Gone are the days we paid in cash for every other purchase. With the increasing use of Unified Payments Interface (UPI) transactions, almost all shops ranging from roadside stalls to big supermarkets tend to facilitate UPI payments. As much as it seems to have made our lives easier, there has been an increasing trend of scams related to UPI payments and digital transactions in Chennai and across the country.
A recent study shows that the country has around 35 crore transacting users across various digital platforms, including e-commerce, shopping, travel and hospitality. The number is set to hit 70 crore by 2030.
Though it is a boon that technology has reached laypersons, it is equally important that there is enough awareness among vulnerable groups to safeguard themselves from fraudsters.
Here is a simple explainer of the recent UPI scams doing the rounds and how to avoid falling prey to them.
What is a UPI transaction?
The National Payments Council of India (NPCI) defines the Unified Payments Interface (UPI) as a system that powers multiple bank accounts into a single mobile application (of any participating bank), merging several banking features, seamless fund routing and merchant payments into one hood.
The NPCI launched the pilot of UPI payments with 21 member banks in April 2016 and the banks have started to upload their UPI-enabled Apps on the Google Play store from August 2016 onwards. The participants of UPI include payer PSP (Payment System Provider), payee PSP, remitter bank, beneficiary bank, NPCI, bank account holders and merchants.
What are the recent trends in UPI scams in Chennai?
Srikanth L from Cashless Consumers, a consumer awareness initiative, categorises the UPI scams currently taking place in Chennai and across the country into two kinds – account takeover scams and the scams that take place at the transaction level.
Both kinds of scams are executed through social engineering which is the practice of obtaining information, especially financial information, from a particular person using fictitious stories or narrations.
Account takeover scams:
Though UPI payments have become widespread, it is not friendly to illiterate users.
Karthik*, an officer from a public sector bank in Chennai, explains that in the initial days if those who are not literate and have a bank account and want to withdraw money, they will have to register their left thumb impression and bring a witness for authorisation. However, according to the current RBI procedures, ATM cards can be provided to all account holders, including those who are not literate.
If a mobile number is linked to a bank account and a working ATM card is available, the UPI service can be enabled in the mobile phone which has the sim card of the registered mobile number. Thereby, an easy fund transfer mechanism can be enabled for those who are not literate.
Account takeover scams target vulnerable groups who do not have a UPI account or are aware of it.
Scammers gain access to the credentials of the victim’s bank account first. Though a one-time password (OTP) is not required for transactions through UPI apps, it is required for setting up the account or retrieving a lost account. The scammers then make fraudulent calls to the victim and gain knowledge of the OTP required to set up a UPI account.
“They then set up a UPI account without the knowledge of the victim. The banks might not be aware that it was fraudulently set up as the details entered are legitimate. Once the scammers set up the account, they can siphon the amount from the particular account easily,” explains Srikanth.
Transaction level scams:
The transaction level scams through UPI continue to take different forms every passing day. Such frauds have been propagated through marketplaces like OLX frauds, with scamsters posing as army personnel, scams through collect requests and scams that use fraudulent QR codes and SMSes.
“Almost always, the UPI frauds will take place with the gullibility of the customer where the liability on the banks become null,” notes Karthik.
Marketplace frauds are those in which the fraudsters reach out to the seller under the pretext of buying a product. They then get the bank details of the seller and inform them that they have mistakenly sent the seller an amount over and above the selling price.
For instance, if the product costs Rs 1,000, the fraudster would say that they have sent Rs 10,000 by mistake and request the seller to return Rs 9,000. The seller, who would have originally received Rs 1,000, might send Rs 9,000 without adequately checking the transaction. Once the fraudster receives the amount, they then block the seller.
Recent trends have also seen fraudsters posing as army personnel looking for a rental house and reaching out to the house owners who have put out advertisements for vacant houses. They send doctored proof of employment in the army to gain the trust of the owner. On the pretext of paying an advance for the house, the scammers follow the same modus operandi outlined above and end up deceiving the house owners of huge sums.
