You don’t need to enter UPI PIN to receive money in your account

The Unified Payments Interface or UPI has moved ahead of e-wallets in terms of volume as well as value of digital transactions, mainly due to the simplicity of the system. However, it is this simplicity of UPI transactions that is now apparently aiding fraudsters to con people who may not pay attention to details.

Recently, a Twitter user, @mohmaaya, shared her experience of how a fraudster tried to trap her by sending her a request to pay up when she was trying to sell something online. If she had not paid attention, she would have lost a substantial amount.

Mint spoke to payments companies to understand the mechanism used by fraudsters. But first, let’s understand how UPI works and how it’s open to the possibility of fraud.

How UPI works

In order to transfer or receive money using UPI, you need to have activated UPI for your bank account. To do this, you need to have the mobile phone connection linked with the bank account. When you activate UPI, you also need to create a VPA (virtual payment address) which is like a UPI ID.

Some UPI apps also allow you to check if a particular number in your contact book is active on the platform. In order to complete a transaction using VPA, both the sender and the receiver need to be active on UPI. If you are the sender, you will need to input VPA or select a contact from inside the app, which then prompts you to input the amount to be sent. After clicking on “pay”, you need to enter your UPI PIN, to make the transaction go through.

For commercial transactions, where you need to pay for a purchase, like an online purchase, you need to submit your VPA to the merchant online. The merchant then sends a “collect request” to you, which is time-bound. You need to log into your UPI app, then approve or decline the request. If you choose to approve the transaction, you need to enter your UPI PIN.

But even for person-to-person transactions, you can send a request to collect money from someone else, like the fraudster did with @mohmaaya. This feature is being misused by fraudsters.

The fraud

When you put in a request to sell something online, you also share contact details like your mobile number, which enables the fraudster to get in touch with you to enquire about the product being sold. That is what happened in @mohmaaya’s case.

The fraudster could also enquire if you would accept payment through UPI, and assure you that he wants to make a partial payment upfront to block the item.

If you agree to accept the part payment in advance, you will get a notification in your phone from your UPI app. When you open the request, you will also see a description of the transaction by the requester. The fraudster could use this description to create an impression that you will get the money once you enter the PIN. At this point, the fraudster may also call you to discuss the procedure or product to create a distraction for you, so that you do not read the description carefully and simply follow the instructions on the screen. In the case of @mohmaaya, the fraudster did exactly that, but she was alert enough to not fall for it.

If you fall for the distraction and enter your PIN, your account will be debited and the amount will get transferred to the fraudster. In such a situation, while you can raise the issue with your bank, it is unlikely that you will get back your money immediately.

You must remember that you don’t need to enter your PIN when you are receiving a payment. Also, as a thumb rule, do not share any sensitive details with anyone and be alert and pay attention to details while doing transactions.

The Twitter user was fortunate enough to realise just in time that someone is trying to defraud her. However, the system remains open to misuse and it needs to be seen what solutions the payments companies come up with to deal with such frauds.