A Closer Look into UPI Fraud and How it’s Done

Saurin Parikh
Aug 26, 2019

Your guide to staying vigilant and safe from cyber frauds.

Digital transactions are the need of the hour, and with the country rushing towards a cashless economy, it’s important to stay vigilant of all the loopholes in the system.

UPI, being one of the foundation stones of the digital economy, needs to be airtight when it comes to security. With UPI transactions hitting an all-time high this year, it’s no surprise that UPI is one of the most preferred methods of payment in recent times.

And why wouldn’t it be?

All you need is a 4-digit PIN to authorize your transaction and the deal is done in seconds. Of course, something so awesome definitely comes with its share of liabilities, and that’s what we’re going to see in this article.

Amid a massive spike in online banking fraud, HDFC Bank issued a warning to all online banking users. According to the alert, fraudsters are stealing money from users’ bank accounts via UPI. Hackers access users’ mobile phones remotely through a device control app called AnyDesk.

So, how do we deal with UPI fraud? How do hackers take your information? What is the best way to keep yourself safe from so many seemingly intelligent tricksters online?

Let’s begin!

#1 Types of cyber frauds

Before you can stay vigilant, you must first be aware of the types of fraudulent cyber activities out there. While there are one too many types of fraud, in this article we’ll be discussing those pertaining to UPI scams. Here goes:

  • Phishing

Fraudsters send bogus e-mails that lead the potential victim to a fraudulent site in order to access their sensitive information. Once the victim keys in their details (password or PIN) on the fraudulent site, the information is immediately passed on to the hacker for misuse.

  • Malware

Malware is one of the most common forms of cyber fraud and can be mistakenly downloaded from a fake e-mail attachment or an unsecured website. Malware is designed to extract and copy data from the infected device.

  • Money Mule

Money Mule is a more elaborate fraud where, once the victim’s data is obtained, fraud rings transfer money to an intermediary account to house the loot. This account acts as one of the money mules to park money collected from different victims.

  • SIM Cloning

SIM cloning is a recent addition that has mushroomed after the OTP-mandatory rule by banks. If a fraudster clones your SIM, he can even change the UPI PIN. The fraudster gets hold of the victim’s bank account details and ID proof to reset the PIN.

  • Vishing

Vishing is mostly scamsters posing as bank representatives, asking questions ‘on behalf of the bank’. These individuals weave a web of lies and enquire about the victim’s personal information to extract their PIN or password.

#2 The Execution

It’s been observed that fraudsters follow a pattern whilst executing these elaborate plans. We’ve managed to weave a step-wise timeline of how these plans are generally executed. Take a look:

Step 1

Fraudsters usually call targets to get their attention, as opposed to texting. They commonly disguise themselves as a bank representative, calling for a seemingly harmless issue.

Step 2

To make the call sound legit, they proceed to ask verification questions like your date of birth, name or mobile number.

Step 3

There is always a problem. Hackers usually cite technical difficulties in the app or website as the reason they need to talk to the victim. They usually weave a false story in which the victim has to hand over their personal information to resolve the issue.

Step 4

Once the fraudster has convinced the victim, they proceed to ask the latter to download an application on their phone. Some of the apps are AnyDesk and ScreenShare, which are available on the Google Play Store.

Step 5

While it is being downloaded, AnyDesk or any similar application asks the user for privacy permissions, like any regular app. But don’t be fooled: these apps can access everything on your phone.

Step 6

The fraudster will then ask the victim for a 9-digit OTP, which is generated on the victim’s phone. As soon as the victim reveals the code, the hacker will also ask them to grant permissions on the phone.

Step 7

When the app acquires all permissions required, the caller starts to take full control of the victim’s phone without their knowledge. After getting full access to your phone, a hacker steals passwords and begins transacting with the victim’s UPI account.

We identified other approaches, too. Fraudsters send an SMS and ask the victim to forward it to another number that they provide. Once the message is successfully sent, it permits the fraudster to link the victim’s mobile number or account through UPI to their own mobile.

Fraudsters also send a ‘collect request’ or a refund request to your Virtual Payment Address (e.g., name@bankname) on apps like Google Pay, PhonePe, etc.

Most users authorize these requests without paying attention, and this can lead to any amount of money being collected from their account.

This story was first published on Razorpay Blog.
