UP, Gujarat, West Bengal contribute to more than 30% UPI frauds in India

NPCI takes only an average of 24 hours to respond to frauds

Ajinkya Kawale, Shine Jacob | Mumbai/Chennai
Last Updated: Sep 07 2023 | 12:24 AM IST
Last month, India achieved a historic milestone of 10 billion Unified Payment Interface (UPI) transactions. But there is a flipside to it. The rise in UPI usage has meant an increasing incidence of frauds. According to an industry estimate, more than 30 per cent of UPI-related fraud cases originate from three states — Uttar Pradesh, Gujarat, and West Bengal.

Of the total reported digital payment frauds, close to 55 per cent were related to UPI, a Praxis report published in May revealed.

However, close to 50 per cent of the frauds consisted of a ticket size less than Rs 10,000. About 48 per cent had a ticket size between Rs 10,000 and Rs 100,000 whereas those involving amounts over Rs 100,000 represented 2 per cent of the overall UPI-related frauds, the report added.

Though official countrywide data is not available, an estimate by Bajaj Finserv last year indicates that on an average India sees 80,000 UPI frauds in a month. As a percentage their numbers may be small, but they are increasing.

Industry sources attest to a trend where fake applications falsely present themselves as authorised UPI users. Tricksters defraud individuals via an array of deceptive methods — phishing attacks, malware, spoofing UPI IDs, remote monitoring of devices, among other techniques. Experts also warn about the use of artificial intelligence (AI) and machine learning (ML) by these fraudsters in the near future.

According to sources, National Payments Corporation of India (NPCI) is aware of such cases and has built a mechanism that tracks the system 24x7, with an average response time of 24 hours.

“…(there are) common attacks and scams using phishing, vishing, fraudulent QR codes, fake UPI apps, SIM swap fraud, UPI collect request scams, malware and spyware infecting the app,” said Kumar Ritesh, founder and chief executive officer (CEO) at Cyfirma, an external threat landscape management platform.

“The problem with a phishing attack is that it (you) tend to give control of your system, password, processes to an outside process. It may result in a piece of software getting downloaded in your system that can access your phone number, passwords, account number, among other things. On other occasions, fraudulent apps are masked as legitimate apps, (and) they take your data and force your money out,” said Pankit Desai, CEO and co-founder at Mumbai-based cybersecurity firm Sequretek.

Digital banking frauds doubled from 3,596 — fleecing Rs 155 crore using cards and internet banking — in FY22 to 6,659 (Rs 276 crore) in FY23. Interestingly, overall banking frauds saw a dip in FY23 to Rs 59,819 crore, from Rs 30,252 crore in FY22, says a Reserve Bank of India (RBI) report.

Over time, fraudsters may adopt more sophisticated strategies as technologies such as deep fakes, AI/ML and facial recognition advance. Experts expect the problem to only get worse.

“In two years’ time, social engineering and phishing attacks would primarily be using deep fakes. Today, defenders still have some ways of identifying a phishing email. With deep fake, the job will become far more difficult,” Kumar said.

Cyber attacks like these tend to navigate around the safety parameters of the payment systems.

“UPI itself is very safe. The problem is not with UPI, but our systems. Are the systems (mobile phones, among others) that I have connected my (UPI with) safe? There is a two-factor authentication (2FA) with a main password and OTP (to prevent frauds). (In the future), we will need some other mechanism that really validates that it is you who has carried out the transactions,” Desai noted.

Users can prevent payment frauds by practising basic digital hygiene for UPI-based transactions.

“Protect UPI PIN and never share your UPI PIN, OTP, or other sensitive information with anyone, even if they claim to be from a bank or UPI service provider. Enable 2FA on your UPI account for an additional layer of security. Regularly review your UPI transaction history to identify any unauthorised or suspicious activity,” Kumar advised.

Individuals should also invest in security products such as a reliable anti-virus service which they pay for, avoid downloading malicious software, and set different passwords for different platforms.

It is also pertinent for individuals to identify frauds as soon as possible so that law enforcement agencies, financial institutions and regulatory bodies can act on them fast.

“If you notice a suspicious transaction, it is important to report it as soon as possible. (With time), the trail of money goes from one account to another,” Desai said.

Kumar pointed out that in some cases, if there is sufficient evidence, law enforcement agencies or banks may request freezing assets or accounts involved in the fraudulent transaction to prevent further movement of funds. “Investigators may use digital forensic techniques to trace the online activities of the fraudster. This can involve analysing IP addresses, email headers, and other digital footprints to identify potential leads.”

Moreover, payments service providers, operators and developers of apps can invest in cutting-edge technology to detect and prevent anomalies and adapt to new fraud techniques.

“This is what we recommend: Set transaction limits for users based on their risk profile and transaction history. Implement additional authentication or approval processes for high-value transactions. Employ AI and ML algorithms to analyse transaction patterns and detect anomalies that may indicate fraud. Continuously monitor for both internal and external threats to identify vulnerabilities in the UPI system. Ensure that APIs (Application Programming Interfaces) used for UPI integration are secure and regularly updated to protect against vulnerabilities and data breaches. Invest in data encryption to protect sensitive user data,” Kumar added.
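The first three recommendations in the quote above (risk-tiered limits, extra authentication for high-value payments, and anomaly detection over a user's transaction pattern) can be combined into one decision function. This is an added example, not code from Cyfirma, NPCI or any UPI app; the tier limits, thresholds, median/MAD scoring and the sample history are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import median

# Hypothetical per-tier ceilings in rupees (constructed, not NPCI or bank limits).
TIER_LIMITS = {"low": 100_000, "medium": 25_000, "high": 5_000}
STEP_UP_AMOUNT = 10_000  # assumed threshold for additional authentication
ANOMALY_FACTOR = 8.0     # flag amounts this many MADs above the user's median
MIN_HISTORY = 5          # below this, the pattern is too thin to score


@dataclass
class Txn:
    amount: float
    payee: str


def robust_score(amount, history):
    """How far `amount` sits above the user's median, in units of MAD."""
    amounts = [t.amount for t in history]
    if len(amounts) < MIN_HISTORY:
        return None
    med = median(amounts)
    # Median absolute deviation resists a few large past payments; avoid zero.
    mad = median(abs(a - med) for a in amounts) or 1.0
    return (amount - med) / mad


def decide(txn, history, risk_tier):
    """Return (decision, reasons); decision is ALLOW, STEP_UP or BLOCK."""
    if txn.amount > TIER_LIMITS[risk_tier]:
        return "BLOCK", ["over_tier_limit"]
    reasons = []
    if txn.amount >= STEP_UP_AMOUNT:
        reasons.append("high_value")
    score = robust_score(txn.amount, history)
    if score is None:
        reasons.append("thin_history")  # unknown pattern: ask for more proof
    elif score > ANOMALY_FACTOR:
        reasons.append("unusual_amount")
        if txn.payee not in {t.payee for t in history}:
            reasons.append("new_payee")
    return ("STEP_UP" if reasons else "ALLOW"), reasons


# Constructed sample history for one user (amounts in rupees, made-up handles).
HISTORY = [Txn(250, "grocer@upi"), Txn(300, "grocer@upi"), Txn(180, "cab@upi"),
           Txn(420, "grocer@upi"), Txn(260, "cab@upi"), Txn(310, "landlord@upi")]

if __name__ == "__main__":
    for t, tier in [(Txn(350, "grocer@upi"), "medium"), (Txn(4500, "unknown@upi"), "medium")]:
        print(t, tier, decide(t, HISTORY, tier))
```

A STEP_UP result is where the app would ask for a second factor or a cooling-off confirmation before releasing the payment; BLOCK enforces the tier ceiling regardless of authentication.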

The government has pushed for initiatives to better safeguard users against scams and frauds.

In its report, Praxis said bodies such as the Central Fraud Registry, Centralised KYC Registry, Central Payments Fraud Information Registry had been established to report information regarding data and fraud. Additionally, within three weeks from the date of detection of a fraud, banks are required to provide Fraud Monitoring Returns in individual cases irrespective of the amount involved.

“The RBI has just come up with third-party outsourcing guidelines after recent breaches to force this (fintech) ecosystem to invest in security, processes, data storage, and a bunch of other activities. But, considering the breadth and the depth of the fintechs, it is probably going to take some time for breaches to actually get fixed,” Desai added.

Desai also said that fintech companies need to invest in security policies and conduct regular audits for these policies on technology and processes.

“24/7 surveillance and monitoring of the (digital) infrastructure, on a Cloud or a premise, is necessary. You need to be able to understand if any attack is happening in real time and to have a capability to protect it,” Desai added.

Abhishek Kothari, CEO, Pepper Money, a subsidiary of global consumer finance company Pepper Group, observed that UPI is still one of the safest payment methods built on a robust and secure technological framework.

“Therefore, for a consumer to stay protected from falling prey to fraudsters, vigilance is key. Added safety features within apps such as biometric authentication provide an extra layer of protection. Adopting safer practices can help confidently navigate and make the most of UPI amid transactions,” he added.

Paying the price

· 55% of all reported digital payment frauds were related to UPI, said a Praxis report in May

· Nearly 50% involved ticket size less than Rs 10,000; 48% had a ticket size of Rs 10,000-100,000; 2% involved ticket size over Rs 100,000, it added

· India sees 80,000 UPI frauds in a month, said an estimate by Bajaj Finserv last year

· Digital banking frauds shot to 3,596 (Rs 155 crore) in FY22 from 6,659 (Rs 276 crore) in FY23, an RBI report said

· Overall banking frauds dipped to Rs 59,819 cr, from Rs 30,252 cr in FY22
