Link UPI app to bank account having limited funds; set daily limits
Indians have lost Rs 485 crore to frauds on the Unified Payments Interface (UPI) across 6,32,000 incidents reported until September of the current financial year, according to data from the Ministry of Finance.
“Post-Covid, UPI transaction volumes have grown significantly due to the convenience UPI offers in undertaking both large and small transactions. But UPI frauds also tend to impact many people due to its massive user base,” says Vikram Babbar, partner, EY forensic and integrity services–financial services.
Key methods of fraud
Phishing links: Fraudsters send spam links via SMS, emails, or other means, enticing victims to click on them. “These links either install malware, extract sensitive banking information, or trick users into entering their UPI PIN, resulting in unauthorised transactions,” says Babbar.
Prashant Mali, an advocate and expert on cybercrime, says that fraudsters often impersonate trusted entities, like banks, e-commerce platforms and other service providers, to trick victims into entering their UPI PIN.
QR code manipulation: Frauds linked to QR codes have also grown. “Users scan QR codes with a certain set of expectations. Instead, their accounts get debited,” says Amit Dubey, author and cyber security evangelist.
QR code frauds take a variety of forms. Fraudsters send QR codes claiming they are for cashback offers or refunds. Scanning these codes leads to phishing websites or malware installation, allowing fraudsters to steal credentials or initiate unauthorised transactions.
Fraudsters also place fake QR codes over legitimate ones — on parking meters, donation boxes, etc. When users scan them, the payment goes to fraudsters’ accounts.
Sometimes, scanning a QR code installs malware on a victim’s phone, which intercepts OTPs (one-time passwords) or accesses the UPI app and carries out unauthorised transactions.
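What a QR code does depends on the text it encodes, so a scanner can show that text's intent before the user acts. The sketch below is an added example, not code from the article or from any UPI app: it assumes the common UPI payment link layout (`upi://pay` with `pa`, `pn` and `am` parameters), and every address, name and domain in it is constructed.

```python
from urllib.parse import urlsplit, parse_qs

def inspect_qr_payload(payload, expected_payee=None):
    """Classify decoded QR text and collect warnings to show before the user acts."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    info = {"kind": "other", "payee": None, "name": None,
            "amount": None, "host": None, "warnings": []}

    if scheme == "upi":
        # Payment intent. Assumed layout: upi://pay?pa=<address>&pn=<name>&am=<amount>
        query = parse_qs(parts.query)
        info["kind"] = "upi_payment"
        info["payee"] = query.get("pa", [None])[0]
        info["name"] = query.get("pn", [None])[0]
        info["amount"] = query.get("am", [None])[0]
        # A payment QR can only send money out of the scanner's account.
        info["warnings"].append(
            "Approving this debits your account; it cannot credit you.")
        if not info["payee"]:
            info["warnings"].append("No payee address in the code.")
        elif expected_payee and info["payee"].lower() != expected_payee.lower():
            # Sticker pasted over a legitimate code: payee differs from the merchant's.
            info["warnings"].append(
                f"Payee {info['payee']} does not match expected {expected_payee}.")
    elif scheme in ("http", "https"):
        # A "cashback" or "refund" code that is really a web link, not a payment.
        info["kind"] = "web_link"
        info["host"] = parts.hostname
        info["warnings"].append(
            "Opens a website, not a payment. Do not enter a UPI PIN or install apps.")
    else:
        info["warnings"].append("Unrecognised content; do not act on it.")
    return info

# Constructed sample payloads: (decoded QR text, payee the user expects to pay)
SAMPLES = [
    ("upi://pay?pa=cityparking@examplebank&pn=City%20Parking&am=50.00",
     "cityparking@examplebank"),
    ("upi://pay?pa=someoneelse@examplebank&pn=City%20Parking&am=50.00",
     "cityparking@examplebank"),
    ("https://cashback.example/claim", None),
]

if __name__ == "__main__":
    for text, expected in SAMPLES:
        result = inspect_qr_payload(text, expected)
        print(result["kind"], result["payee"] or result["host"], result["warnings"])
```

The second sample shows why the displayed payee name alone is not enough: the name still reads "City Parking" while the payee address belongs to someone else.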
OTP theft: WhatsApp accounts of 40 to 50 Gurugram-based doctors were hacked recently. The fraudsters posed as representatives of an organisation sending Diwali gifts. Since the gifts were expensive, the doctors were told to verify themselves online. They were asked to dial a number. In fact, dialling this number activated call forwarding. All incoming calls got redirected to the fraudsters’ phones.
The scammers then attempted to log into the doctors’ WhatsApp accounts. When WhatsApp sent a voice OTP to verify the login, the fraudsters intercepted the OTP, logged into the doctors’ accounts, and gained control over them. They then used these WhatsApp accounts to message the doctors’ family, friends, and colleagues, asking for money. Many complied.
How to stay safe
Never open links from unknown senders and unverified sources. “Avoid downloading apps or executable files from suspicious links,” says Babbar. Mali suggests verifying the identity of the person requesting money before responding.
Link your UPI app to a separate bank account or wallet that has only a limited sum. “This will minimise potential losses,” says Babbar. Dubey suggests setting daily transaction limits on UPI apps.
Mali warns that QR codes are for sending money, not for receiving it.
Nowadays, security apps (like Mobi Armour) are available. “An app like this one can scan QR codes, links, and Wi-Fi networks and ensure they are safe,” says Dubey.
Update your UPI app regularly to avail of the latest security features. To keep transactions secure, Mali suggests using only trusted apps and platforms for UPI transactions. If you get a suspicious request from, say, your bank, verify the request by calling its customer care number. Mali also suggests keeping yourself updated about the latest tactics being employed by fraudsters.