"I could not receive my package, so I looked for Urbanic's customer care number on Google to find where my order was. I found a number from Google and called that number. They asked me to download the AnyDesk application, and then they asked me to put in my UPI pin", said Diksha Sharma, a journalist.
When she asked the "executive" why they needed her UPI info, the latter said they would help her understand it better. Two days later, Sharma lost around Rs 5,000.
This is not the only such case. More than 95,000 fraud cases involving Unified Payments Interface (UPI) transactions were recorded in India in 2022-23, the Union Finance Ministry told Parliament.
The scams increased from 84,000 cases in 2021-22 and 77,000 cases in 2020-21. While the government has constantly pushed for digital payments, the country has also seen a significant increase in scammers duping people of their hard-earned money due to a lack of media literacy.
From posing as customer care officials to asking people to enter their UPI PIN to receive money, scammers find new ways to cheat people. But what are some of the most common methods these scammers use? What is their modus operandi? How do people fall for such scams?
The Quint's second part of the Scamguard project answers these questions. We spoke to victims, a cybersecurity expert, and a psychologist to better understand the issue.
Are you actually speaking to a customer care executive?: Sharma told The Quint that as soon as she entered her UPI PIN on her screen, as the "customer care executive" instructed, the call was disconnected. When Sharma found that she had lost Rs 5,000, she filed a First Information Report (FIR) at the police station. However, she still awaits an update.
A Reddit user shared a post claiming that he narrowly escaped a UPI scam. The user's wife wanted to contact a hospital, and since she was in a hurry, she searched on Google for the contact and called the first number that showed up.
The scammer shared the booking link on WhatsApp and offered to help fill out the form.
The user went through the link and found it suspicious. He still provided all the details, but when he saw that the UPI interface looked different from NPCI's, he decided not to proceed with the transaction.
Rakshit Tandon, a cybersecurity expert, told The Quint that this kind of scam is the most common. He said that users search for customer care numbers through Google for all major services.
Sent money by "mistake": The scammers transfer a small amount to the victim's account. Then, they contact the victim, claiming that the money was sent mistakenly. At this point, the scammers send a link and ask the victim to use it for payment. However, when the victim clicks on the link, the scammers take control of the device and steal money from the victim's bank account.
A user named 'Umesh Dudhabale' posted on X (formerly Twitter), where they shared their experience about the same incident.
Electricity bill scam: The victim receives a message from an unknown number that says that their electricity bill has not been paid and the electricity department will discontinue the services. When victims contact the number given, they are either asked to download some third-party applications or asked to share personal information. This eventually leads to people losing their money.
An X user named 'Vignesh K' shared their experience where they were asked to download a third-party application to "pay transaction charges for electricity bill".
Fake websites and applications of service-providing platforms: The scammers usually create a replica of the websites and mobile applications where they ask for UPI and card details of the victim. The website will have a similar-looking URL. This is true for mobile applications, too. These fake applications usually ask for personal details, which the official ones will not ask.
Recently, IRCTC sent an email warning people of a malicious Android application hosted on a phishing website that was being shared on social media platforms.
Scammers were impersonating government officials and tricking people into revealing their sensitive information.
Tandon said that people should identify the developer and permissions while installing any application.
He also cautioned people against downloading apk files and said that scammers are targeting people with these files.
Hacking accounts: Ayush (name changed) told The Quint how he was scammed through a fake investment scheme on Instagram. After seeing a few stories of his friend's account where they earned a profit, Ayush decided to invest too and reached out to the person mentioned in the story. He was asked to invest Rs 2,000 and was promised around Rs 25,000 as profit.
Ayush received a QR code where he was asked to send money through UPI.
The scammer asked Ayush to send more money. This is where he realised that he was being duped. He later found out that his friend's account was hacked. Hacking people's accounts and approaching their contacts is another method scammers use to dupe people.
Recently, a woman from Kolkata had her WhatsApp account compromised and the scammer was sending messages to the woman's contacts asking them for money.
Harshit Mahajan, an X user, shared their experience where their WhatsApp was hacked and the scammer was asking people for money.
