
Understanding Modus Operandi of Unified Payment Interface (UPI) Frauds

The Unified Payment Interface (UPI) platform is fast gaining market share and is one of the
advanced technology enhancements in digital payments. UPI is a means of making digital
transactions, and one of the most popular, handy and easy ways of making digital payments
through a mobile phone without using debit or credit cards. Because it is the easiest and least
time-consuming way to transfer funds, the majority of people have shifted from NEFT, IMPS and
mobile wallets to UPI transactions. Table No. 1 shows the increasing trend in UPI transactions
in India; in October 2019, UPI transactions touched one billion. On the other side, fraudsters
are also evolving different tricks to execute cyber-attacks.

Table No. 1
Unified Payment Interface transactions in India

Month     No. of Banks live on UPI   Volume (in Mn)   Amount (Rs. in Cr.)
Nov-19    143                        1,218.77         1,89,229.09
Oct-19    141                        1,148.36         1,91,359.94
Sept-19   141                        955.02           1,61,456.56
Aug-19    141                        918.35           1,54,504.89
July-19   143                        822.29           1,46,386.64
June-19   142                        754.54           1,46,566.35
May-19    143                        733.54           1,52,449.29
Apr-19    144                        781.79           1,42,034.39
Mar-19    142                        799.54           1,33,460.72
Feb-19    139                        674.19           1,06,737.12
Jan-19    134                        672.75           1,09,932.43
Dec-18    129                        620.17           1,02,594.82

Source: https://www.npci.org.in/product-statistics/upi-product-statistics

However, advanced financial technology is a double-edged sword: when it comes to
technological innovation and its effects on our lives and culture, both the luddites and the
evangelists have a point. Financial technology carries the risk of losing money,
especially when users are not aware of adequate safeguards or of how to protect their
activities against economic crime. It is not the technology but the mastermind behind the
process that commits cyber theft. Cyber crime is a perfect blend of people, process and technology.
Modus operandi can be classified into three types: technological vulnerabilities, human
errors and loopholes in the processes.

The Reserve Bank of India, public and private sector banks and other institutions such as IRDAI
(Insurance Regulatory and Development Authority) and EPFO (Employees Provident Fund
Organisation) frequently share warnings on their official websites and via email and social
media accounts, telling people not to share their personal and financial information
with anyone on the phone or with anyone posing as an official from the respective institution.
Despite all these alerts and awareness efforts, people are still falling victim to such cybercrime.

Virtual Payment Address (VPA)

In UPI, a transaction is executed through a virtual payment address (VPA). A VPA looks like xyz@axis.
The VPA stands in for your bank account: it is a unique online address for each customer, used
instead of sharing bank account details. A bank account is needed to enable UPI transactions.
Sending money via VPA
To send money via a UPI app, you must have the VPA of the recipient. Follow these steps to transfer
money using a VPA:
1. Enter your PIN and log in to your UPI app.
2. Select fund transfer through UPI as your preferred option.
3. Enter the beneficiary VPA, the amount to be transferred and remarks.
4. If you have multiple VPAs, choose the one linked with the bank account you would like to
pay from and click Submit.
5. Confirm the details and type your MPIN to validate.

Receiving money via VPA
The steps to receive money using a VPA are as follows:
1. Enter your PIN and log in to the UPI-based mobile app.
2. Select UPI, then click on “Collect via UPI”.
3. Type the VPA of the individual you are requesting money from.
4. Give the amount requested and add remarks.
5. Choose the VPA/account to which you need the money transferred.
6. Submit the details requested and await approval from the other end.
Once approved by the individual you are requesting money from, the amount gets credited to your
chosen account.

Modus operandi

Downloading app:
The attacker calls you, impersonating a representative of a bank or other financial institution.
They create a storyline about a money transfer or a query related to your debit or credit card;
the reasons may differ. As a remedy, they ask you to download an app such as AnyDesk,
TeamViewer or any other third-party app in order to compromise your device. After
you download the app, they ask you to share an OTP and grant certain permissions to access your
device; this is how they clone your mobile handset.

Collect request:
In any UPI financial transaction, one should be cautious about the messages and alerts received
on the mobile phone. Nowadays, fraudsters are sending SMS messages mentioning a “Collect Request”
through Google Pay or any other UPI app for the victim to click and confirm.

In UPI, you can send money to someone whose VPA or other details are known to you. However, if
someone initiates a ‘Collect Request’ and you authorize it, the funds from your account
will go into the sender’s account. If one unknowingly ‘Confirms’ such a Collect Request from a
fraudster, the account will be debited immediately. HDFC reveals the modus operandi in such
instances: “Send “Collect request” to your VPA and ask you to approve or authenticate it on the
respective UPI apps to get reversal or refunds.”
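
The direction of funds in a collect request, and a pre-approval check for the refund/reversal lure described above, as an added example that is not part of the original article. The field names, the review() hook and the sample VPAs are hypothetical and do not reflect any NPCI or bank API.

```python
from dataclasses import dataclass

# Lure words taken from the HDFC wording quoted above ("reversal or refunds").
LURE_WORDS = ("refund", "reversal")


@dataclass
class CollectRequest:
    # Hypothetical fields for illustration; not an NPCI or bank API schema.
    requester_vpa: str  # initiated the request; is credited on approval
    payer_vpa: str      # is asked to approve; is debited on approval
    amount_rs: float
    remarks: str


def funds_flow(req: CollectRequest) -> dict:
    """Approving a collect request always moves money payer -> requester."""
    return {"debited": req.payer_vpa, "credited": req.requester_vpa}


def review(req: CollectRequest, my_vpa: str, known_vpas: set) -> list:
    """Warnings an app could show before the MPIN prompt (assumed UX hook)."""
    warnings = []
    if funds_flow(req)["debited"].lower() == my_vpa.lower():
        warnings.append(f"Approving DEBITS Rs. {req.amount_rs:.2f} from {my_vpa}")
    if any(word in req.remarks.lower() for word in LURE_WORDS):
        warnings.append("Remarks promise a refund/reversal; a collect request only takes money")
    if req.requester_vpa.lower() not in {v.lower() for v in known_vpas}:
        warnings.append(f"Requester {req.requester_vpa} is not a saved payee")
    return warnings


# Constructed sample requests (all VPAs are made up).
SCAM = CollectRequest("support.refunds@examplebank", "xyz@axis", 4999.0,
                      "Approve to receive REFUND of Rs 4999")
FRIEND = CollectRequest("friend@examplebank", "xyz@axis", 250.0, "dinner split")

if __name__ == "__main__":
    for request in (SCAM, FRIEND):
        print(request.requester_vpa, funds_flow(request))
        for line in review(request, "xyz@axis", {"friend@examplebank"}):
            print("  WARNING:", line)
```
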

UPI fraud prevention

Types of frauds
Banks are now regularly sending emails and SMSs to their customers educating them on how
the UPI based scam works and what they should do to avoid being scammed.

For instance, ICICI Bank is sending warning emails to their customers telling them about
how fraudsters operate and what steps they should take to prevent the fraud.

According to the email sent by the bank to its customers, fraudsters ask customers to share
their debit card details, forward text messages, share UPI registration one-time password
(OTP) etc. over the phone. They use this data to create a new virtual payment address (VPA)
ID for your account and set an MPIN to do the transactions. At times, fraudsters ask
customers to click unverified links etc. over text messages.

In another scam, according to another Times of India report from July, HDFC Bank and even
the Reserve Bank of India had issued advisories warning all online banking users about a
particular app that is being used by fraudsters to steal money. According to the report, this is
how the scam worked: "Fraudsters may ask you to download AnyDesk App and share a 9-digit
code which gets them access to your phone to steal money."

The Times of India further stated that, "The RBI has mentioned that while the AnyDesk app
asks for regular privacy permissions, it is capable of acquiring full access to your smartphone
remotely and would let fraudsters carry out banking transactions remotely."

Now AnyDesk is a legitimate app which is a remote desktop software tool, which provides a
third party a complete view of the user's screen. Scamsters just use it to their advantage.

How to avoid fraud

In order to prevent such frauds, this is what you should not do:

- Never share details such as debit card number, expiry date, registration OTPs on the
  call or other media. The bank never asks for such details.
- Avoid clicking on unknown links or forwarding any suspicious SMS.
- Never share your UPI MPIN with anyone.

The steps advised by the ICICI Bank to prevent fraud are relevant for all customers using UPI
to avoid getting scammed.

What you should keep in mind

Banks and other financial institutions have been warning customers never to share their OTPs
and their bank account details with anyone over the phone or via SMS. Also, bank officials
never ask for such details from their customers.

Recently, apart from banks, other institutions such as IRDAI (Insurance Regulatory and
Development Authority) and EPFO (Employees Provident Fund Organisation) have also been
putting out warnings on their websites and via their social media accounts telling people not
to share their personal and financial information with anyone on the phone or with anyone
posing as an official from the respective institution.

Read more at: //economictimes.indiatimes.com/articleshow/71938286.cms
