Unified Payment interface or UPI is one of the fastest growing and most accepted payment modes in India. It is also one of the most secure payment methods for fund transfer in which all the transactions are authorized only by a secure PIN i.e. UPI PIN set by the customer.
Here’s how UPI functions
- UPI works on the concept of a virtual payment address called UPI ID
- Bank accounts can be mapped to a unique UPI ID
- Payments can be made using an account number, mobile number, and UPI ID
UPI has many benefits
- The use of a UPI ID, QR affords interoperability & makes one-click payment possible.
- Funds transfers can be initiated by either the payee or the payer.
- UPI eliminates the need for exchanging sensitive information, such as bank account numbers, onetime passwords, or phone numbers during a financial transaction.
Staying clear of UPI frauds
Fraudsters usually trick customers using social engineering emphasizing the need to part with bank credentials. They do this by misinforming people that their banking service may get deactivated, they may not receive refunds, redemption of reward points, lucrative offers, etc.
- Some customers post their contact numbers with their complaints on social media platforms, which fraudster can misuse.
- Phishing is another way UPI frauds happen. Fake URLs which look almost identical to original URLs of banks or e-shopping portals are sent through SMS or while claiming any fake rewards. If a customer clicks on such a link, they are directed to the UPI payment app installed on their phone and asked to select an app for debit. Once, customer provides permissions and enters their UPI PIN, money is debited from their bank account instantly.
- Similarly, wrong customer care numbers can also be dangerous. Calling on random/unofficial numbers retrieved from search engines or other unofficial communication may connect customer to fake/criminal call centers.
How fraudsters trick people into divulging sensitive information
- Offer of money, savings, rewards, discounts
- Too good to be true schemes
- Threatening with bank account closure/blocking
- Threatening with SIM block
- Creating urgency/hurry to follow their instructions quickly
- Grievance sharing/exposing sensitive information on social media
A detailed look at how UPI Frauds happen
You will notice that the examples of fraud incidents outlined below require customer participation - meaning the victim shares banking credentials in some form with the fraudster. The objective is to never share such sensitive information to prevent such frauds.
- Remote access - This fraud occurs when customer grants remote access of his/her device to the fraudster
- 1. Fraudster convinces victim to download remote access tool in mobile
- 2. Victim shares RAT credentials through which fraudster gains access to victim’s mobile
- 3. Victim also shares App access passcodes along with banking credentials
- 4. Fraudster now is in control of victim’s device and credentials
- 5. Fraudster executes transaction using victim’s device and compromised banking credentials. Fraudster having control of device may also delete debit SMS / notifications
- 6. Victims are unaware of fraudulent debits until realization by further notification or by later checking bank statement.
- Fake Collect request / Self-initiated
Impostor sends “Collect Request” to victim and asks him/her to enter UPI PIN in order to receive a payment. The user is under impression they are receiving payment towards any offer, refund of past debits, damaged goods, etc, as convinced by the trickster. Sometimes, even the UPI ID from which victim receives collect request is misleading and appears to represent a genuine entity.
Fraudster disguises as fake merchant, advertising himself on various social media platforms providing high-end products at lucrative prices. Gullible customers finding the offer irresistible, either accept the payment request (collect request) by entering UPI PIN (4 or 6 digits number) or make payments, only discovering later about the scam.
What conmen do here, is simply share the QR codes already tagged with certain amount and names as “Free Offer”, etc. under the guise of genuine product or entity. Customer receives QR codes via WhatsApp / SMS, scans it using UPI app and makes the payment.
- SIM Swap frauds – also known as SIM hijacking
- 1. Fraudster procures blank SIM cards
- 2. Fraudster convinces the victim to SMS 19/20 digit new SIM number to the service provider
- 3. Fraudster will then activate the new SIM on his device with victim’s mobile number
- 4. Subsequently service of victim’s SIM will stop
- 5. Fraudster also takes bank credentials from customer
- 6. Victim remains unaware of fraudulent transactions since SIM is deactivated
- 1. Token (string value) is generated on fraudster’s mobile while initiating device registration
- 2. Fraudster convinces victim to send this token from RMN
- 3. Fraudster also takes bank credentials from victim
- 4. Fraudster’s device gets linked with victim’s RMN
- 5. Victim sends the token received from fraudster to SMS gateway
- 6. Fraudster transacts using victim’s account
- 7. Victim gets intimated of fraudulent debit on receipt of SMS alerts, or on checking bank statement
Other Dos & Don’ts –
- Never allow your mobile phone screen access to anyone to perform a UPI transaction
- Do not share your PIN to receive or collect money
- If SIM is deactivated, immediately check for unauthorized transactions & ensure to get bank accounts blocked if credentials have been shared
- Never share Debit Card credentials and UPI PIN with anyone
- No SMS to be forwarded on behest of an unknown caller
- Never download any App (especially remote access) unless absolutely sure about its utility
- Never post transactional details about any grievances on Social Media
- Avoid carrying out transactions while speaking with a third party on call
- Always verify the beneficiary or payee payment details before entering PIN
- If any suspicious activity is encountered on account through UPI, inform bank Call Centre at: 1800 1200 1200 or branch, or deactivate UPI services through bank-provided channels including net and mobile banking
- Always check for in-app notifications from UPI Apps while doing a transaction
- Find contact details of bank or merchants from official website or verified sources & not through search engines.
ALWAYS REMEMBER – No PIN is required to receive money through UPI.