Huma Qureshi, a victim of online fraud, told us that she too lost Rs 5,000 when she invested in a scheme shared by one of her contacts on Instagram. The scammer promised her a return of around Rs 25,000-35,000 in a mere 25 minutes.
However, when time passed and Qureshi asked for money, the scammer asked for a deposit amount. After she refused, the scammer eventually blocked her.
Is it your relative or a scammer?: The Quint had previously spoken to some victims of digital fraud to understand how the scammers lay down their traps.
Prerna Yadav, a journalist, narrated an incident in which the scammer called her mother, impersonating a distant relative.
The impersonator eventually cheated Yadav's brother of around Rs 80,000.
Let's analyse why UPI scams are more prevalent than other frauds, including accessing credit or debit cards. Tandon told The Quint that it is much easier for a scammer to dupe people of money through UPI.
He explained that in these kinds of scams, the scammers only need access to the victim's PIN. However, if one tries to hack a debit or credit card, they need a lot of credentials like a 16-digit card number, OTP, CVV, and expiry. So, now scammers are targeting only UPI.
This raises a concern considering UPI's popularity over the years. According to information available from the Press Information Bureau (PIB), about eight billion transactions were carried out through UPI in January this year. A recent report said that UPI transactions are likely to reach 1 billion transactions per day by 2026-27.
According to the 2022 annual report of the National Crime Records Bureau (NCRB), the cases of credit/debit card fraud recorded in 2021 were 3432, an increase from 2870 cases in 2020 and 1809 cases in 2019.
While 2019-20 saw an increase of 58 percent in the number of cases, 2020-21 saw an increase of 19.58 percent.
Looking at the increase in the number of UPI cases, we found that the year 2021-22 saw a 9.09 percent rise, whereas 2022-23 saw an increase of 13.09 percent.
(Note: We kept 95,000 as the final figure in our calculation; however, the ministry statement said that more than 95,000 cases were recorded in 2022-23.)
Data:
https://docs.google.com/spreadsheets/d/1TyJLms04Y1u9NyZKNTpu_cTuB_09SB8S5X0mmt_2qH0/edit#gid=0
Speaking to The Quint, Tandon listed a few red flags that a person can identify to escape the elaborate traps set by scammers. He also shared some steps people can take to safeguard themselves.
If someone asks you for your PINs or OTP, it is a big red flag.
The customer care executives can't ask customers to install any third-party application to provide services.
Enable double-factor authentication on all your accounts, including social media handles and email accounts.
Do not keep any personal credentials in your photo galleries. Most applications ask permission to access your gallery when you install them.
Activate double authentication on your UPI accounts, too.
He further said that people should keep the official contact details of their respective banks handy. So, whenever they are caught in an online scam, they can immediately ask the bank to 'debit freeze' their account.
We contacted Dr Sanjay Kumavat, Consultant Psychiatrist at Fortis Hospital in Mulund, to understand how people's cognitive biases play a role in responding to such scammers.
He said that scamsters usually lure people with their authoritative or assuring voice, and people get carried away impulsively.
Dr Kumavat said that when money is shown to people, they tend to melt emotionally and try to engage in conversations and these kinds of activities. When a person is involved and gives a small amount of money, the demand from scammers keeps increasing, and the person eventually realises that there is no end to it. Then, the threat starts. To avoid that, we continue to fall into the trap.
He advised people to listen carefully and think before taking any action. Dr Kumavat said that if a person still wants to take time, then they can drop the call as there should be no urgency to reply to any financial deals.
A study published in International Research Journal of Engineering and Technology said that "UPI-based social engineering cases of fraud are likely to remain a severe risk as the digital economy continues to grow. Individuals and organizations, on the other hand, can minimize the likelihood of falling victim to these types of scams by remaining vigilant and taking proactive measures."
Social engineering cyberattacks usually happen when the scammer uses psychological techniques to trick people into revealing their sensitive information.
We came across a survey conducted in 2022 which found that "almost one-third of Indian consumers have been victims of online fraud." It further said that "Indian consumers are most vulnerable to fraud on social media sites and apps (38%) followed by payment system providers (30%) and online gaming platforms (30%)."