Ways to protect yourself from fraud on UPI apps namely Google Pay, PhonePe, Paytm

Pin is needed only for transferring not while receiving.

Block or avoid unknown access to screen-sharing apps.

Never ever share your pin, CVV and OTP details.

Ashutosh Asthana, a 32-year-old Delhi based freelancer lost Rs. 10,000 to a fraudulent transaction while using Unified Payments Interface(UPI) application, Google Pay. He was trying to sell his sofa set on OLX, a platform for buying and selling old or second hand goods.

Although UPI is super easy to use but lack of awareness and not having a suspicious mind that there can be such misuse, the freelancer lost money on good faith. The UPI enables bank account holders to send and receive money through their app in which the bank is linked using a Virtual Payment Address (VPA), a unique ID, without requiring additional bank information once the account is added in the UPI app. It has become a common fraud with many cases reported and currently investigated wherein the fraudsters tend to ask for the Virtual Payment Address (VPA) on a phone call by while engaging you in a chat. The message received will also have a fake narration as “Money received from ‘X’ person”

The case happened on a lazy Sunday morning when the freelancer Ashutosh woke up late around 9 a.m. and while sipping a cup of tea took photographs of his sofa set and an old water dispenser and uploaded it on OLX. Within 10 minutes he received a call from a person(fraudster) saying that he is ok with price without bargain and asked whether Ashutosh used Google Pay, UPI app. With no bargain and easy deal, the freelancer was set in a trap. Ashutosh immediately said that he uses the app and finalized the deal.

The fraudster engaged Ashutosh in chat and in the middle of call sent a message from UPI app Google Pay, that had narration “Money received from ‘X’ person name” and asked Ashutosh to accept the money sent request for transfer completion and enter the PIN. The trap was successful, without much thinking and attention Ashutosh clicked on accept button and entered the PIN and the rest is ‘Fraudistory’ (Just invented, not in dictionary).

After a minute Ashutosh received a message from his bank that a sum of Rs. 10,000 has been Debited from your account vide UPI reference no. xxxxxxxx. The freelancer was in for a shock as the money was ought to be credited. Even the hot cup of tea froze that moment in his hand. It was too late to retract or cancel the transaction.

Immediately Ashutosh called the person and said that instead of receiving the money the bargained sum is debited from his account. But the fraudster was so cunning that he said that the money is not received by him but has paid Ashutosh twice so he is sending a message to him to refund Rs. 10,000.

He again sent a message with PIN and called Ashutosh to accept the same and enter the PIN again. But by now Ashutosh was well aware that he has been defrauded and the fraudster is trying to make a fool of him once again.

Be alert when engaging with purchaser (He/she will be sweet talker)

He called the buyer (fraudster) once more and asked for an explanation. The person feigned ignorance and said that he would look for an alternative way to transfer the amount to him. But at the same time again asked him to first refund Rs. 10,000. On hearing this Ashutosh got angry on which the other person disconnected the phone and didn’t pick the call again.

After 10 minutes, Ashutosh again received from a person for purchasing the Water Dispenser, the other item he had uploaded on OLX. This person also asked for use of UPI apps for money transfer, but by now Ashutosh was not only aware but also annoyed, so he asked for payment in cash for the water dispenser, on which the other person disconnected the phone.

As per the National Payments Corporation of India (NPCI) data, the total number of UPI transactions have reached 781.79 million in April 2019. Although the total number of transactions stabilized month by month, the total value transacted by UPI grew by 6.4% reaching Rs. 1.42 lakh crores. Average transaction per person comes to around Rs. 1,700. As the transactions and infrastructure grow there is a high probability of fraud that may occur. Therefore, it is important for consumers to be aware of various means of fraudulent transactions on these platforms. NPCI or the National Payments Corporation of India is considering use of Blockchain technology to make the system more robust and risk free.

Be alert to transfer requests on UPI

Fraudsters misuse the ‘request money’ option on UPI apps such as Bharat Interface for Money (BHIM), Google Pay, PhonePe, etc. Imposters/fraudster show interest in buying a product listed on various online platforms like OLX, Quickr, etc and engage the seller on a phone call. They induce the seller of the product to transfer the money using UPI apps’ ‘request money’ option. There have been numerous instances of such frauds in the last few months. One of the instance can be referred here :

Ashutosh suggests that to overcome these scams. “UPI companies should provide totally different user interface of the app, wherein color coding will also help like red for payment and green for receiving. Also a pop up alert when request money window pops up on the screen, it should clearly mention that after accepting this transaction (request), your account will be debited with Rs XXX amount and this acceptance should also be password protected”.

