UPI scam: Fraudsters loot over Rs 1 cr from 81 users in Mumbai

The pandemic period witnessed widespread use of unified payment interface (UPI) applications for cashless money transfers in India. However, these popular online payment applications have also allowed scam artists to come up with new methods to scam people.

Fraudsters recently looted over Rs 1 crore from just 81 individuals in Mumbai.

According to FIR and testimonies by victims, the scammer sends a small amount of money to the victim’s account using a UPI app like Google Pay and then says the transaction was a mistake. The victim is then asked to send money to the caller’s phone number.

If the user returns the money using one of the UPI applications, the scammer will gain access to all of the user’s information, including bank information and KYC information such as PAN and Aadhaar. They then hack into the victim’s UPI account and steal money directly from their bank account.

According to famous Delhi-based cybercrime expert Pavan Duggal, this technique of operation is a complex mix of malware phishing and social engineering. “This is a mix of malware phishing plus human engineering,” he said, emphasising the complexity of the situation.

“Existing anti-malware software may not be sufficient to protect Mobile payment application users from this online fraud.” He recommends that users react to such calls by telling the con artist that they have reported the issue to their bank.

Instead of paying it back through the app, Duggal recommends users to inform the caller to go to the nearest police station to collect up the cash. A picture of the payment being sent to a stranger is also not recommended because it creates personal contact and allows access to a lot of your private data.

According to a report by the union finance ministry, cyber cells recorded more than 95,000 fraud cases of UPI transactions between 2022-23.

The National Payments Corporation of India (NPCI) has released an update regarding the story stating that the online scam is related to KYC and not UPI. “With reference to recent media/social media articles on 'KYC scams' - The connection to UPI is misleading and incorrect. We assure all users that any payment through UPI does not expose the sender’s KYC details and neither does it lead to a user’s mobile or App getting hacked. UPI works on the principle of payment using a Virtual Payment address or UPI ID – using secure method of device binding and UPI PIN to transfer money. KYC details are not used or shared during a UPI transaction. We would like to reassure that UPI continues to remain a safe and secure payment method. The intention of some of these articles/ social media messages are to mislead and thereby create mistrust about a payment method that has been adopted widely across the country”, reports The Indian Express.

PhonePe has released a statement, citing that the UPI gateways are safe and scammers cannot hack into sensitive data by just seeing the transaction details. "We do not believe this to be true because when a user links their bank account on a UPI app, the bank does not pass on the KYC information, and we do not have any user sensitive details to begin with. Therefore, there is no risk of any data either leaking or a fraudster being able to reverse engineer any data shared during a transaction. The only information available to a receiver is the transaction amount, the UTR number and the sender’s name," reads PhonePe's official blog.

From online shopping to travel booking, UPI allows you to transfer money between bank accounts instantly. According to the Reserve Bank of India, the daily transactions hosted by UPI have crossed from 24 crores to 36 crores in February 2022.

Misinformation or lack of awareness is what leads users to the trap set by scammers. It is therefore essential to remain vigilant, stay informed and take appropriate measures to protect yourself from potential fraud to ensure that online transactions remain safe and secure.

Here are some points to follow to avoid UPI payment-related fraud:

• Only use UPI apps from reputable sources like your bank or official app stores. Make sure to download the app from a trusted source.
• Choose a strong UPI PIN instead of easily identifiable numbers like birthdays so that it is difficult to crack.
• Keep your UPI PIN safe and confidential, and never share it with anyone.
• Always double-check the payee's details before initiating a transaction. Verify their name, UPI ID, and other relevant details before sending money.
• Be cautious of unsolicited calls or messages that ask for your UPI PIN, account details, or OTP. Do not reveal your confidential information.
• Enabling transaction limits to restrict the amount of money that can be sent in a single transaction, can help limit the damage if your account is compromised.
• Always update your UPI app to the latest version, as updates often include security enhancements and bug fixes.
• Keep an eye on your UPI transactions regularly and report any suspicious activity to your bank immediately.