UPI Financial Frauds — Hammering Digital Payments

Rushi Mehta
3 min read · Jul 24, 2020

On average, ~2–3 lakh rupees of fraud occurs daily through UPI systems. This figure is derived from open-source analysis of data on Twitter.

Keywords: @cyberdost, @mahacyber, @rbi “Fraud”, @npci etc.

The Unified Payments Interface (UPI) was introduced to simplify payments, and people have adopted it at great scale. Let's discuss in detail.

The Indian Problem

To set the context: India is vast.

There are two parts: India (urban) and Bharat (rural).

People are educated, but many are digitally illiterate. First-time smartphone users are not taught about digital safety, which causes problems when they use the phone. Even basic hygiene, such as not sharing a password, is not known. A variety of UPI frauds currently take place in the system.

As per my Twitter analysis, it has been seen that an amount of more than 2 crore has been defrauded by UPI frauds alone.

Here are some of the frauds that are currently in existence:

1. Phishing + Device Registration == Unauthorized debits.

Adversaries take to Twitter to find customers who have posted complaints there. They call the victim and ask them to send an encrypted SMS to the UPI registration number. This encrypted SMS contains the adversary's device-binding details, which the victim sends to NPCI for registration. This successfully binds the adversary's mobile device to the victim's number! A phishing link is then sent to the victim. It looks like a resolution form and also asks for the PIN. The victim gives the PIN, and the fraudster debits the account from the UPI app.

2. Collect Request.

The fraudster sends a collect request to the victim, telling them to accept it to receive a cashback, payment, etc. Because people are not aware that you don't need to enter a PIN in order to receive a payment, they fall prey to the collect request.

Though there is a restriction on the collect request amount for P2P, there is no such restriction for P2M. Hence fraudsters have started using merchant services for fraud.

3. QR Code

A QR code in UPI is a form of collect request. Fraudsters send a QR code and ask the victim to scan it in order to receive a payment for something (e.g. an OLX sale). The victim scans the QR code, enters the PIN, and the money is debited.

4. Anydesk & Remote Access

Fraudsters send a tempting message, such as "your KYC has expired". You are then told to install Quick Support or another remote access app. They take your PIN, follow step 1, and can also get into your net banking app to make IMPS/NEFT payments.

5. Fake UPI IDs

Fraudsters create a fake ID that imitates a popular one. For example, the original VPA of the PMCares fund was pmcares@sbi, but similar IDs such as pmcares@upi were created to defraud people.
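One way a payment app could screen a payee against item 5 (Fake UPI IDs), as an added example that is not part of the original post. The verified-payee list, the confusable-character table, the VPA pattern and the distance threshold are assumptions; only pmcares@sbi and pmcares@upi come from the article.

```python
import re

# Assumption: a verified-payee list maintained by the app or the bank.
# Only pmcares@sbi comes from the article.
VERIFIED_VPAS = {"pmcares@sbi"}

# Constructed table of digits commonly swapped for letters in lookalike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Assumed VPA shape "name@handle"; not an official NPCI grammar.
VPA_RE = re.compile(r"^([a-z0-9._-]{2,256})@([a-z][a-z0-9]{1,63})$")


def parse_vpa(vpa):
    """Split 'name@handle' into (name, handle); raise ValueError if malformed."""
    m = VPA_RE.match(vpa.strip().lower())
    if not m:
        raise ValueError(f"not a valid VPA: {vpa!r}")
    return m.group(1), m.group(2)


def skeleton(name):
    """Normalise a VPA name: fold confusable digits, drop separators."""
    return re.sub(r"[._-]", "", name.translate(CONFUSABLES))


def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_vpa(vpa, verified=VERIFIED_VPAS, max_distance=1):
    """Return ('verified' | 'lookalike' | 'unknown', matched verified VPA or None)."""
    name, handle = parse_vpa(vpa)
    if f"{name}@{handle}" in verified:
        return "verified", f"{name}@{handle}"
    for good in sorted(verified):
        good_name, _ = parse_vpa(good)
        # Same or near-identical name on any handle imitates the verified payee.
        if edit_distance(skeleton(name), skeleton(good_name)) <= max_distance:
            return "lookalike", good
    return "unknown", None
```

A "lookalike" result is the point at which the app would warn the payer and show the verified ID before asking for the PIN.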

Expected frauds on WhatsApp payments:

WhatsApp has 40 crore active Indian users. Once its payments service launches, it will be a big push for digital banking among Indians.

All 5 common frauds mentioned above will be replicated as soon as the payments service is launched. Some WhatsApp-specific ones are:

1. Merchant Payment

Fake merchant IDs and accounts are likely to be created on Jio Mart or a similar business site that accepts payments. These will defraud in two ways: you make a payment but no order is delivered, or you receive a collect request for "refund processing".

Suggestions for the new giant waiting to conquer the market:

1. Create a very short video on online safety that users watch before they are allowed to use the WhatsApp payments service. This should cover:
  • No PIN while sending money
  • No money transfer to strangers
  • No sharing of UPI PIN
  • Encouraging a WhatsApp password
  • While selling a phone, uninstall WhatsApp.

2. Remote access to the app must be disabled.

Use libraries that hide all keyboard actions and secure the user's screen.

3. Dedicated hotline with banks for faster resolution.

Frauds will be high in number. Hence, to investigate them, a dedicated team should coordinate with the banks of India.

4. Session with the LEAs (law enforcement agencies) of the states and the centre on how to investigate WhatsApp payments frauds.

Views are personal. Total self research.
