UPI Fraud: Protect Your Customers & Your Business

Feb 2024
13 min read
Divyansh Sharma

The increase in UPI fraud corresponds with the rapid expansion of digital payment channels. A troubling trend can be seen in recent statistics, which highlight the urgent need for increased awareness and practical preventive actions. According to the finance ministry’s data, there were over 95,000 occurrences of UPI fraud detected in the 2022–2023 financial year. The growing incidence of UPI fraud emphasises how critical it is to comprehend and deal with the difficulties posed by digital transactions.

UPI Fraud Explained

Unified Payments Interface (UPI) fraud encompasses a spectrum of illicit activities within the digital payment system. Perpetrators exploit vulnerabilities in the UPI framework to gain unauthorised access or deceive users for financial gain. The multifaceted nature of this digital-age crime necessitates a comprehensive understanding to combat its various forms effectively.

Types of UPI Frauds

Common UPI payment frauds encompass various tactics, such as receiving fake payment requests or scammers gaining unauthorised access to UPI accounts. Fraudsters employ strategies like phishing, SIM swapping, or creating fake UPI IDs to deceive users. Understanding these frauds and taking preventive measures is crucial for safeguarding digital transactions.

Phishing: Phishing stands out as a prevalent UPI transaction fraud. Fraudsters send deceptive emails to extract sensitive information. By entering your details (password or PIN) into the fraudulent site, you unwittingly provide the hacker with the means to misuse your data, making you more susceptible to UPI scams.

Fraud Sellers: Fraudulent sellers thrive in online marketplaces, deceiving unsuspecting buyers by selling counterfeit products or processing orders without delivering the purchased items. This not only results in financial losses but also erodes trust in the e-commerce website.

Fraud Through Screen Monitoring Apps: Malicious actors can exploit screen monitoring apps to compromise privacy and security. These apps enable fraudsters to capture sensitive information, including UPI PINs and OTPs, by recording screen activities without the user’s knowledge. This access allows them to conduct fraudulent activities with the compromised data.

Malware: Malware is a prevalent form of UPI fraud, often mistakenly downloaded from fake email attachments or unsecured websites. Designed to extract and copy data from infected devices, malware poses a significant threat to the security of digital transactions.

Money Mule: Money mule fraud involves transferring money to an intermediary account after obtaining financial data. This account acts as one of the money mules to store funds collected from various unsuspecting victims, presenting a typical modus operandi in UPI hacking.

SIM Cloning: A recent addition to UPI fraud tactics, SIM cloning has surged after the implementation of OTP-mandatory rules by banks. If a fraudster clones your SIM, they can receive the OTP on their device and change your UPI PIN, gaining access to your bank account data and ID proof to reset the PIN.

Deceiving UPI Handles: Fraudsters create deceptive UPI handles to trick unsuspecting users, often using enticing offers or urgent payment requests. These scams occur across various platforms, including social media and online marketplaces, enticing users into making transactions to fraudulent UPI handles.

Vishing: Vishing involves fraudsters posing as bank representatives, weaving a web of lies to extract personal information, including PINs or passwords, under the guise of assisting the user on behalf of the bank.

Collect Request: A common UPI fraud involves fraudsters requesting a collect payment or posing as legitimate entities to deceive users into providing sensitive information or initiating fraudulent transactions to their accounts. Awareness and vigilance are paramount in thwarting these deceptive tactics.

UPI Fraud by Hackers: Hackers employ sophisticated tactics such as phishing emails, malware, and device compromise to execute UPI fraud. Exploiting vulnerabilities in security protocols, they gain unauthorised access to sensitive information, compromising the financial integrity of users. Understanding these tactics is crucial for developing effective countermeasures.

How Hackers Execute a UPI Fraud

Fraudsters employ a strategic approach when executing UPI fraud to deceive individuals. Below is a breakdown of how these fraudulent schemes are typically carried out:

Initiating Contact
The process begins with a random phone call, as fraudsters prefer calls over texts to grab the target’s attention. Disguised as bank representatives addressing seemingly innocuous issues, they establish initial contact.

Verification Questions
To lend authenticity to the call, fraudsters proceed to ask verification questions such as date of birth, name, or mobile number.

Creating a Problem
Fraudsters exploit technical glitches in apps or websites, fabricating stories that convince the target to divulge personal information, citing the need to resolve apparent issues.

Application Download
After convincing the target, fraudsters instruct them to download specific applications on their phone, often using seemingly harmless apps like AnyDesk or ScreenShare from the Google Play Store.

Privacy Permission Request
While downloading these applications, they request privacy permissions similar to regular apps. However, these seemingly innocuous apps gain access to all data on the phone.

Obtaining OTP
Fraudsters then prompt the target to share a 9-digit OTP generated on their phone. Once revealed, the hacker requests additional permissions, gaining complete control of the phone.

Unauthorised Access
With acquired permissions, the fraudster takes complete control of the phone without the user’s knowledge. This enables them to steal passwords and conduct unauthorised transactions through the victim’s UPI account, rendering them a victim of UPI fraud.

Aside from this, fraudsters also employ SMS-based tactics, instructing victims to forward messages to a provided number. Once sent, the fraudster links the victim’s mobile number or account to their own through UPI, expanding the scope of UPI fraud.

