FinTechDefending Against UPI Fraud: Best Practices for Customers and Merchants

August 30, 20240

INTRODUCTION

Unified Payments Interface (hereinafter referred to as “UPI”) has revolutionized digital transactions in India, offering a fast, easy, and secure way to transfer money. However, as with any digital platform, UPI is not immune to fraud. Both customers and merchants are at risk if they do not take appropriate precautions.

Merchant fraud pertains to deceptive practices wherein an individual or entity assumes the guise of a bona fide business entity to defraud consumers and unlawfully gain financial advantage. It encompasses criminal activities aimed at exploiting payment mechanisms and commercial processes to unlawfully appropriate assets from unwitting businesses and consumers.

Defending against UPI fraud involves understanding potential threats, such as phishing scams, unauthorized transactions, and social engineering attacks.

MERCHANT AND CUSTOMER FRAUD – METHODS AND MODUS OPERANDI

1. Phishing scams: These scams entail perpetrators disseminating deceptive emails or messages to individuals, often aiming to procure sensitive information like login credentials or credit card data. Given their sophistication, phishing scams pose a significant threat to businesses and their clientele.

Modus Operandi: Individuals are targeted with phishing links directing them to counterfeit UPI websites, wherein they are prompted to divulge login credentials and sensitive personal information.

2. Account takeover fraud: This scheme ensues when fraudulent parties illicitly acquire a customer’s account credentials, such as usernames and passwords, to execute deceitful purchases. Due to its semblance with legitimate transactions, detecting account takeover fraud can be challenging.

Modus Operandi: Cybercriminals have the capability to gain control over established accounts, including those related to banking, credit cards, and e-commerce. Certain cases of account takeovers commence with cybercriminals collecting personal data from data breaches or acquiring it through illicit means on the dark web. This personal data, encompassing email addresses, passwords, credit card details, and social security numbers, holds considerable value for cybercriminals seeking financial profit. Upon the successful execution of an account takeover attack, fraudulent transactions, credit card misuse, and unauthorized purchases can ensue, originating from compromised customer accounts.

3. Identity theft: This offense involves malicious acts obtaining an individual’s personal information, including name, address, and Social Security number, to perpetrate fraudulent transactions or initiate new lines of credit in the victim’s name. The repercussions of identity theft can be severe for both individuals and businesses, emphasizing the necessity of robust data protection and privacy measures.

Modus Operandi: The modus operandi for identity theft fraud in UPI typically involves fraudsters employing various deceptive tactics to obtain sensitive personal information from unsuspecting individuals. This may include sending phishing messages or emails disguised as legitimate entities, directing recipients to counterfeit UPI websites where they are prompted to enter their login credentials, PINs, or other confidential details. Additionally, fraudsters may use social engineering techniques to manipulate individuals into divulging their personal information over phone calls or through fake customer service channels.

Once the fraudsters acquire this sensitive data, they can exploit it to gain unauthorized access to the victim’s UPI account. This unauthorized access enables them to conduct fraudulent transactions, transfer funds to their own accounts, or make unauthorized purchases using the victim’s identity.

4. Using QR Code: The deployment of Bharat Quick Response (hereinafter referred to as “BQR”) codes in India during 2020–21, amounting to 49.7 lakh, reflects a notable increase of 39.3% compared to the preceding year of 2019–20. Concurrently, instances of fraudulent activities exploiting QR code usage have been observed. Fraudulent tactics often involve the transmission of counterfeit QR codes to unwitting consumers. Upon scanning these falsified codes, recipients are misled into believing they will receive funds in their bank accounts. Additionally, perpetrators have been known to surreptitiously substitute authentic QR codes with their own versions at merchant establishments, leading customers to inadvertently direct payments to illegitimate accounts.

Modus Operandi: The method of operation typically involves fraudsters contacting customers through various deceptive means and inducing them to scan QR codes using mobile applications. Unwittingly, customers may grant authorization to the fraudsters to withdraw funds from their accounts by scanning such QR codes.

5. Social Engineering: Social engineering attacks typically entail the exploitation of unsuspecting individuals by inducing them to disclose sensitive information under false pretences. This often involves psychological manipulation by the perpetrator, who may impersonate a trusted entity such as a financial institution, a family member, or an employee of a financial institution. The aim is to deceive the victim into revealing their banking details or making unauthorized payments.

Modus Operandi: The modus operandi for social engineering fraud in UPI typically involves perpetrators leveraging psychological manipulation techniques to deceive individuals into divulging sensitive information or performing actions that compromise their security. This may include tactics such as impersonation, pretexting, or exploiting trust to convince victims to share their UPI PIN, login credentials, or other confidential details.

