Online payments services like Google Pay, Paytm, and PhonePe have grown in popularity over the past few years thanks to the government’s ‘Digital India’ push. UPI (or Unified Payments Interface) has made it easy for users to transfer money and our dependence on these services may have even increased during the ongoing coronavirus lockdown as people are forced to stay at home and make payments online instead of doing it in person via cash. Thus, this is the time to be extra vigilant when it comes to UPI scams as fraudsters try to dupe unsuspecting users since scammers are always on the lookout to trick users into giving them money directly from their bank accounts, and UPI is a great tool for them to do so. In fact, several people have lost thousands and lakhs of rupees in these UPI scams. Here are a few popular UPI scams through which fraudsters are able to scam people using apps such as Google Pay and PhonePe.
1. Request Money scam
One of the most common UPI scams is the ‘Request Money’ scam. This happens when a user receives a request to pay money instead of getting a payment, and isn’t paying enough attention to the transaction. OLX and Quikr are well-known for hunting grounds for frauds using this scam. On apps like Google Pay, PhonePe, BHIM, etc., there is an option to request money from another person, which is something fraudsters take advantage of. Say you’re expecting a payment from a person for a product you want to sell, but instead of paying you the amount, the person sends a payment request for that amount. You receive the request and, unassumingly, enter your UPI M-PIN. As soon as you enter the PIN, you have validated the transaction and the money gets transferred from your bank account to the fraudster’s account.
@CyberDost
— 🇮🇳Shivam Kumar (@_ekansh11) May 5, 2020
I Just got a call from +91 9064342853. Saying I hv got 3999 from @PhonePe_ as reward. The guy is still on call on 8:49. He even tried requesting me rs 3999 through phone pe. Please look into this number. I’m attaching some screenshots. @phonepe_safety @PhonePeSupport pic.twitter.com/7z2syFA4jj
2. Cashback/ refund scam
This is a variation of the Request Money scam, wherein the scammer will call and pose as an agent of the bank or a major retail chain. She/ he says the user has been awarded some cashback and asks them to accept it via any UPI app of your choice. Many scammers even keep an eye on Twitter and Facebook for complaints shared by users on the platform; they then call as executives of such companies and promise to process a refund. Within seconds, the user gets a message mentioning the said amount on your UPI app; in a rush to encash the cashback, many users enter their PIN. However, this will be a payment request — UPI apps do not require users to enter PIN to accept a payment. This means they authorised a UPI payment from their phone instead of accepting money from the caller. This is a fairly common scam and many have fallen for it.
3. Remote access/ Vishing
UPI has a simple four-digit PIN to authorise transactions. The simplicity of this process also makes it easy for hackers to transfer funds from your bank to their accounts once they discover your PIN. One of the ways hackers can do this is by accessing your phone remotely using apps like AnyDesk. This is a remote desktop software that can allow hackers to gain access to your phone and all the OTPs it receives.
In such a scam, you can get a call from a fraudster pretending to be a bank representative calling regarding an issue with your account. They will then try to establish a conversation, asking for personal details such as your date of birth, name, and mobile number. They will then ask you to download an app like AnyDesk or ScreenShare or TeamViewer from Google Play Store. The fraudster will then ask for an OTP that is generated when setting up the app. They will also ask you to grant all the necessary permissions in the app. Once this is done, the hacker will have full control of your phone and can make transactions using your UPI account.
In such a case it is important to understand that a bank representative will never ask for your credentials such as passwords or OTPs. They will also never ask you to download a third-party app. If anyone asks you to do any of these over the phone, they are most likely trying to scam you. Notably, apps like Paytm will not work if you have a screen-sharing app installed in order to protect your confidential data.
4. SIM cloning
Another way fraudsters have been able to hack someone’s bank account is by cloning their SIM card without their knowledge. By cloning the number, the fraudster can receive OTPs, allowing them to change the victim’s UPI PIN and access banking apps and payments services like Google Pay, Paytm, and so on. The process for SIM swapping or cloning is not easy, which is why it’s not popular even among scammers. SIM swap fraud has been steadily increasing in India in recent times. Last year, a person reportedly lost Rs 25 lakh due to SIM cloning.
Notably, this method happens after some of the previous scams we mentioned such as phishing and fraudsters pretending to be bank representatives. Once they obtain enough personal information from the victim, they can call the mobile operator and convince them to block your SIM number. They will then obtain a new SIM and access your banking accounts via SMSs and OTPs.
5. SMS forwarding scam
This is a relatively elaborate scam in which the scammer will ask you to send an SMS from your phone in order to authenticate an order or to process a refund, etc. However, this SMS actually contains an alphanumeric identifier for your smartphone — this alphanumeric identifier tells UPI that the request to register a UPI account was made from the users’ registered phone number. When you send the requisite SMS to the scammer, they will get this alphanumeric identifier too, which allows them to register for a UPI account from your phone number. Then they will be able to steal money from your account. This usually involves the fraud guessing the UPI PIN based on the personal info they have of the user. However, there have been cases where the scammer convinced the user to give their PIN in order to process refunds etc.
6. Fake helpline numbers
This is a fast-growing UPI scam these days. When you search for something innocuous, like the phone number of courier service or a local restaurant, Google may show a listing that is unverified and actually belongs to a scammer. The scammer achieves this by optimising the website for social media as well as by registering as a business on multiple platforms to convince users (and Google) of its authenticity. When you call that number, the person on the other end will ask you for details or your package or take your order; then will request partial or even full payment to confirm the order via UPI. After this, money will be deducted from your account and the phone number will become unresponsive.
7. Counterfeit UPI apps
Counterfeit UPI apps are available by the hundreds on the Google Play Store, with names that try to trick the user into downloading them. These include and are pretty easy to spot due to poor ratings and few downloads. Nonetheless, if someone does end up downloading such an app, they can not only give away their phone number in the registration process but also their debit card PIN and access to their bank account. In many cases related to these fake banking apps, the OTP the user receives and then enters in the app is used to authenticate a payment/ transaction by the scammer.