A Comprehensive Guide to UPI Fraud Prevention

Scams are not inevitable; they can be thwarted by taking essential precautions. These tips are not only designed to keep you away from fraud but are also fundamental in keeping your information secure in the Internet era. Below are a few ways to avoid UPI fraud prevention

Beware of Engaging with Fraudsters
Avoiding engagement with fraudsters is the most effective way to protect yourself from fraudsters. Your bank will never contact you to discuss your sensitive information. Any call requesting such information is a red flag. You can verify the authenticity of unknown numbers through apps like Truecaller, which has a database of numbers flagged by users.

Take Extra Precaution While Requesting/Accepting Requests
Fraudsters exploit the ‘request money’ feature on apps like Google Pay, PhonePe, BHIM, etc. They express interest in purchasing a product advertised online and engage with the seller on a phone call. Careless clicks during the conversation can cost you thousands through UPI fraud. Remember, receiving money requires no PIN code.

Pay Attention to SPAM Warnings on Your UPI App
UPI apps like Google Pay and PhonePe usually issue a spam warning for requests from unknown accounts. Keep an eye out for such signs and report suspicious accounts as spam.

Be Wary of Malicious Apps
UPI frauds occur using fake mobile apps to deceive people. Scammers create apps similar to authentic bank apps and submit them to the Google Play Store. When a customer unintentionally downloads and installs the fake app, it sends sensitive details to enable fraudsters to withdraw money from the victim’s account. Unauthentic applications such as Modi BHIM, BHIM Modi App, BHIM Payment-UPI Guide, BHIM Banking Guide, Modi ka Bhim, etc., have been reported for stealing customers’ data under the guise of providing valuable banking services.

Follow Security Practices to Avoid UPI Fraud
Never reveal your PIN to strangers and protect your UPI apps with biometric recognition software. This prevents hackers from misusing your account. Install antivirus software to check for malicious software regularly.

Never Open Emails Without Checking Authenticity
Emails are a common avenue for tricking individuals into downloading malware and obtaining information. Always scan emails for viruses/malware to avoid UPI fraud.

Keep a Check on Your Account Activity
Regularly observe your account activity for any suspicious behaviour. It’s easy to overlook and miss red flags, so thoroughly examine your accounts every few months. If you notice an unusual pattern or suspect UPI fraud, alert the bank promptly.

Avoid Using Open Wi-Fi
Using open/public Wi-Fi for banking or UPI apps is risky as it may give hackers access to everything on your device. Always check the trustworthiness of Wi-Fi before connecting.

Keep Track of Bank Messages
Examine messages from your bank closely. Differentiate between a password, PIN, and an OTP. Carefully scrutinise messages for inconsistencies or disputes to ensure awareness of all transactions made via your UPI ID.

Best Practices to Avoid UPI Fraud

Adopt These Practices:

  • Set a daily transaction limit for UPI payments.
  • Regularly monitor your transaction history.
  • Promptly contact your bank if you detect any suspicious activity.
  • Make sure that your phone or laptop is connected to a secure wifi network.

Avoid These Practices:

  • Refrain from opening links or emails from unfamiliar sources.
  • Decline any payment that requests your UPI PIN/OTP.
  • Exercise caution when presented with payment links from unknown accounts.
  • Never share your UPI PIN for any KYC-related processes; it helps avoid UPI PIN fraud.

Step-by-Step Guide on Reporting UPI Frauds in India

Inform Your Bank and Payment Company: Report the UPI fraud incident to your bank and the relevant payment company.

File an FIR with Local Police: Lodge a First Information Report (FIR) with the local police outlining the details of the fraud.

Complaint to NPCI: Raise a formal complaint with the National Payments Corporation of India (NPCI), providing a comprehensive account of the whole sequence of events.

Contact Digital Payments Ombudsman: Write to the Digital Payments Ombudsman, furnishing the complete history of the fraud.

Utilise RBI’s Redressal Scheme: Take advantage of the scheme launched by the Reserve Bank of India (RBI), where the Ombudsman can address digital transaction issues for resolution.

Conclusion

The escalating threat of UPI fraud underscores the critical need for user awareness and proactive engagement in securing digital transactions. The increasing prevalence of this digital crime emphasises the necessity for individuals to stay informed and vigilant and actively contribute to ensuring the UPI ecosystem. By adopting secure practices, leveraging preventive tools, and actively participating in collective security efforts, users can boost a safer and more resilient environment for digital transactions.

FAQs About UPI Fraud

1. Is the bank responsible for UPI fraud?
No, the Payment Service Provider (PSP) bears responsibility for any losses arising from online payment fraud incidents.

2. Do banks investigate UPI fraud?
Banks generally investigate UPI fraud cases, and customers are encouraged to report any suspicious activity for a thorough inquiry.

3. Can UPI frauds be reversed?
UPI frauds may be reversible if reported promptly, enabling the bank to take appropriate action to recover the funds.

4. Is it safe to give someone your UPI ID?
While sharing your UPI ID is common for transactions, it’s crucial to only share it with trusted individuals or entities to ensure the security of your account.