Perpetrators often utilize various communication channels such as phone calls, text messages, or emails to establish credibility and create a sense of urgency or fear, compelling victims to act without critical scrutiny. Consequently, unsuspecting victims may inadvertently authorize fraudulent transactions or disclose personal information, leading to financial losses and security breaches.

PREVENTIVE STEPS

a. Beware Against Engaging with Fraudsters

Preventing involvement in UPI fraud is paramount for safeguarding oneself. Recognize that legitimate financial institutions never solicit sensitive information over the phone. Any such request should raise immediate suspicion. Utilizing services like Truecaller to authenticate unknown numbers can aid in identifying potential fraudsters.

b. Take Care with Request/Acceptance Payment Requests

Exercise vigilance when utilizing or responding to payment requests, particularly through features like “request money” on popular UPI apps such as Google Pay and PhonePe. Scammers exploit these functionalities by feigning interest in purchasing advertised products and coercing sellers into initiating transactions via UPI apps, often resulting in financial losses.

c. Take a notice of Spam Alerts on UPI Platforms

Remain attentive to spam notifications provided by UPI applications like Google Pay and PhonePe, which flag suspicious transaction requests from unfamiliar accounts. Promptly report any dubious activity or accounts encountered to mitigate potential risks.

d. Beware of Malicious Applications

Exercise caution when downloading mobile applications, as fraudulent actors may distribute counterfeit banking apps through platforms like the Google Play Store. These deceptive apps, resembling authentic banking interfaces, surreptitiously extract sensitive information from unsuspecting users, facilitating fraudulent transactions. Heightened awareness of such risks can prevent falling victim to these scams.

f. Adherence to Security Protocols

Safeguard personal identification numbers (hereinafter referred to as “PINs”) and utilize biometric authentication features offered by UPI apps to fortify account security. Regularly install and update antivirus software to detect and eliminate malicious software that may compromise device security.

g. Scrutiny of Email Authenticity

Exercise diligence when handling emails, as they may serve as conduits for malware dissemination and phishing attempts. Employ email scanning measures to detect and prevent malicious software from infiltrating devices, thereby minimizing susceptibility to UPI fraud.

h. Regular Account Monitoring

Periodically review account activity to detect and address any irregularities or suspicious transactions. Proactive monitoring enables timely identification of fraudulent behaviour, empowering individuals to promptly report discrepancies to their financial institutions for investigation and resolution.

i. Avoidance of Use of Unsecured Wi-Fi Networks

Be cautious when accessing UPI apps or conducting banking transactions over unsecured Wi-Fi networks, as they pose inherent security risks. Prioritize the use of secure, trusted networks to mitigate the potential for unauthorized access to sensitive information by malicious actors.

j. Keep a record of all Bank Communications

Maintain vigilance when reviewing messages from financial institutions, discerning between legitimate communications and potential phishing attempts. Familiarize oneself with the distinctions between passwords, PINs, and one-time passwords (OTPs), scrutinizing messages for inconsistencies and promptly reporting any discrepancies to ensure account security.

AMLEGALS REMARKS

The UPI has emerged as a transformative force, reshaping India’s payment landscape and setting new benchmarks for secure, convenient, and efficient financial transactions. With its rapid adoption and widespread accessibility, UPI has empowered millions, fostered economic development, and garnered recognition beyond India’s borders. The collaboration of key participants such as NPCI, PSPs, and TPAPs has ensured the seamless operation of UPI, while innovations like UPI Lite and UPI 2.0 continue to advance financial inclusivity and user experience.

Additionally, the prevalence of customer and merchant fraud in the realm of UPI transactions emphasizes the critical importance of heightened awareness, stringent security measures, and proactive vigilance. Fraudsters employ a variety of sophisticated tactics, ranging from phishing scams and account takeover fraud to identity theft and social engineering, to unlawfully exploit sensitive information and perpetrate fraudulent transactions.

To combat this menace effectively, individuals and businesses must adopt a multi-faceted approach that includes staying informed about prevalent fraud schemes, exercising caution when engaging with unknown entities, and adhering to robust security protocols provided by UPI platforms. Additionally, leveraging technological solutions such as spam alerts, biometric authentication, and regular account monitoring can serve as powerful deterrents against fraudulent activities.

As UPI continues to evolve and expand its capabilities, it stands poised to further revolutionize the global financial arena, driving progress and empowering individuals and businesses alike towards a digital future.

– Team AMLEGALS assisted by Mr. Samarth Sheth (Intern)


For any queries or feedback, feel free to get in touch with mridusha.guha@amlegals.com or liza.vanjani@amlegals.com

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.

 

Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.