Your Next UPI Payment Can Be A Scam!
Learn How To safeguard Yourself

Did you know more than 95,000 fraud cases of Unified Payments Interface (UPI) transactions were recorded in India in 2022-23?

So how do you ensure your UPI transaction is not one of them? This guide will explain how.

This is part of our series of guides – Scamguard – that aims to raise awareness on online scams.

supported by

FactShala Innovation Lab is a media literacy incubation programme by FactShala

The Many Faces of UPI Scams

Fake Customer Care

Carefully read this post shared by a user on Reddit

  • The user's wife wanted to contact a hospital, and since she was in a hurry, she Googled for the hospital's contact details and called the first number that showed up.
  • The scammer shared the booking link on WhatsApp and offered to help fill out the form.
  • The user went through the link and found it suspicious. After giving all the details, when they saw that the UPI interface looked different from NPCI, they decided not to proceed with the transaction.
"This kind of scam is the most common. Users search for customer care numbers for all major services through Google. So, they [scammers] poison the search results. And as soon as you connect with that fake customer care operator, or you can say the scammer, they try to get hold of your UPI. For that, they will ask you to install third-party applications like screen-sharing ones or SMS forwarders. As soon as you install these applications, the scammers gain control of your UPI."
Rakshit Tandon, a cybersecurity expert, told The Quint
  • Contact the customer care only through the contact details provided at the official website of the organisation.
  • The customer care executives can't ask customers to install any third-party application to provide services
  • Even if you install any third-party application, do not permit them to access to your contacts, gallery, camera, microphone, UPI payment apps, finance & investment apps, etc
  • And the most basic one – do not share your PINs or OTPs with anyone (including any customer care executive)

Sent Money 'By Mistake'

This is one of the most popular UPI scams.

The scammers transfer a small amount to the victim's account. Then, they contact the victim, claiming that the money was sent mistakenly. At this point, the scammers send a link and ask the victim to use it for payment.

However, when the victim clicks on the link, the scammers take control of the device and steal money from the victim's UPI account.

Below post recounts one of the countless cases of this type of scam.

  • Do not click on any links sent by unknown numbers.
  • Be more prudent when a stranger reaches out to you virtually, asking for money or personal details.
  • Restrict your mobile browser's access to your contacts, photo gallery, UPI apps – as these may contain your banking details.

Electricity bill scam

Imagine, suddenly receiving a warning message from your electricity provider! How will you react?

Electricity is one of the most common utility service and many pay their electricity bills via the convenience of their UPI apps. So it has become another avenue for scammers to target.

The victim receives a message from an unknown number that says that their electricity bill has not been paid and the electricity department will discontinue the services. When victims contact the number given, they are either asked to download some third-party applications or asked to share personal information. This eventually leads to people losing their money.

Below post recounts one of the countless cases of this type of scam.

See how an X user named 'Vignesh K' was asked to download a third-party application to "pay transaction charges for electricity bill".

  • Do not entertain an unknown number posing on behalf of an organisation or authority. Verify the claims made by such people from official channels. (In the above example – from the electricity provider)
  • Do not install any third-party application to make any digital payments.
  • Always check the authenticity of the developer of the app on the app store before downloading any unpopular app.

Fake websites and apps of popular platforms

Did you know that most of the popular websites have a fake replica?

The unauthenticated versions of popular websites are developed by scammers to get their hands on UPI or card details of people. This is true for mobile applications, too. The fake website will have a similar-looking URL to that of the original one.

See these fake banking apps on the Google Play Store.

They steal data by asking users to fill forms that require sensitive information such as log-in credentials and credit card details.

Delhi Police had earlier warned users of a fake ICICI Bank webpage.

Did you notice the difference in their URLs?

Recently, IRCTC sent an email warning people of a malicious Android application hosted on a phishing website that was being shared on social media platforms. Scammers were impersonating government officials and were tricking people into revealing their sensitive information.

"There were so many people who were scammed with this thing called Pink WhatsApp, Blue WhatsApp, GB WhatsApp. Why? There is only one green color WhatsApp which is created by the Meta company...There is no second application on any PlayStore or any application store."
Rakshit Tandon, a cybersecurity expert, told The Quint
  • Check the URL of the website. Make sure it is the official one.
  • Identify the developer and permissions while installing any application.
  • Do not download apk files as scammers target people with these files.

Hacking Accounts

Here's a scam that will blow your mind:

Ayush (name changed) told The Quint how he was scammed through a fake investment scheme on Instagram.

After seeing a few stories of his friend's Instagram account where they earned a profit, Ayush decided to invest too and reached out to the person mentioned in the story. He was asked to invest Rs 2,000 and was promised around Rs 25,000 as profit.

Ayush received a QR code where he was asked to send money through UPI.

"When I decided to withdraw money, I could not due to some error. The scammer asked me for a security amount saying that my account was new. He said the amount along with the deposit will be returned to me. I sent the deposit amount but I was not able to withdraw again."

The scammer asked Ayush to send more money. This is where he realised that he was being duped. He later found out that his friend's account was hacked.

Hacking people's social media accounts and asking money from their contacts is growingly being used by scammers to dupe people.
  • Firstly, always be suspicious of unknown digital payments. Do not blindly pay money on any random links. Do a thorough background check.
  • Ask the person, physically or on call, about the monetary claim that their social media handle is endorsing. This will confirm if their account is hacked or not.
  • In cases related to investments, always do your research and consult a known domain expert.

