
Five ways to protect yourself from fraud on UPI apps such as Google Pay, PhonePe

A PIN is needed only for transferring amounts, not while receiving. Restrict access to screen-sharing apps and never share your PIN, card and OTP details.

June 04, 2019 / 02:37 PM IST

Maya Venkat, a 28-year-old Bengaluru-based yoga trainer, saved herself from a fraudulent transaction of Rs 14,000 while using the Unified Payments Interface (UPI) application. She was trying to sell her bed on OLX, a platform for buying and selling goods.

The UPI enables bank account holders (of banks participating in the UPI) to send and receive money using a Virtual Payment Address (VPA), a unique ID, without requiring additional bank information. Fraudsters tend to ask for the Virtual Payment Address (VPA) on a phone call or while engaging you in a chat.

Beware of engaging with fraudsters

On 21 May 2019, a person (the fraudster) messaged Maya on OLX, inquired about the product and negotiated the price. After nominal bargaining, she decided to sell the bed to this person for Rs 28,000. Later, the person asked whether half the amount would be acceptable as a deposit to freeze the deal and whether he could transfer this amount using any of the UPI apps.

She immediately agreed to close the deal and asked for a deposit of Rs 14,000 using PhonePe (a UPI app). After a few minutes, he called Ms Venkat and engaged her in conversation about how the furniture could be transported, the location, etc.

Herein lay the trick. Recalls Maya, “In the middle of this discussion, the person said that he had sent a request on the UPI app for the advance amount of Rs 14,000 as discussed and calmly asked me to accept it.”

Maya kept the call on hold and checked the message on the UPI app, expecting a request to receive the amount. She was shocked to see a pop-up message on the UPI app from the person and understood that the request was to transfer the amount from her account to his account.

Had she accepted the request and entered the PIN to complete the transaction by staying on the call with the person, she would have lost Rs 14,000.

She called the buyer once more and asked for an explanation. The person feigned ignorance and said that he would look for an alternative way to transfer the amount to her. However, the person didn’t approach her again.

According to National Payments Corporation of India (NPCI) data, the total number of UPI transactions reached 79.95 crore in March 2019, up from 17.80 crore in March 2018 and 62.01 crore in December 2018. The total value of UPI transactions has grown as well: Rs 1.33 lakh crore in March 2019 versus Rs 24,172 crore in March 2018. Therefore, it is important for consumers to be aware of fraudulent transactions.

Be alert to transfer requests on UPI

Fraudsters take advantage of the ‘request money’ option on UPI apps such as Bharat Interface for Money (BHIM), Google Pay, PhonePe, etc. Imposters show interest in buying a product advertised on various online platforms and engage with the seller on a phone call. They then get the seller to transfer money to them by sending a request through the UPI app’s ‘request money’ option. There have been numerous instances of such frauds in the last couple of months.

Maya makes suggestions to overcome this menace. “Companies should change the user interface of the app in a way that user will be more alert when request money window pops up on the screen. Also, clearly mention that after accepting this transaction (request), your account will be debited with Rs XYZ amount.” At present, to make it user friendly, Google Pay explicitly points out the direction of the money flow in the user interface to make it easy for the user to distinguish between send and receive requests.

Different arrow directions for paying, receiving


Ambarish Kenghe, Director - Product Management at Google Pay, says, “Users need to be mindful that a transaction which requires them to enter their PIN, is for sending money. Remember, receiving money requires no PIN. If you receive a payment request from someone whom you don’t know or cannot immediately identify, then you should immediately decline the request.” NPCI has also urged users to decline all such requests coming from unknown payment addresses.

Google Pay’s security infrastructure detects risk and fraud on the product and alerts users before they make any transaction. For instance, if you receive a request from someone who is not in your contacts list, it displays a ‘stranger warning’ (refer image given below). You can block the user, report the request as spam or continue if you are convinced of the identity of the person. The other UPI apps too have similar pay, decline and block options.

Security features of the app also help to identify requests from high-risk users and a ‘spam warning’ is shown to the recipient (see image below).