Google Pay explicitly points out the direction of the money flow in the user interface to make it easy for the user to distinguish between send and receive requests. Refer the image below, although it is easy to miss it.

Different arrow directions for payment and receiving money

Security features of Google Pay app also help to identify requests from high-risk users and a ‘spam warning’ is shown to the recipient.

Google Pay, Director – Product Management, Ambarish Kenghe, says, “Users need to be mindful that a transaction which requires them to enter their PIN, is for sending money. Remember, receiving money requires no PIN. If you happen to receive a payment request from someone not in your contacts list or whom you cannot immediately identify, then you should immediately decline the request.” NPCI has also urged users to decline all such requests coming from unknown payment addresses.

Limit third-party access to your mobile screen

There are several invasive technologies that can cause huge losses to users if not handled cautiously. Several free screen-sharing apps such as Anydesk, Teamviewer and Screenshare are generally used by the engineers to fix issues on a phone from a remote location. These apps grant full access and control of your phone to the engineer or fraudster accessing your phone. As per a press release from NPCI, five cases were reported with Reserve Bank of India (RBI) of fraudsters using these third-party screen-sharing apps to control mobile phones for malicious purposes.

“On third-party screen sharing apps, consumers think they are being helped for complaints, but fraudsters use the opportunity to record the user’s card number, CVV code and initiate financial transactions. Fraudsters capture the OTP received on the user’s phone and use it for transferring funds to their own accounts.” cautions, Anuj Bhansali, Head of Fraud and Risk at PhonePe.

Bharat Panchal, Head of Risk Management, National Payments Corporation of India adds, “Once access is granted on screen sharing app, fraudster can not only initiate financial transactions but can also place online shopping orders or book rail/air tickets, etc. using the apps available on users’ phones or even steal any information stored in the mobile phone.” So, you must be mindful of giving access to your mobile device to anyone, under all circumstances.

Plethora of Counterfeit UPI apps on Google Play Store and Apple apps

Counterfeits for UPI apps are already there on Google Play and Apple apps stores. After BHIM’s launch in December 2016, there were complaints to NPCI of numerous similar BHIM apps available on Google Play Store. Some of the names with which the fake apps were listed on Google Play Store were Modi Bhim, Bhim Modi App, BHIM Payment-UPI Guide, BHIM Banking guide, Modi ka Bhim, etc. However, after numerous complaints and media coverage in January 2017 from consumers, these fake apps were pulled down from Google Play Store.

For their own safety user should verify the company that created the application’s name, registered website and email address. Verify the app’s developer’s background before installing on your mobile.” For understanding sake, Google Pay is owned by Google and BHIM is owned by NPCI, so always check the details of the company that created the application. See Image:

Always download the app from the Google Play store or Apple apps store. In addition, before installing, see the number of downloads, check the reviews and ratings of the app. Most of the times genuine review will expose the fraud apps. Downloads of fake app would be in thousands compared to downloads in millions in the case of genuine apps.

Identify and avoid fake helpline numbers on social media as well as on Google search results.

UPI customers now days’ tweet about issues related to missed redeeming offers, missed cashback, money transfers, initiating refunds, and more. Unfortunately, again due to lack of awareness many users post the issues on counterfeit twitter handles and approach fake customer care numbers posted on that social media page. The imposters also keep a track of what’s being posted on twitter and approach the user under the guise of helping them. The fraud net is not limited to just twitter, now days the fraudster are openly advertising their number on Google search results by using Adwords ads of Google.

When the customer gets in touch with such fraud numbers the fraudster in guise of resolving an issue, extracts from users’ sensitive information, such as credit / debit card details and the OTP details received on their phone. As soon as users share their card details, OTP or accept the request, the money vanishes from the users bank or wallet account to the fraudster’s account. It is strictly advised to connect with the company only through official accounts across various social media platforms or customer care number mentioned on companies’ websites. As the company will also be not liable for your loss because of your lack of attention to details.