire loss until he reports the unauthorised transaction to the bank.

As per the New Consumer Protection Act-2019, the government has asked all e-commerce platforms to acknowledge all the UPI related complaints within 48 hours of receipt and their redressal within a month. If there is no satisfactory response from the bank or UPI service provider within a month, the user can directly approach the RBI’s banking ombudsman.

The following support is provided by the NCPL.

• Every end-user customer can raise a complaint with respect to a UPI transaction, on the PSP app / TPAP app.
• End-user customer can select the relevant UPI transaction and raise a complaint in relation thereto
• A complaint shall be first raised with the relevant TPAP in respect to all UPI related grievances / complaints of the end-user customers on-boarded by the PSP Bank / TPAP (if the UPI transaction is made through TPAP app). In case the complaint / grievance remains unresolved, the next level for escalation will be the PSP Bank, followed by the bank (where the end-user customer maintains its account) and NPCI, in the same order. After exercising these options, the end-user customer can approach the Banking Ombudsman and / or the Ombudsman for Digital Complaints, as the case may be.
• The complaint can be raised for both the types of transactions i.e. fund transfer and merchant transactions
• The end-user customer shall be kept communicated by the PSP / TPAP by means of updating the status of such end-user customer’s complaint on the relevant app itself

Raise a complaint with your bank-

1. Collect evidence as and when you realise that you have been cheated. Take screenshots of the transaction, note the transaction ID, beneficiary’s bank account details, phone number of the scammer etc.

2. Change or reset all your passwords and PINs of your bank accounts and mobile wallets. Contact your bank immediately. Sooner you inform, better it will be as it is the first step towards redressal. Call the bank’s toll-free number and tell them about the scam. Or else you can send an email to your bank or visit the nearest branch. This will take some time. So it’s always preferable to call them first.

3. Submit a request to block your bank account. They will verify your identity and for that the bank will ask you a few questions to confirm. Once blocked, all your future transactions will be stopped. Once you reset everything including your details and passwords, it will start functioning again.

Complain to the payment platform

1. Call the toll-free number of your UPI app to submit your complaint.
2. Use the inbuilt feature to raise the dispute.
3. The platform will share some details pertaining to the fraudster that will help you to identify them.

Complain to the Cyber Crime Police

1. Submit a written complaint to alert them about the UPI fraud. Give them all the details about the unauthorised transaction.
2. Or you can file an FIR at your local police station if you do not have information about the Cyber Cell of your location. The police will forward your complaint to the right kind of authorities.

Fraud resolution might take some time. It is better to follow the basic rules while you process online transactions. Remember that you need to authorise a transaction if the money is transferred to your account. It is a common technique to get you into the loop. The only recourse is through law enforcement and banks also fail to fix such complaints as the factors of authorisation are completed by the user. In case of a charge-back system for cards, there are still some measures that will retrieve the money but person-to-person transactions do not provide for any such scope. Plus, the person who gets victimised usually is located at a different place than the location of the scamster. And if more than one location is involved, it becomes more complicated. Also, the identity of the fraudster will not be of much use. Because usually the frauds are committed using someone else’s account. Fraudsters even pay people to use their account. They even use other’s documents to open an account. Identity theft is one of the common weapons used by them.

To prevent phishing, banks and other payment platforms have stopped sending URLs in messages and emails. They prefer emails from their official websites. Even in case of UPI transactions, if the system detects something unusual, the user is alerted. The sites like OLX are now considering technology filters and site auditors to prevent fraudsters from misusing the listings.

Stick to the basics-follow a stricter rule not to share your PINs or OTPs with anyone. You DO NOT need to authorise a transaction to receive money. Read the transaction SMSes, pop-ups etc very closely. Those who offer free goods, services or cashbacks are mostly fraudsters. Do not listen to them. There is a difference between an ID, PIN and OTP, understand that. Also do not share identifiable information on public forums as they are likely to get misused. If you follow these basic rules, you will be able to get saved from such tricks. It’s all a matter of a little knowledge and rest assured, nobody can fool you, how much they try to!

Image from https://unsplash.com/@jefflssantos

Finvestor Social Media

Krishna Rath is a SEBI Registered Investment Adviser, and since 2015 has been educating netizens on investments and insurance. Krishna is a fee only SEBI RIA and is Odisha's first SEBI RIA. With background in IT, Krishna is changing the advisory space with new innovations in AdvisoryTech.

See Full Bio