Fraudsters often call the victim posing as an executive and mislead them into breaking security procedures
Recently, former cricketer Vinod Kambli lost ₹1.14 lakh to a digital payments fraud. The conman, posing as a private bank executive, coaxed Kambli into downloading the third-party remote-access app AnyDesk, supposedly so that he could update the know-your-customer (KYC) details on his card. The app gave the fraudsters remote access to the cricketer's mobile phone, after which they stole sensitive information related to his bank account, along with an OTP, to commit the fraud.
Kambli was quick to report the scam to the bank concerned and lodge an FIR with the police, and has managed to get his money back. However, not everyone is so lucky.
This is just one of many frauds in which conmen dupe thousands of digital payments users out of their hard-earned money. While the modus operandi of each fraud is different, the concept behind social engineering frauds is the same: they are carried out through direct human interaction, in which the fraudster calls the victim posing as an executive and misleads him or her into breaking security procedures so that money can be siphoned off from the victim's bank account.
Mint tells you the modus operandi of different digital payments related vishing frauds and how to avoid them.
Pending KYC fraud: This is one of the most common tricks. Fraudsters call the victim posing as a bank or card company executive and warn that the card or bank account will be disabled unless KYC is completed on it. They create a sense of urgency to fluster the victim and manipulate him or her into parting with sensitive information.
This is done in one of two ways.
One, the conman gets the victim to share card or bank details on the pretext of confirming that they are talking to the right customer. Once they have the details, they initiate a transaction and ask for the one-time password (OTP) sent to the victim's mobile phone, saying it is needed to complete the KYC process. The OTP, in reality, authorizes the transaction.
Second, the conman makes the victim download a remote access mobile app, such as TeamViewer, AnyDesk, Splashtop or ConnectWise, saying it will let them complete the process online so that the customer doesn't have to visit the bank.
“The conman makes the victim make a small payment and when the latter keys in the card or bank details, the fraudsters duplicate the information and use it to commit the fraud," said Rahul Tyagi, co-founder, Safe Security.
These apps are not malicious in themselves; companies use them to fix technical glitches for customers by remotely accessing their devices. But whoever controls the session sees everything shown on the screen, including the banking app and any OTP that arrives by SMS, and fraudsters have been abusing these legitimate apps to commit sophisticated crimes.
“The biggest red flag in this fraud is that any merchant, payment company, bank or card company will never ask you to carry out a payment while they have access to your phone. They may ask you generic information but will never make you do a payment activity. In fact, banks never ask customers to download a third-party app," said Tyagi.
Data leak from e-commerce companies: Lately, employees of some e-commerce companies have been selling data on big-ticket purchases made by customers to fraudsters. When a customer buys from an e-commerce website, the conman calls 2-3 days after the purchase to offer a reward, saying the customer has been selected in a lucky draw. The fraudster uses the purchase details obtained from the e-commerce company's employee to establish the genuineness of the call. Once the customer is convinced, the conman sends a QR code promising a cashback reward.
The QR code opens a ‘request payment’ link: scanning it makes the customer pay the fraudster, not receive money. Most customers don’t pay attention and end up sending the money. Some customers notice the request payment message, but the conmen have a counter for that as well. “The fraudster sends a new ‘test link’ saying that the customer should try it with ₹1 to see that the money is immediately credited back along with the reward. Once convinced, the victim sends the ‘cashback’ amount which, of course, never comes back," said Tyagi.
The thumb rule of UPI payments is that a user never has to scan a QR code, enter a UPI PIN or click on a link received through an SMS or email to receive money; each of those actions authorizes a payment out of your own account.
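To see why the thumb rule holds, it helps to look at what a payment QR actually contains. The following is an added example, not code from the article or from Safe Security; it assumes the QR carries the common merchant-QR form of a UPI deep link (upi://pay?pa=&lt;payee address&gt;&amp;pn=&lt;payee name&gt;&amp;am=&lt;amount&gt;&amp;cu=INR&amp;tn=&lt;note&gt;) and the sample payloads, addresses and amounts are constructed for illustration. Whatever the note says, the link names a payee and the person scanning is the payer.

```python
from urllib.parse import parse_qs

# Constructed sample payloads, modelled on the UPI deep-link convention
# (upi://pay?pa=<payee VPA>&pn=<payee name>&am=<amount>&cu=INR&tn=<note>).
# The addresses and amounts are made up for this example.
SCAM_QR = ("upi://pay?pa=rewards.desk@examplebank&pn=Cashback+Desk"
           "&am=4999.00&cu=INR&tn=Lucky+draw+cashback")
TEST_QR = ("upi://pay?pa=rewards.desk@examplebank&pn=Cashback+Desk"
           "&am=1.00&cu=INR&tn=Test+link")
OPEN_QR = "upi://pay?pa=cafe.counter@examplebank&pn=Corner+Cafe"


def parse_upi_pay_link(payload: str) -> dict:
    """Split a upi://pay deep link into its query fields.

    Assumption: the QR carries the merchant-QR form of the UPI link. Any other
    scheme or action is rejected rather than guessed at.
    """
    scheme, sep, rest = payload.partition("://")
    if not sep or scheme.lower() != "upi":
        raise ValueError("not a UPI link")
    action, _, query = rest.partition("?")
    if action.lower() != "pay":
        raise ValueError(f"unsupported UPI action: {action!r}")
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if "pa" not in fields:
        raise ValueError("payee address (pa) missing")
    return fields


def is_upi_pay_link(payload: str) -> bool:
    """True if the payload parses as a upi://pay link, False otherwise."""
    try:
        parse_upi_pay_link(payload)
        return True
    except ValueError:
        return False


def describe_qr(payload: str) -> str:
    """Say in plain words which way the money moves if this QR is scanned.

    Every upi://pay link names a payee (pa); the scanner is always the payer,
    so no QR can 'credit' a cashback to the person scanning it.
    """
    fields = parse_upi_pay_link(payload)
    payee = fields["pa"]
    name = fields.get("pn", "unknown payee")
    if fields.get("am"):
        amount = f"{fields['am']} {fields.get('cu', 'INR')}"
    else:
        # No fixed amount: the paying app will prompt the scanner to type one in.
        amount = "an amount you will be asked to type in"
    return f"YOU pay {amount} to {payee} ({name}); nobody pays you"


if __name__ == "__main__":
    for label, qr in (("scam", SCAM_QR), ("test link", TEST_QR), ("cafe", OPEN_QR)):
        print(f"{label:>9}: {describe_qr(qr)}")
```

The ₹1 “test link” in the story parses exactly like the big one: same payee, smaller amount. The refund the victim sees is a separate transfer the fraudster chooses to make, not something the QR causes.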
SIM swap scam: Tyagi said this is quite a dangerous scam as, when carried out successfully, it gives fraudsters access to all of a person's financial information. Fraudsters mainly target high-net-worth individuals (HNIs) with it. The conman calls the victim posing as a telecom company executive, saying that their SIM will expire in the next 24 hours and that they need the 10-digit unique number on the SIM card to initiate a connection continuation request.
“Customers don’t realize how crucial this 10-digit number is. It is used to port the number to a different operator. Once the customer shares this number, the fraudster puts in a porting request after which the SIM is shut down for 24 hours. The fraudsters use this 24-hour window to issue a new SIM for the same number and then use it to login and reset the victim’s net banking, mobile wallets, UPI and other important apps’ passwords," Tyagi said. He added that two-factor authentication through an app like Microsoft Authenticator or Google Authenticator can protect customers from such scams.
“Most of us err by relying only on OTP-based 2FA as a security measure. When a mobile phone or SIM is compromised, OTP sent via SMS can be easily viewed by the fraudster, which is not the case with an app-based authenticator as the authentication code validity is only 30 seconds and it cannot be easily cracked through remote access," Tyagi said.
Fake customer care number fraud: Fraudsters post fake customer care numbers for merchants on Google, Twitter, Facebook and Google Maps to con customers into calling them instead of the company they want to complain to. When you go looking for a company's customer service number on social media or Google, there is a real chance you will end up calling a fraudster. What follows is the obvious: the conman tricks the victim into revealing bank account or card details.
If you want to lodge a complaint, only call the number given on the merchant's own website or its verified social media page.
As a common practice, do not share your sensitive financial information or OTPs with anyone over the phone.