Collect request scams rely on the UPI app’s user interface to confuse the victims. The scammers will say that the amount has been sent and ask the victims to check the UPI app on their mobile. “When the victim opens the app, the said amount will pop up on the screen. Thinking that the amount has been received, the victim will click on the amount which will direct them to the screen requesting the UPI pin. Since the UPI pin number for both the transaction and balance enquiry are the same, the victim will enter the pin believing it to be for the balance enquiry. However, once the pin is entered, the amount will be debited from the victim’s account,” says Karthik.
Sellers too have fallen victim to novel UPI scams lately.
Kannan, a roadside tender coconut seller in Koyambedu, started facilitating payments via UPI apps for his customers around eight months ago. “Many customers kept asking if they can pay me through the UPI apps. When I responded in the negative, they would say that they did not have cash at the moment and would move on to the shop with UPI payments. Ever since I installed the QR code scanner facility for UPI transactions, I have started gaining more customers,” he says.
Even though the facility for easy transactions has helped Kannan’s business, he has experienced the downside.
“A few months ago, I faced an issue receiving the amount through the UPI apps. Despite customers showing their mobile screens confirming successful payment, I did not receive any credit into my account. This went on for more than a week. When trying to understand the issue, I found that someone had pasted a different QR code on top of mine at the display in the shop. All my earnings have been going to their account,” he says.
Though Kannan was not able to get back the lost amount due to many challenges, he was given a choice to install soundboxes that would come with a QR code and make announcements of every payment received to that account.
While there are cases like that of Kannan’s where the QR code stickers can be swapped to cheat merchants, many scammers also use fake UPI apps to make the payment look more real.
Elaborating on this trend, Dinesh Pandian, a cybersecurity expert, says that scammers install mobile apps which help them scan the QR code of the merchants. “Once they scan the code, they will enter the amount to be paid. They can also enter fake credentials of the balance amount in their account. Once all the details are entered, the fake app will generate the exact replica of the ‘payment success’ page of the selected UPI application. Once the scammer shows this page to the merchant, they believe it to be true even when they have not received the amount,” says Dinesh.
The most recent UPI scam in Chennai is one where sammers send an SMS which warns the victims that if they fail to pay the electricity bill within a given time their power supply will be disconnected. The SMS also contains the link to a UPI ID to which the payment should be made.
“Since not many people know how to verify such an SMS, they tend to succumb to such scams,” notes Srikanth.
What to do if you are subjected to a UPI scam in Chennai?
Any user of UPI apps could potentially fall victim to these ever evolving scams no matter how vigilant we are. In such cases, it is important to know how to handle the aftermath.
Step 1: File a complaint at the bank
When a victim realises that they have fallen prey to a UPI scam, the first step is to file a written complaint with their bank detailing the incident along with the details of the bank account number, account holder’s name, the transaction number and the signature. While the written complaint would suffice (as other details are traceable by the bank), it is always advisable to carry the bank passbook while visiting the bank.
Further, the complainant should always take a photocopy of the complaint letter and get an acknowledgement with the bank officer’s signature and seal. Notably, the victim can file a complaint at any branch of the same bank.
“For instance, if you have opened an account in a branch in Madurai but live in Chennai now, you can file the complaint at any bank branch in Chennai. It is not necessary to visit the home branch,” says Karthik.
Step 2: File a complaint with the cyber crime police
The victim can file a complaint with the cyber crime wing through the cyber crime helpline number 1930 or through the web portal. They can also file a written complaint at the local police station by attaching the complaint copy from the bank and getting a copy of the complaint from the police as well.
Step 3: Processing the complaint
Once the victim finishes step 1 and 2, the cybercrime unit will act as a bridge between the victim’s bank and the beneficiary’s bank and process the complaint through the portal. The victims can also raise the complaint at the grievance redressal option in the UPI mobile application to block the particular UPI ID.
All UPI platforms use the interface of NPCI into which all the banks are integrated. Thus, the NPCI has a report-generating mechanism for all banks and has also given access to this report to all the banks. “While the victim will have access only to the UPI ID of the fraudster, the banks can trace the beneficiary account details including the IFSC code,” says Karthik.
Every bank will have a nodal officer to handle such cyber crimes. Once the complainant’s bank acknowledges the complaint, the cybercrime police will forward the complaint to the beneficiary’s bank. Following this, the beneficiary’s bank will hold the funds from that particular account. They will then wait for the criminal proceeding from the cyber crime police who will have to send a confirmation of the crime to the beneficiary’s bank for them to refund the amount.
