Online payments frauds are getting more common as transaction volumes grow
Fraudsters send payment requests through UPI apps to steal money
Individuals should avoid engaging with strangers
Unknown banking and UPI apps shouldn’t be installed
Avoiding online payment fraud while using UPI apps or e-wallets is becoming increasingly difficult with the growing volume of online transaction in India. Total number of transactions made through the Unified Payments Interface (UPI) in February 2021 was 2.29 billion, according to data provided by the National Payments Corporation of India (NPCI). And as more people make payments using UPI apps and e-wallets in the country, the incidences of online fraud grow. Scammers continue to find new ways to steal the hard-earned money of individuals. Many such victims have posted about their ordeals on social media.
The list of victims of online payment fraud not only includes the people who live in rural areas and are new to the world of digital payments, but also many people living in urban areas and using UPI apps and e-wallets frequently. In a recent case, Delhi Chief Minister Arvind Kejriwal's daughter Harshita Kejriwal was also allegedly duped of Rs. 34,000 while trying to sell a sofa online. A man posing as a buyer contacted Kejriwal and told her that he would send a small amount to confirm her bank account. He initially sent her Rs. 2 and asked her for confirmation, according to media reports. But after that, he reportedly sent her a QR code that enabled him to withdraw payments from her bank.
This is a common way of fraudsters trick individuals by sending them a payment request on their UPI app. That request allows them to easily transfer the money. But along with sending payment requests, criminals use social engineering to dupe people.
“Social engineering can be found in various forms, and we use various names to it such as phishing and smishing,” Vikram Jeet Singh, Director, Risk Consulting - IT Advisory, KPMG, told Gadgets 360 in an earlier interview.
Once the payment request is accepted, the UPI app asks for the PIN, which is the last step to complete the transaction. This means that you'll lose the money the moment you enter your UPI PIN, which you shouldn't.
“When it comes to a consumer, it boils down to common sense,” said Ram Movva, President and Co-Founder of Tamil Nadu-based cybersecurity services firm Cyber Security Works.
Most of the leading commercial banks run various online and offline campaigns to inform their customers about frauds taking place through UPI apps and e-wallets. The NPCI also educates individuals through its social media channels. However, some experts believe that frauds could be minimised by bringing stringent policies and rules.
“With no data standards… defined by the government — and neither by the Reserve Bank of India nor by CERT-In — people have been left aside from the security point,” said Sateesh Kumar Peddoju, Associate Professor, Indian Institute of Technology - Roorkee.
The growth in online payment frauds have made it quite difficult for businesses to protect customers as cybercriminals continue to build new ways and mechanisms to target innocent people.
"More and more of us have become accustomed to doing more and more transactions online, especially since the COVID-19 pandemic hit last year, and it is easy to forget that there are people out there who will do anything to obtain money or personal information by deception," data security firm Sophos said in a statement.
Having said that, you can take certain steps to stay safe from online frauds while making payments through a UPI app or e-wallet.
Avoid engaging with strangers
One of the first steps that can help you stay protected against online frauds is to avoid engaging with strangers through any medium. It is important that you are not communicating with unknown people over a phone call or message — unless it's something very urgent and unavoidable. Banks also tell their customers to not disclose personal or transactional details such as UPI PIN or OTP even to people claiming to be banking officials contacting them via email or phone.
"There are millions of fake emails that are being sent everyday by hackers," said Karmesh Gupta, CEO of network security firm WiJungle. "They usually pose that they belong to an authentic organisation or platform to trick and ask you for the desired information. Before acting upon any email, make sure that you thoroughly check and verify the email address."
By not communicating with fraudsters, you can avoid getting caught in social engineering tricks that fraudsters often use to steal money from individuals.
In case you need to engage with someone you don't know, maybe for selling a household item (like in Harshita Kejriwal's case), you should be very careful of the communication you make and must never share your bank details. You must also not share OTP or any other transactional information you get on your phone while talking to someone you don't know personally.