Is it your relative or a scammer?

To defraud you, the scammers have even started impersonating your closed ones.

Watch the below video where Prerna Yadav, a journalist, narrated an incident where the scammer called her mother impersonating as a distant relative and cheated Yadav's brother of around Rs 80,000.

What takes this scam to another level is how smartly the scammers are using AI voice modulation to sound like family members in distress!

And the worrying fact is that India tops the list for victims of AI-powered voice scams with 83% losing money, according to a report titled ‘The Artificial Imposter’ released by McAfeee.

This video released by the Union Home ministry explains how to be vary of AI voice cloning fraud:

  • Scammers often create a sense of urgency on such calls. Use your discretion so that you don't transfer money in haste.
  • A big red flag is the way the money is requested. Scammers may ask for money to be transferred to a particular account.
  • The voice on such calls may sound different from the person you know. Sense the inconsistency in the tone.
  • Scammers may also ask for login credentials or personal information. Do not give any.
The best way to outsmart such scammers is by calling the person (on whose name the scammer is asking money) on their mobile phone and check if they had actually demanded of money.

Now that you have learnt how to identify scams, do you think you are ready to beat the scams? Test your Scamguard abilities through this

Scam or Not Quiz

Now that you have learnt how to identify scams, do you think you are ready to beat the scams? Test your Scamguard abilities through this

Scam or Not Quiz

Were you able to identify the scams in the quiz?

hOW Scammers ARE MISUsing
UPI'S POPULARITY

Why UPI scams are more prevalent than other frauds, including credit or debit cards frauds?

According to cybersecurity expert Rakshit Tandon, it is much easier for a scammer to dupe people of money through UPI because in these kinds of scams, the scammers only need access to the victim's PIN. However, if one tries to hack a debit or credit card, they need a lot of credentials like a 16-digit card number, OTP, CVV, and expiry. So, now scammers are targeting only UPI.

This raises a concern considering UPI's popularity over the years.

According to the information available on Press Information Bureau (PIB), more than eight billion transactions were carried out in UPI in January this year. A recent report said that UPI transactions are likely to reach 1 billion transactions per day by 2026-27.

More than 95,000 fraud cases of UPI transactions were recorded in India in 2022-23, the Union Finance Ministry told the Parliament.

The scams increased from 84,000 cases in 2021-22 and 77,000 cases in 2020-21. While the government has constantly pushed for digital payments, the country has also seen a significant increase in scammers duping people of their hard-earned money due to a lack of media literacy.

Escaping the Trap

Escaping the Trap

Tandon listed some steps people can take to safeguard themselves.

  • Enable double-factor authentication on all your accounts, including social media handles and email accounts.
  • Do not keep any personal credentials in your photo galleries. Most applications ask permission to access your gallery when you install them.
  • Set transaction limit on your accounts to prevent scammers from draining the entire amount kept in the bank accounts.
  • Keep the official contact details of your respective banks handy. So, whenever you are caught in an online scam, you can immediately ask the bank to 'debit freeze' your account.

How people's cognitive biases play a role in responding to such scammers?

Dr Sanjay Kumavat, Consultant Psychiatrist at Fortis Hospital in Mulund, told that scamsters usually lure people with their authoritative or assuring voice, and people get carried away impulsively.

"It is our weakness of mentality, it is our non assertive behaviour, and most important is the greed and inability to say assertively 'NO'. That is what is lacking and that particular thing, that weakness, is exactly used by the scamsters."

Dr Kumavat said that when money is shown to people, they tend to melt emotionally and try to engage in conversations and these kinds of activities. When a person is involved and gives a small amount of money, the demand from scammers keeps increasing, and the person eventually realises that there is no end to it. Then, the threat starts. To avoid that, we continue to fall in the trap.

He advised people to listen carefully and think before taking any action. Dr Kumavat said that if a person still wants to take time, then they can drop the call as there should be no urgency to reply to any financial deals.

A study published in International Research Journal of Engineering and Technology said that "UPI-based social engineering cases of fraud are likely to remain a severe risk as the digital economy continues to grow. Individuals and organizations, on the other hand, can minimize the likelihood of falling victim to these types of scams by remaining vigilant and taking proactive measures."

Social engineering cyberattacks usually happen when the scammer uses psychological techniques to trick people into revealing their sensitive information.

We came across a survey conducted in 2022 found that "almost one-third of Indian consumers have been victims of online fraud." It further said that "Indian consumers are most vulnerable to fraud on social media sites and apps (38%) followed by payment system providers (30%) and online gaming platforms (30%)."

Sure, you may not have faced the misfortune of being scammed yet, but online scams are becoming more sophisticated. It's just a matter of a new scamming tactic that you become one of the victims.

Save this guide and share it around to aware your closed ones about the growing menace of these scams.

CREDITS

REPORTER
Abhishek Anand

GRAPHIC DESIGNERS & ILLUSTRATORS
Midjourney, directed by Kamran Akhter, Naman Shah

CREATIVE DIRECTOR
Naman Shah

SENIOR EDITOR
Abhilash Mallick

Other Guides from scamguard to Tackle Online Scams

Scamguard

All the guides on online scams

Online Job Scams

How to Identify and Beat Online Job Scams

E-commerce Scams

Beware of These Online Shopping Scams Before Placing Your Next Order

TopBuilt with Shorthand