Over the past few weeks, payment apps such as PhonePe that provide a platform for UPI transactions, online classifieds portals such as OLX as well as the National Payments Corp. of India (NPCI) have been witnessing a stream of complaints. Many of these complaints are being made public through social media. What is striking is that UPI, in fact one particular feature in UPI, is being used by the fraudsters in different ways.

UPI Fraud

New Tactics

Approach 1: Fake Money Receive Request

The ‘Request’ feature on UPI apps allows a person to send you a payment request where the amount is filled in by the requester.

This feature is used widely by scammers to fraudulently rip money off unsuspecting victims.

In the OLX scam, scammers use this feature while enquiring about a product, pretending to be an interested buyer. They gain trust by saying they work in the army or police, which adds credibility. Even the name shown in Truecaller would say the same, with an army / police keyword in either the name or the tag.

The scammer calls you regarding the product and tells you that they cannot make the payment in person and would rather make an instant payment using UPI. During this conversation, the scammer poses as a buyer for the product posted by the victim and asks the victim for their UPI ID in order to send an advance payment.

Scammers often forget to enquire about the product's condition, warranty, etc. This should raise suspicion, but the victim gives their UPI ID anyway. After getting the UPI ID, the scammer starts asking random questions about the product and sends a money request, saying that they have made the advance payment and that the victim needs to enter their UPI PIN to authorize the transaction. This is in fact a Money Request sent to the victim, which transfers money from the victim's account to the scammer's account rather than the victim receiving any.

This scam works because users are not aware that receiving money does not require you to enter a PIN; only sending does. To prevent this scam, many UPI clients explicitly warn users that they are sending money when a request is made to them.

Approach 2: User Gives UPI PIN and Grants Access to Remote Access Software

A problem that many users encounter frequently is the deduction of money despite a transaction failure (which ideally should not deduct the amount, or should refund it instantly if debited).

The deduction worries the user and, as for everyone, the first thought that comes to mind is contacting customer support. Contacting customer support by email may take up to 24 hours (as stated on official websites), followed by multiple follow-ups to resolve the query.

Calling customer support on the given number, explaining the problem and getting the issue resolved is quick, usually taking a few minutes or more depending on the complexity of the issue. Hence customers often reach out to support on the given phone number.

With any consumer service, such as a gas agency or an internet provider, the primary number is sometimes busy due to an influx of customer calls, or no one answers calls after working hours.

In such a scenario, customers search for alternative contact numbers. This is the first trap they fall into. Scammers generally share fake customer care numbers on Twitter, Facebook, Google Reviews, etc., which come up when you search in search engines. You would call one of these scammer numbers and be greeted in a way similar to customer support (although they do not mention any specific UPI portal; they'll just say that they provide support for all UPI apps, which should obviously raise suspicion, and yet people believe them). If asked why a mobile number is being used, they would say that it is the personal contact number of the support employee so that they can provide support after work hours.

As soon as you explain the scenario, he would ask you for a few more details so that he can raise the complaint. It looks legitimate so far. After gaining your trust, the scammer would ask you to install an app like AnyDesk, TeamViewer, etc. so that he can see the screen to understand the issue better. These apps give remote control of your device, so the scammer can operate and control it. Once he has control, he can see whatever you type (including PINs, passwords, etc.).

How to avoid online fraud

Dos
  • Read transaction SMSs, pop-ups and descriptions closely. Keep track of all messages from your bank.
  • Know the difference between an ID, PIN and OTP.
  • Alert your service provider to potential spam and fraud. You can report through TRAI DND App (Available for both Android & iOS).
  • Be sceptical of someone calling you and offering freebies like cashbacks.
  • Pay attention to SPAM warnings on your UPI app
Don’ts
  • Never share PINs and OTPs
  • Never share identifiable information on public forums that can be misused
  • Don’t enter a PIN to receive money on any platform
  • Don’t click on random links offering freebies or asking for verification
  • Never open e-mails without checking their authenticity
  • Avoid using Open Wi-Fi