Spam warning on Google Pay app


Limit third-party access to your mobile screen

There are other invasive technologies that can cause losses to users if not carefully handled. Anuj Mehta, a 37-year-old Pune-based professor of management, complained on social media about an unsuccessful UPI transaction of Rs 9,000 for which his account had been debited. A fraudster somehow accessed the details and approached him, posing as the company’s technician and offering to solve the problem. He asked him to download ‘Teamviewer,’ a screen-sharing app, to resolve his issue immediately. The imposter then got access to Anuj’s device. The fraudster asked him to hold the debit / credit card in front of the phone’s camera so he could record the card number, CVV code, etc. Mehta became alert. He says, “Being attentive, I declined to share these details in front of the mobile camera and immediately disconnected the permission granted to control my mobile device.”

There are several free screen-sharing apps such as Anydesk, Teamviewer and Screenshare. These apps are generally used by engineers to fix issues on a phone from a remote location. They allow full access to and control of your phone. According to a February 2019 press release from NPCI, five cases were reported to the Reserve Bank of India (RBI) of fraudsters using these third-party screen-sharing apps to control mobile phones for malicious purposes.

Anuj Bhansali, Head of Fraud and Risk at PhonePe, cautions, “On third-party screen sharing apps, consumers think they are being helped for complaints, but fraudsters use the opportunity to record the user’s card number, CVV code and initiate financial transactions. Fraudsters view the OTP received on the user’s phone and use it for transferring funds to their own accounts.”

Bharat Panchal, Head of Risk Management, National Payments Corporation of India adds, “Once access is granted on screen sharing app, fraudster can not only initiate financial transactions but can also place online shopping orders or book rail/air tickets, etc. using the apps available on users’ phones or even steal any information stored in the mobile phone.” So, you must be mindful of giving access to your mobile device to anyone, under all circumstances.

Counterfeit UPI apps galore

There are counterfeits of some of the UPI apps on the Google Play and Apple app stores. For instance, after BHIM’s launch in December 2016, there were complaints to NPCI of numerous duplicate BHIM apps available on the Google Play Store. Some of the names under which the fake apps were listed on the Google Play Store were Modi Bhim, Bhim Modi App, BHIM Payment-UPI Guide, BHIM Banking guide, Modi ka Bhim, etc. However, after receiving complaints in January 2017 from consumers, these fake apps were pulled down from the Google Play Store.

Dewang Neralla, CEO of payments solution company Atom Technologies, says, “Users need to know the company that created the application’s name, registered website and email address. Also, check the app’s developer’s background and verify whether it’s genuine before installing on your mobile.” For instance, Google Pay is owned by Google and BHIM is owned by NPCI, so check the details of the company that created the application.

Download the app from the Google Play store or Apple apps store. Bhansali says, “Before installing, look at the number of downloads and installs, check the reviews and ratings of the app. On fraud apps, downloads would be in thousands compared to downloads in millions in the case of genuine apps.”

Avoid fake helpline numbers on social media

These days, UPI customers tweet about issues related to redeeming offers, availing cashback, money transfers, initiating refunds, and more. Unfortunately, some users post their issues to counterfeit Twitter handles and call fake customer care numbers posted on those social media pages. The fraudsters also keep track of what’s being posted on Twitter and approach the user under the guise of helping them.

Bhansali says, “While resolving an issue, fraudsters ask users to share sensitive information such as credit / debit card details and the OTP details received on their phone. As soon as users share their card details, OTP or accept the request, the money gets transferred from the user’s account to the fraudster’s account.” It is advisable to connect with the company only through its official accounts on social media platforms or the customer care number mentioned on the company’s website.

Moneycontrol's Take

UPI eases payment transactions for consumers in a cashless manner. It works instantly by transferring funds between two bank accounts on mobile platforms such as BHIM, Google Pay and PhonePe. It made banking transactions accessible 24*7 for urban and rural consumers alike.

However, as a general guideline for all kinds of digital payments, you must be cautious with your financial information and not share PIN, credit or debit card details with anyone. Additionally, you should also be cautious and never forward your OTP messages to anyone, as that is another way for fraudsters to authenticate fraudulent transactions. You need to be alert and attentive while using UPI apps to stay safe from fraudsters.

Hiral Thanawala