Unified Payment Interface (UPI) is a fasted method to make payments digitally and is rapidly gaining popularity among people. Digital transactions have made life easier and save time of going all the way to the vendor, pay the cash/cheque or even logging on to internet to do IMPS, NEFT or an RTGS Transaction. In the recent trends the whole country is rushing towards a cashless economy.
UPI is one of the most chosen methods of payment in the recent times. All you need is just a 4-digit PIN to authorise your financial transaction and the whole transfer process is done in seconds. Of course, convenience definitely comes with its share of liabilities– and that is what we are going to see in this article.
Please note almost all the UPI apps i.e. Google Pay, PhonePe, Paytm are robust and highly secured, but one has to be cautious that scammers are well versed on social engineering tactics to steal the money using phishing, vishing, smishing, malware, SIM clone and other means.
Scammers follow a pattern while doing the social engineering frauds, and we have collated the sequence of steps that they do based on our interactions with the victims.
1. To grab the victim’s attention, fraudsters usually call them disguised as a bank representative calling for a regular issue like KYC updates, redeeming bonus points or cash backs.
2) To make the call sound legitimate, they mimic the actual bank process and proceed to ask verification questions like date of birth, name, mobile number etc.
3) Scammers usually come up with a false story that the victim may have to give their personal data to resolve the issue.
4) Once the scammer convinces the victim, they proceed to ask the latter to download an application on their phone. Most common app is AnyDesk and other screen sharing devices, which are available on the Play Store or App Store.
5) After downloading AnyDesk or any other screen sharing application, it asks for the user’s privacy permissions like any regular app. Please note that these apps can access everything on your phone.
6) The scammers will then ask the victim for an OTP generated on their phone. After the victim reveals the code, the hacker will also ask to grant permission from the phone.
7) When the app acquires all permissions required, the caller assumes full control of the victim’s phone without their knowledge. The scammer steals passwords of the victim’s phone and begins transactions with the UPI account.
a. Fraudsters send an SMS and ask the victim to forward it to another number that they provide. After the message is successfully sent, it allows the fraudster to link the victim’s mobile number or account through UPI to their smart phone.
b. Fraudsters send an SMS with short links and Google forms asking them to fill the username/password and OTP/UPI details
c. Alternatively, the scammer impersonating as buyers sends a regular payment request to your virtual payment address on apps like Google Pay, PhonePe, Paytm etc.
d. Scammer sends a payment request (QR code) to your virtual payment address on apps like Google Pay, PhonePe, Paytm etc.
How to safeguard yourself
a. Look for a secure payment (https://- URL with a pad lock symbol) environment
b. Never share OTP/ UPIN/MPIN numbers in any form to the buyer or seller.
c. Never do the payment transaction while you are making a call.
d. Do not click and fill up any short links provided by the buyer or seller.
e. Do not fill Google forms links provided by the buyer or seller.
f. Do not scan suspicious QR code. If you are scanning, it means money is getting debited from your account.
g. Avoid using screen sharing softwares i.e. ScreenShare, AnyDesk, TeamViewer etc. on smartphones for resolving any banking-related issues.
h. Do not search for your app’s customer support numbers on Google, or any social media platforms. Visit the official website of your app or bank and find out the customer care number from there.
Stay Tuned to Cyber Talk Column on 03rd March 2020 for more news on Cyber Crime and Cyber Safety Issues, brought to you by Anil Rachamalla, End Now Foundation, www.endnowfoundation.org