Once the confirmation is sent, the beneficiary’s bank will resend the amount from the fraudster’s account to the victim’s account.
Though the process is clearly outlined on paper, there are many practical challenges to retireving money lost to UPI scams.
Challenges in handling UPI scam complaints
The recovery rate of UPI scams is very less in general, says Mohan*, a police personnel from the cybercrime unit. “More often than not, the amount secured through a scam is withdrawn or transferred to other accounts immediately. Once the fraudster withdraws or transfers the money, it also becomes untraceable,” he explains.
Further, there are also instances where the bank accounts used by the scammers are opened using fake credentials.
“Though the recovery rate of individual complaints is low, these complaints help trace organised crimes and understand the trends and modus operandi. It also helps in identifying the weak links in the system so that they can be fixed,” notes Srikanth.
Karthik cites an incident where the victim’s money has not been returned despite the scammer’s account having been identified and blocked from making any withdrawals. The victim lost Rs 10,000 to a scam and their money is still in the beneficiary’s account even after three months. Miscommunication between the cyber crime unit and the banks has led to the delay.
“There is a lack of awareness even among the officials about the coordinated structure of interfacing between multiple bodies to deal with complaints exclusively for UPI scams,” says Karthik.
How to safeguard ourselves from such scams?
Experts outline some of the ways in which we can protect ourselves from such scams.
- Do not accept the collect requests or enter the UPI pin without reading through the screen.
- Since some banks are poor at SMS notification of transactions, the account holders should enable multiple modes of notifications including email notification.
- Even when family or friends request money either through text, social media or through UPI apps, do not send money without verifying the authenticity of the message through a call or by meeting in person.
- Get to know all the facilities available in the UPI app such as checking the bank balance, raising complaints, checking transaction history etc.
- Educate senior citizens or adolescents in your life who are more vulnerable to such UPI scams.
- Always have a separate account for expenses and salary credits and link the expense account alone to the UPI application so that the salary account is not compromised.
- Do not use multiple UPI applications. Use one application so that the accounting is clear.
- As a practice, install e-passbook applications to keep an eye on the transactions at regular intervals.
- Temporarily deactivate the UPI applications if travelling abroad.
- Some banks allow individuals to set limits for UPI transactions, while some banks have a daily set limit by design.
Many merchants tend to use savings bank accounts instead of current accounts for regular business. “Since both the personal and business transactions happen in the same account, it becomes more vulnerable. Besides, when registering UPI for business transactions, they should opt for a merchant account,” says Karthik.
The merchants are suggested to always check if the amount is credited to their bank account. Since it is highly impossible to check every transaction during peak hours of business, they can install sound boxes to cross-verify real time transactions. Some UPI applications also have facilities to use mobile phones for audio notifications for such transactions.
The NPCI has also fixed responsibility on the UPI platforms and banks to create awareness among the customers on the various UPI scams.
The Union Ministry of Home Affairs has also launched an initiative called CyberSafe which provides the public access to verify the a list of fraudulent IDs.
“If a cyber complaint has been filed on a particular UPI ID from any part of India, the data gets entered into the portal. The public can enter the suspected ID in the portal to verify it. There are over 1.2 lakhs reported list of suspected IDs in the portal,” says Srikanth.
The way forward
Pointing out that gaps in policies allow such scams to flourish, Dinesh says, “The NPCI took more than 1.5 years to approve UPI for transactions as there were many security concerns. Many countries still have not approved the UPI mode of transaction for the same reason. While there should be a common data security act, every government agency in India tends to have different regulations. A clear policy exclusively for UPI transactions is required.”
Though the technology seems to have reached the laypersons in every nook and corner of the country, the increasing rate of UPI scams brings the need for awareness to be spread in regional languages to the forefront. There is also a need for more user-friendly interfaces. Manuals detailing usage, terms and conditions of installing such UPI apps must also be made widely available and through different mediums such as audio and video.
While the payments landscape has been altered drastically with UPI, safeguards must be strengthened to prevent vulnerable people from losing large sums to scams.
*names changed on request