Mumbai: Earlier this summer, when Abhishek Mishra, 24, who works as a manager in a staffing company in Delhi, was moving to a new place, he decided to replace his window air conditioner (AC) with a split AC. Like many others, he listed his window AC on an online classifieds portal for sale. However, instead of successfully selling his window AC, he ended up losing ₹50,000 to a fraudster.
Soon after he listed his window AC, Mishra got a call from a prospective buyer claiming to work for the armed forces and to be stationed at a border area in Rajasthan. As the negotiation progressed, Mishra tried to ascertain the identity of the person through Truecaller. “I checked his name on Truecaller and it was the same that he told me, so I was kind of satisfied," Mishra said.
The person told Mishra that he was going to transfer the money right away and that his son would come later to collect the AC. Mishra agreed. The caller then told Mishra to enter his UPI (Unified Payments Interface) ID in the UPI app on his phone. The minute Mishra did that, he got a message from his bank informing him that his account had been debited. He called the person to find out what had happened and was told that something had gone wrong and that he should try again. He tried again, and then again. Only after the third attempt did Mishra realize he was being conned. What he had been entering was not his UPI ID but his UPI PIN, which approved a collect request the fraudster had sent him and authorized the payment to the fraudster. By then, Mishra had lost ₹50,000 over the three transactions.
Over the past few weeks, payment apps such as PhonePe that provide a platform for UPI transactions, online classifieds portals such as OLX, and the National Payments Corp. of India (NPCI) have been seeing a stream of similar complaints, many of them aired on social media. What is striking is that one particular feature of UPI, the “request money" or collect request, is being abused by fraudsters in several different ways.
The most common UPI fraud right now is the one Mishra faced. UPI lets an individual or a merchant send a user a request to collect money; the request shows up in the user's app, and the user approves it by entering the UPI PIN, which debits the user's own account. This PIN is a fixed secret like an ATM PIN, not a one-time password (OTP) generated afresh for each transaction. In Mishra's case, the fraudster had already sent him a collect request; what the caller called a “UPI ID" was the PIN prompt for that request, and entering the PIN approved the debit. This is the first and most common misuse of the “request money" feature in UPI at present.
Another way, said Anuj Bhansali, head, fraud and risk at PhonePe, is for the fraudster to call the user claiming to be a representative of some platform and offer a cashback. The user is nudged to enter the PIN through a collect request and the money gets debited from the victim’s account. Basant Shroff, partner and technology risk leader at EY, said this technique is also being used by fraudsters to defraud card users. The difference is that the user needs to share the OTP for a card transaction. “The fraudster calling you does not use the term ‘OTP’ but says that it is a code that you need to share to get the cashback (though the message does mention OTP)," he said.
In the UPI ecosystem, some fraudsters get reported by alert users and get blocked by the payment platforms, but a lot of them get away. “What happens is that the fraudster will make a purchase on an online platform and enter your UPI VPA (virtual payment address) in the mode of payment. You will get the collect request. If you enter your PIN at this stage, you have paid for someone else’s online purchase. It is not rampant, but we have come across some such cases," Bhansali said.
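All three variations above rest on the same mechanism: a collect request only ever moves money out of the account whose owner enters the PIN. The following small model of that flow is an added illustration written for this piece; it is not NPCI, PhonePe or any bank's code, and the VPAs, amounts, PIN handling and function names are assumptions. It shows a payer-side app refusing the PIN prompt when the user believes money is coming in, the same PIN authorizing a debit when the user knowingly pays, and an honest buyer paying the seller by a push payment in which the seller's PIN plays no part:

```python
"""Model of a UPI-style collect (request-money) flow. Added illustration for
this article, not NPCI, PhonePe or bank code: the VPAs, amounts, PIN handling
and function names are all assumptions."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets


def hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever a real app does; the point is only that
    # the PIN is compared against a hash, never stored or sent in clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    vpa: str          # virtual payment address, e.g. "seller@bank"
    balance: int      # paise, so the arithmetic stays exact
    salt: bytes
    pin_hash: bytes

    @classmethod
    def create(cls, vpa: str, balance: int, pin: str) -> "Account":
        salt = secrets.token_bytes(16)
        return cls(vpa, balance, salt, hash_pin(pin, salt))

    def check_pin(self, pin: str) -> bool:
        return hmac.compare_digest(self.pin_hash, hash_pin(pin, self.salt))


@dataclass(frozen=True)
class CollectRequest:
    request_id: str
    payee_vpa: str    # who receives the money: the party that raised the request
    payer_vpa: str    # whose account is debited if the request is approved
    amount: int       # paise
    note: str         # free text typed by the requester; not to be trusted


def describe(req: CollectRequest, my_vpa: str) -> str:
    """What the payer's app should show: direction and amount, not just the note."""
    if req.payer_vpa != my_vpa:
        return f"Request {req.request_id} is not addressed to {my_vpa}"
    rupees, paise = divmod(req.amount, 100)
    return (f"PAY Rs {rupees}.{paise:02d} TO {req.payee_vpa}. Approving DEBITS "
            f"your account. Requester's note: {req.note!r}")


def approve_collect(payer: Account, req: CollectRequest, pin: str,
                    user_intent: str) -> dict:
    """Payer side of a collect request. user_intent is what the user believes
    is happening, "pay" or "receive". A collect request can only move money
    OUT of `payer`, so a user who thinks they are receiving must be stopped
    before the PIN is even checked."""
    if req.payer_vpa != payer.vpa:
        return {"status": "rejected", "reason": "request not addressed to this account"}
    if user_intent == "receive":
        return {"status": "blocked",
                "reason": "a collect request debits you; receiving money never needs your PIN"}
    if not payer.check_pin(pin):
        return {"status": "rejected", "reason": "wrong PIN"}
    if payer.balance < req.amount:
        return {"status": "rejected", "reason": "insufficient balance"}
    payer.balance -= req.amount
    return {"status": "debited", "amount": req.amount, "to": req.payee_vpa}


def push_payment(payer: Account, payee: Account, amount: int, pin: str) -> dict:
    """How an honest buyer pays a seller: the buyer enters the buyer's own PIN.
    The seller does nothing and the seller's PIN is never involved."""
    if not payer.check_pin(pin):
        return {"status": "rejected", "reason": "wrong PIN"}
    if payer.balance < amount:
        return {"status": "rejected", "reason": "insufficient balance"}
    payer.balance -= amount
    payee.balance += amount
    return {"status": "credited", "amount": amount, "to": payee.vpa}


def run_scenario() -> dict:
    """Constructed scenario mirroring the article: a seller lists an item and a
    'buyer' raises a collect request for the price instead of paying it."""
    seller = Account.create("seller@bank", 60_000_00, pin="4321")
    fraudster = Account.create("buyer.fake@upi", 0, pin="0000")
    req = CollectRequest("req-001", payee_vpa=fraudster.vpa, payer_vpa=seller.vpa,
                         amount=16_000_00, note="Payment for AC")
    # 1. Seller believes money is coming in: the app must refuse the PIN prompt.
    blocked = approve_collect(seller, req, pin="4321", user_intent="receive")
    # 2. Same request, but the user knowingly pays: the PIN authorizes the debit.
    paid = approve_collect(seller, req, pin="4321", user_intent="pay")
    # 3. A real buyer pays by push; the seller's balance rises with no PIN from them.
    buyer = Account.create("buyer@bank", 20_000_00, pin="9999")
    credited = push_payment(buyer, seller, 16_000_00, pin="9999")
    return {"blocked": blocked, "paid": paid, "credited": credited,
            "seller_balance": seller.balance, "banner": describe(req, seller.vpa)}
```

The `user_intent` argument stands in for the check a careful app can make before the PIN keypad appears: the banner produced by `describe` always states the direction of the transfer, and the seller's balance is unchanged by the end of the scenario only because the honest push payment restores what the approved collect request took out.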
Another method fraudsters are using is spreading fake customer care numbers for banks or UPI platforms. When a user calls these numbers, fraudsters extract sensitive information from them.
Long road to recourse
If you fall prey to such a fraud while using UPI, your recourse is largely only through law enforcement, even though your bank would ask you to raise a complaint. A banker who spoke to Mint on condition of anonymity said banks cannot take responsibility because it is the user who completed both factors of authentication and the bank cannot unilaterally debit money from someone’s account to return it to you. “Unlike the charge-back system for cards, where we still can take some measures to retrieve the money for fraud transactions, person-to-person transactions don’t give us that opportunity," the banker said.
Though you must take the issue to the police, the resolution could take a long time. In most cases, the victim, the fraudster, the actual account holder and the place where the money is withdrawn are in different locations. “When the law enforcement of four or five places is involved, it becomes very time-consuming to get all the information and reach the actual culprit," said Bhansali.
Even though banks can easily identify the individual behind a UPI ID, the identification appears to be of little use in such cases of fraud. “The problem that we have seen across the industry is that there are a lot of cases where the fraudsters are using someone else’s account, like on rent, or someone else’s KYC (know your client) to open an account," Bhansali said. He was referring to fraudsters paying people from time to time to just use their account or to get their documents to open an account. “As soon as the money gets transferred, the amount is withdrawn from the account using an ATM card," he added. Most of the accounts being used by the fraudsters are created through identity theft, which also appears to be the case in what happened with Mishra.
Mishra lodged a complaint with his bank, the payment platform and the police. The platform has shared some details with him like the IP address of the fraudsters, which could possibly be used to identify or locate them. However, he has no idea if and when he will get his money back.
The increase in the number of frauds could eventually lead to systemic changes in UPI. But can you disable the “request money" feature for your own account? As of now the answer is no, and any change will be decided at the NPCI level. “We are considering it. We are also discussing this with NPCI. It is a common feature of UPI and disabling it will mean not adhering to the open interoperability of UPI," Bhansali said. NPCI did not respond to Mint’s email.
However, there are other measures that banks and payment platforms are taking, though these are not specific to UPI, Shroff said. “To prevent phishing, some banks have stopped sending URLs in messages and emails and are instead insisting on (users) visiting their websites directly. Some banks also offer the option to switch off certain types of transactions for your account or card," Shroff said. For UPI transactions, Bhansali said, if the system detects unfamiliar behaviour, the user is alerted about the transaction.
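What “unfamiliar behaviour" might mean in practice can be shown with a few rules run over a transaction log. The following is an added example written for this piece, not PhonePe's or any payment provider's actual logic; the log format, the VPAs, the amounts (a ₹16,000 and two ₹17,000 collect requests approved within six minutes, adding up to the ₹50,000 in Mishra's case) and the thresholds are all constructed for the illustration. The checks flag an approved collect request that is the first payment to a counterparty and far above the user's usual debit, and any repeat collect request from the same counterparty approved within a short window:

```python
"""Behavioural checks over a UPI-style transaction log. Added example for this
article, not any payment provider's actual rules: the log format, VPAs,
amounts and thresholds are constructed for the illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed log. Fields: timestamp|user|kind|counterparty|paise|outcome
# kind is PUSH (user sent money) or COLLECT (user approved a collect request).
# The last three lines mirror the article: three collect requests from a
# never-seen VPA, approved within six minutes, adding up to Rs 50,000.
SAMPLE_LOG = """\
2019-07-02T09:10:00|seller@bank|PUSH|grocer@bank|45000|ok
2019-07-03T20:15:00|seller@bank|PUSH|cab@upi|23000|ok
2019-07-05T13:02:00|seller@bank|COLLECT|electricity@bank|90000|ok
2019-07-06T11:40:00|seller@bank|PUSH|grocer@bank|61000|ok
2019-07-08T17:12:10|seller@bank|COLLECT|buyer.fake@upi|1600000|ok
2019-07-08T17:14:45|seller@bank|COLLECT|buyer.fake@upi|1700000|ok
2019-07-08T17:17:30|seller@bank|COLLECT|buyer.fake@upi|1700000|ok
"""


def parse_log(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        ts, user, kind, party, paise, outcome = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "kind": kind, "party": party, "paise": int(paise),
                       "outcome": outcome})
    return events


def flag_collects(events: list, window: timedelta = timedelta(minutes=10),
                  repeat_limit: int = 2, amount_factor: float = 3.0) -> list:
    """Return (event, reasons) for every approved COLLECT that looks unfamiliar.
    Rule 1: counterparty never paid before AND amount far above the user's
            median past debit.
    Rule 2: repeat_limit or more collects to the same counterparty approved
            inside `window` (the second one already triggers by default).
    History is built only from events before the one being judged, so the
    same check could run at the moment a collect request is presented."""
    seen = defaultdict(set)       # user -> counterparties paid before
    debits = defaultdict(list)    # user -> past debit amounts (paise)
    recent = defaultdict(list)    # (user, party) -> recent approved collect times
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "ok":
            continue
        user, party = ev["user"], ev["party"]
        reasons = []
        if ev["kind"] == "COLLECT":
            if party not in seen[user] and debits[user]:
                typical = median(debits[user])
                if ev["paise"] > amount_factor * typical:
                    reasons.append(f"first payment to {party} is "
                                   f"{ev['paise'] / typical:.0f}x your typical debit")
            key = (user, party)
            recent[key] = [t for t in recent[key] if ev["ts"] - t <= window]
            if len(recent[key]) + 1 >= repeat_limit:
                minutes = int(window.total_seconds() // 60)
                reasons.append(f"{len(recent[key]) + 1} collect requests from "
                               f"{party} approved within {minutes} min")
            recent[key].append(ev["ts"])
        if reasons:
            alerts.append((ev, reasons))
        seen[user].add(party)
        debits[user].append(ev["paise"])
    return alerts


def alerts_for_sample() -> list:
    return flag_collects(parse_log(SAMPLE_LOG))
```

On the constructed log the electricity bill, a collect request to a new counterparty but within the user's normal range, passes quietly, while all three collect requests from the fraudster are flagged: the first for being roughly thirty times the user's typical debit to a never-seen VPA, the second and third for being repeats within ten minutes. The “try again" pattern Mishra was talked into is exactly what the second rule catches.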
Classifieds marketplace OLX, through which many such frauds have reportedly taken place, did not respond to a request for details on how it plans to stop fraudsters from misusing its listings. In a press release it has said that it does so using “technology filters and site auditors", and that it bans over 1 lakh (100,000) suspicious accounts each month. For consumers, it is worth noting that you can choose not to make your phone number public when posting on sites like OLX.
As a consumer, you must stick to the basics. One, never share your PINs or OTPs with anyone. Two, remember that you never need to authorize a transaction, or enter a PIN, to receive money into your account, whether through UPI, NEFT, IMPS, e-wallets or any other payment system; a request that asks for your PIN is a request to take money out.
How to avoid online fraud
■ Read transaction SMSes, pop-ups and descriptions closely
■ Know the difference between an ID, PIN and OTP
■ Alert your service provider to potential spam and fraud
■ Be sceptical of someone calling you and offering freebies like cashbacks
■ Never share PINs and OTPs
■ Never share identifiable information on public forums that can be misused
■ Don’t click on random links offering freebies or asking for verification
■ Don’t enter a PIN to receive money on any platform