“Fraudsters track social media accounts and can approach the user under the guise of providing assistance,” said Damon Madden, Principal Fraud Consultant— Fraud & Risk Management, ACI Worldwide.
PhonePe had also noted in a blog post that fraudsters often build on their credentials by telling people that they work for the armed forces, police, or the government. But you should be aware and not trust any individual just because they appear to represent a reputed organisation.
Gupta pointed out that in some cases, bad actors try to connect with individuals by pretending to offer them heavy discounts, offers, and deals from online shopping platforms. "This is one of the most commonly used and trending ways of looting people through online channels," he said.
You should, therefore, be utmost careful while taking any actions on emails or messages claiming to give you discount offers and deals.
Do not share OTP with anyone
One-time password (OTP) is what banks and financial institutions send to validate transactions in India. But unfortunately, OTPs have also become the entry-point for most frauds nowadays.
“Banks usually don't ask for personal information on SMS, so if you receive a text asking about your financial information, it is generally a red flag,” said Madden of ACI Worldwide.
Gupta of WiJungle said that OTP frauds were one of the most common due to which a lot of people lost access to their important information or even lakhs of rupees. "It is usually the lack of awareness that people share their OTP (one-time-password) considering that it has come from the bank or any official authority. Thus, it is important to take care before sharing the OTP to any unknown," he said.
You should never share the OTP you'll get on your phone with anyone over a call or message. It is also important to note that you must not be entering your banking details or login credentials to your bank account on a computer or device that is part of a shared network, as it would let someone know your information from the backend.
Never click on any links or accept payment requests
Fraudsters often send doctored links to obtain money from your account. UPI apps such as BHIM and Google Pay have also made it easier for scammers to make fraudulent transactions by sending payment requests. However, Movva of Cyber Security Works said that no matter you should never click on a link you receive or proceed with a transaction request unless you initiated it yourself via a UPI app or your bank's website.
Google Pay displays a blocker warning screen for high value QR/ payment link transactions to warn users about fraudulent payments and ensure they approve transactions after due deliberation. But several people still become victims, especially when a fraudster tries to take part payments from their account instead of getting the entire money out in a single transaction.
Similar to Google Pay, PhonePe also asks users to not respond to any random payment requests. “Always remember you do not have to ‘Pay' or enter your UPI PIN to receive money on PhonePe,” the company wrote in another blog post that details the type of online frauds that happen while using UPI apps.
Although Apple and Google try hard to remove duplicate and false apps from their app stores, you may still come across counterfeit UPI apps while downloading other apps. It is, therefore, important that you must not install those on your phone.
“Users should verify the name, developer, registered website and email address of an app before installing it on their mobile phone,” said ACI Worldwide's Madden.
Alongside counterfeit UPI apps, you'll find several apps that appear to be associated with your bank when they actually aren't. It is, therefore, your responsibility to install only authenticated and official banking apps on your devices.
Always connect with official helpline contacts
Fraudsters these days try to connect with individuals through fake helpline accounts on social media. In some cases, fraudulent phone numbers also appear on search engines. Platforms like Google Pay and PhonePe, however, recommend users to connect with their support team directly. You can reach out to Google Pay via its toll-free number 18004190157 or by going through the Contact Us section in the app. PhonePe also has dedicated customer support on its website. Similarly, most commercial banks have their official helpline numbers and social media accounts that you should reach in case of a query or for reporting a fraud.
Experts believe that it is important to let others know if you've caught in a fraudulent activity to help them beware of similar experiences. You should also hear about the incidents happened with others to be careful at your end.
"Report scams if you can. It might not feel as though you are doing much to help, but if many people provide some evidence, there is a least a chance of doing something about it. On the other hand, if no one says anything, then nothing will or can be done," Sophos said.
Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a principal correspondent for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments. Jagmeet is available on Twitter at @JagmeetS13 or Email at email@example.com. Please send in your leads and tips.