As UPI Transactions Surge, Fraudsters Hone In On Vulnerabilities

The increased convenience offered by the platform has drawn customers and payment service providers but also fraudsters.

No official data on such frauds is available with the National Payments Corporation of India. BloombergQuint reached out to NPCI via email and calls to understand the increase in instances of UPI-based fraud but the organisation is yet to respond.

However, reports of small-value fraud using UPI-based payment platforms have been on the rise.

According to Vishal Thakur, deputy commissioner of police - cyber crimes, Mumbai, over the last six months the number of UPI-related fraud complaints at the cyber-crime cell have increased substantially and are now at-par with the number of debit or credit card fraud complaints they receive.

Even though the volume or value of such frauds may not be alarming, banks and payment service providers have become more alert to features that are susceptible to misuse. “Stay alert and cautious! Fraudsters are using UPI to get your money”, alerted an email from HDFC Bank to its customers. Peer ICICI Bank listed out ten ways in which fraudsters may target UPI-payments. Even the RBI, in specific instances such as alleged UPI fraud via a service called AnyDesk which surfaced in February, cautioned about the rising instances of UPI frauds.

Customers, too, seem to be sitting up and taking notice if the surge in searches for terms such as “UPI Fraud” and “Payment Fraud” are anything to go by.

Targeting ‘UPI Collect’

One UPI feature that has been increasingly misused is ‘UPI Collect’, which, as the name suggests, is a request to collect money from someone. This service sends a collect request to a customer who shops with the online website and chooses to make a payment using his UPI.

Earlier this month, Times of India reported that a scientist at IIT-Bombay was defrauded Rs 80,000 by a person who claimed to be interested in purchasing goods listed in an online classifieds service.

BloombergQuint could not verify that specific instance but found other such examples of fraud.

One recent case was where fraudsters targeted another customer using OLX, a website for classified advertisements. This fraud victim, who spoke to BloombergQuint on condition of anonymity, said that they were defrauded of Rs 7,000 in early October after they placed an advertisement on OLX to sell an electronic device.

The buyer approached the seller stating that they would pay half in advance and the remainder after collecting the device. The seller then received a UPI payment request from the buyer, while the buyer was still asking questions about the technical features of the device. Assuming that it was to accept a payment, the seller proceeded to click ‘accept’ on their UPI application, but instead their account was debited, this person said.

This person attempted to call the seller moments after realising their mistake, but the mobile device was disconnected and messages over OLX to the buyer went unanswered.

On its part, OLX flagged the buyer’s account as suspicious and also has published an FAQ on UPI frauds warning their customers of the potential for fraud.

OLX did not respond to an email from BloombergQuint.

Another such case occurred when a victim took to a social media website to complain about the Indian Railway Catering and Tourism Corporation Ltd..

Earlier in April this year, the victim had made a payment to IRCTC for a ticket, but the transaction did not go through and the money was never refunded. The victim took to Twitter to air their grievance. In response they got a call from someone claiming to be an IRCTC employee.

The alleged employee asked the victim to open a Google Form, sent via an SMS, and fill the form. Within five minutes of filling the form, over Rs 1,000 was debited from the victim’s account. This victim also spoke on condition of anonymity.

An email sent to IRCTC seeking a response went unanswered.

What Makes UPI-Collect Vulnerable

Instances such as the ones cited above and others suggest that the UPI-Collect feature is one source of vulnerability.

Is it? And, if so, why?

The UPI platform has two payment functions - push and pull. When a person initiates a payment, that is when a payer pays the payee via UPI, this is called a push transaction. The process followed in that transaction is explained below:

On the other hand, a pull function is when a request for collecting money or a ‘collect request’ is initiated by the payee to the payer. This follows a different process as detailed below:

While the push-payments appear to be reasonably standardised, the pull-payments are not.

Puneet Kapoor, senior executive vice president at Kotak Mahindra Bank, said there is a clear shift in how consumers are being defrauded. From physical or instrument-led frauds, the trend is largely now in compromising identity credentials, getting access to the banking app or luring consumers to remit money out.

“The collect money feature of UPI is being increasingly used to lure customers into approving a transaction without them realising that money will go out,” he said over email.

Kapoor said that UPI frauds are on the rise in absolute numbers, but in percentage terms, it is in line with the increase in the total number of UPI-led payments.

Security Or Design Flaw?

In July 2018, the NPCI issued a circular requiring those who develop payment applications to improve security features particularly when it comes to ‘collect request’ features. The circular asked payment service providers to standardise the SMS sent to customers whenever a collect request is initiated. NPCI also asked that a payment confirmation page is added before the transaction is finally authorised.

But not all payment service providers have done this, leaving open the scope for misuse.

“The first issue is that people are still unaware of how UPI works and that to receive money you do not need to log into the app and click any button,” said Harshil Mathur, founder, Razorpay. The second issue, he said, is that some of these apps are not communicating the ‘collect request’ properly to their customers.

“A lot of these apps do not have strong designs that clearly tells the user that if they click the button it will debit their account and not receive,” Mathur said.

PhonePe, for instance, has built a messaging process so that customers see the request before they enter the UPI PIN and their account is debited, said Anuj Bhansali, the head of risk and fraud at PhonePe. “These messages serve as a reminder to the customers that they are paying money to the requester. When customers receive payment requests from unknown users, they see the option to "Decline" the transaction and also "Block" that particular user from sending new payment requests to them,” he said.

Both Razorpay and PhonePe block high-risk transactions and accounts when they suspect or are informed by customers or the police that a particular merchant on their network is fraudulent.

According to Mukul Shrivastava, partner, forensic and integrity services, EY India, the increased convenience of the payments and digital banking system can create increased risks. “Even if there is an OTP facility to the ‘collect request’ service, after using it a few times people will get used to it and their susceptibility to frauds remains the same. It is a human and convenience issue,” he said.

Limiting The Risk

To limit the risks across payment systems, NPCI conducts an annual technical and financial inspection of all payment service providers on the network. There are 141 live-members on the UPI network and 40 third-party-apps, according to NPCI’s website.

But as a cyber-security expert pointed out, these technical audits are conducted by third-party vendors in most cases. As such, a vulnerability may go undetected for a while, this person said on the condition of anonymity.

Srikanth L, a technology research and contributor to Cashless Consumer, a consumer collective focused on digital payments, said that the NPCI needs to check if any of the licensed payment service providers and third-party apps on the UPI network have not followed its technical guidelines. “Perhaps the NPCI needs to develop an automated way to check that these basic security features are complied with, whenever an app is updated and a new version is rolled-out, he said. It may not be possible to check every technical standard prescribed, but the key security factors can be automatically checked, Srikanth added.