As the volume of online transactions in India continues to grow, it is becoming increasingly difficult to avoid online payment fraud while using UPI apps or e-wallets. Data provided by the National Payments Corporation of India (NPCI) shows that the total number of transactions conducted through the Unified Payments Interface (UPI) in February 2021 was 2.29 billion. As more people in the country use UPI apps and e-wallets for payments, the incidence of online fraud is also increasing. Scammers are constantly finding new ways to steal individuals’ hard-earned money. Many such victims have recounted their ordeals on social media.
The list of victims of online payment fraud not only includes people living in rural areas who are new to the world of digital payments, but also includes many people living in urban areas who regularly use UPI apps and e-wallets. In a recent case, Delhi Chief Minister Arvind Kejriwal’s daughter Harshita Kejriwal was also allegedly cheated of Rs. Made $34,000 trying to sell sofas online. A man posing as a buyer contacted Kejriwal and told her he would send a small amount of money to confirm her bank account. He initially sent her Rs. According to media reports, he asked her for confirmation on the 2nd. But he has since reportedly sent her a QR code that allowed him to withdraw the payment from her bank.
This is a common way fraudsters deceive individuals by sending them payment requests on UPI apps. This request allows them to transfer money easily. But in addition to sending payment requests, criminals also use social engineering to trick people.
“Social engineering comes in many forms and we use different names for it, such as phishing and SMS scams,” Vikram Jeet Singh, Director, IT Consulting Risk Advisory, KPMG, told technology shout in an earlier interview.
Once the payment request is accepted, the UPI app asks for a PIN, which is the final step to complete the transaction. This means you are losing money when entering your UPI PIN, which you shouldn’t do.
“For consumers, it boils down to common sense,” said Ram Movva, president and co-founder of Cyber Security Works, a Tamil Nadu-based cybersecurity services company.
Most of the leading commercial banks conduct various online and offline campaigns to inform customers about fraud happening through UPI apps and e-wallets. NPCI also educates individuals through its social media channels. However, some experts believe that fraud can be minimized by establishing strict policies and rules.
Sateesh Kumar Peddoju, associate professor at the Indian Institute of Technology Roorkee, said: “People are being excluded from the security point as there are no data standards defined by the government, RBI and CERT-In.”
The growth of online payment fraud is making it difficult for businesses to protect their customers, as cybercriminals continue to create new ways and mechanisms to target the innocent.
“As more of us have become accustomed to conducting more and more transactions online, especially since the COVID-19 pandemic began last year, it’s easy to forget that there are people who will stop at nothing to obtain money or personal information through deceptive means,” data security company Sophos said in a statement.
Having said that, there are certain steps you can take to avoid online fraud while making payments through UPI apps or e-wallets.
Avoid contact with strangers
One of the first steps that can help you protect yourself from online fraud is to avoid contact with strangers through any medium. It is important that you do not communicate with unknown people via phone calls or messages unless the matter is extremely urgent and unavoidable. Banks have also told customers not to reveal personal or transaction details such as UPI PIN or OTP, even to people claiming to be bank officials who contact them via email or phone.
“Hackers send millions of fake emails every day,” said Karmesh Gupta, CEO of cybersecurity firm WiJungle. “They often pretend to belong to a real organization or platform in order to trick you into asking for the information you need. Before taking action on any email, make sure to check and verify the email address thoroughly.”
By not communicating with fraudsters, you avoid falling for the social engineering tricks fraudsters often use to steal personal funds.
If you need to contact someone you don’t know, perhaps to sell home goods (as was the case with Harshita Kejriwal), you should communicate very carefully and never reveal your bank details. You are also not allowed to share OTP or any other transaction information you get on your phone while talking to people you do not know.
“Fraudsters will stalk social media accounts and approach users under the guise of offering help,” said Damon Madden, principal fraud advisor for fraud and risk management at ACI Worldwide.
PhonePe also noted in a blog post that scammers often use their credentials to tell people that they work for the armed forces, police or government. But you should be aware not to trust anyone just because they appear to represent a reputable organization.
Gupta noted that in some cases, bad actors try to connect with individuals by pretending to offer them deep discounts, deals and offers from online shopping platforms. “This is one of the most common and popular methods of robbery through online channels,” he said.
Therefore, you should be extremely careful when taking any action on emails or messages claiming to offer you discount offers and offers.
Do not share OTP with anyone
One-Time Password (OTP) is a password sent by Indian banks and financial institutions to authenticate transactions. But unfortunately, OTPs have also become the entry point for most fraud today.
“Banks generally won’t ask you for personal information via text message, so if you get one asking for your financial information, that’s usually a red flag,” says ACI Worldwide’s Madden.
WiJungle’s Gupta said OTP fraud is one of the most common frauds through which many people have lost important information and even hundreds of thousands of rupees. “People often lack awareness to share OTPs (one-time passwords), considering they come from banks or any official agency. Therefore, one must be careful before sharing OTPs with any stranger,” he said.
You should never share the OTP you got on your phone with anyone through calls or messages. It is also important to note that you must not enter your bank details or login credentials into your bank account on a computer or device that is part of a shared network, as this will allow others to know your information from the backend.
Never click on any links or accept payment requests
Fraudsters often send modified links to obtain funds from your account. UPI apps like BHIM and Google Pay also make it easier for scammers to conduct fraudulent transactions by sending payment requests. However, Cyber Security Works’ Movva said that no matter what, you should not click on the link you receive or proceed with the transaction request unless you initiate the transaction yourself through a UPI app or bank website.
Google Pay displays a blocker warning screen for high-value QR code/payment link transactions to warn users about fraudulent payments and ensure they approve the transaction after careful consideration. But some people still fall victim, especially when fraudsters try to withdraw partial payments from their accounts rather than withdrawing the entire funds in one transaction.
Similar to Google Pay, PhonePe also asks users not to respond to any random payment requests. “Always remember that you do not have to ‘pay’ or enter a UPI PIN to receive money on PhonePe,” the company wrote in another blog post detailing the types of online fraud that occur while using UPI apps.
Citibank also writes in a detailed support page about UPI fraud: “A PIN is not required to receive payments.”
Stay away from fake apps
Despite Apple and Google’s efforts to remove duplicate and fake apps from their app stores, you may still encounter fake UPI apps when downloading other apps. Therefore, it is important not to install them on your phone.
“Users should verify the app’s name, developer, registration website and email address before installing it on their phone,” ACI Worldwide’s Madden said.
Apart from fake UPI apps, you will also find some apps that appear to be associated with your bank, but are not. Therefore, it is your responsibility to install only authenticated official banking applications on your device.
Today, fraudsters are trying to connect with individuals through fake helpline accounts on social media. In some cases, fraudulent phone numbers also show up on search engines. However, platforms like Google Pay and PhonePe advise users to contact their support teams directly. You can contact Google Pay via the toll-free number 18004190157 or through the Contact Us section in the app. PhonePe also offers dedicated customer support on its website. Likewise, most commercial banks have official helpline numbers and social media accounts that you should contact if you have inquiries or report fraud.
Experts say it’s important to let others know if you’ve fallen into fraudulent activity to help them guard against similar experiences. You should also be aware of incidents with other people so you can be careful yourself.
“If you can, report the scam. You may feel like you’re not doing much to help, but if a lot of people provide some evidence, there’s at least a chance that something can be done about it. On the other hand, if no one says anything, then nothing will or can be done,” Sophos said.
Does WhatsApp’s new privacy policy mean the end of your privacy? We discuss this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.