Uncovering a complex UPI scam that uses social media to target victims


If you have ever come across a person seeking resolution on social media for a faulty purchase they recently made, chances are you’ve witnessed a UPI scam in the making.

This is not to say that social media is an unsafe place to seek redressal for your grievances. It is fast becoming one of the quickest and most reliable ways to resolve issues if done right. But all it takes is one tiny crack for the fraudsters to enter and trick you into falling prey.

One such crack that is being exploited en masse is providing your phone number publicly as a part of your grievance.

Many small finance banks in the industry receive between 100 and 200 police complaints per day with respect to this UPI scam, which involves layering and multi-level laundering.

Our findings show that the fraud is carried out in multiple stages. These stages, when viewed in isolation, don’t tell a story. It is only when we connect the dots that we really understand the true breadth of the elaborate scheme at play here.

As it involves multiple victims across the stages, let us try to look at it from the perspective of how victims are targeted at each stage.

Stage 1

  • Victim 1 posts their grievance on social media. They tag the service provider (Amazon, Flipkart, Swiggy, etc.) and provide their phone number hoping for a speedy resolution.
  • Victim 1 then gets a phone call from the fraudster gang, who tells them that they are sending a confirmatory link on the provided phone number.
  • Clicking on the link installs some sort of spyware on victim 1’s phone. Now the fraudsters download a Payment Service Provider (PSP) app such as Google Pay (on the victim’s phone). They have access to the OTP that comes on the victim’s phone.
  • This way, the fraudsters don’t need to access victim 1’s bank account (which saves them time as they don’t have to reset the password). Neither does a beneficiary need to be registered (which takes a bit of time).
  • The fraudsters link all the bank accounts which are linked to victim 1’s mobile number. The victim now has a PSP account in their name for which they don’t have login credentials or the UPI PIN.

Stage 2

  • The fraudster gang has access to victim 2’s PAN and Aadhaar details.
  • They use a SIM card procured for these frauds and provide it as part of the application for a limited KYC account at any of the small finance banks (there’s a gestation period of 11 months to furnish full KYC documents at a branch or to regularise the account via video KYC).
  • Victim 2 then receives a call from the fraudsters. They are told that their existing bank account might get blocked as their Aadhaar is not linked to their number and are coaxed into sharing the OTP.
  • Although customers are slightly more aware of these OTP frauds today, a hit rate of even 2 out of 10 such calls made serves their purpose.
  • There is no In-Person Verification (IPV) at the branch or video KYC leg involved in opening such limited KYC accounts. Hence there is no extra verification.
  • A limited KYC savings account is opened in victim 2’s name without their knowledge. All details related to the account opening (account no., customer ID/ CIF no., etc.) are sent to the number which the fraudsters are using.
  • Banks take around 7 days to dispatch the welcome kit (debit card, cheque book, etc.) to victim 2’s communication address as maintained in their Aadhaar. This gives the fraudster ample time to create net banking login credentials and carry out the fraud.

Stage 3

  • Money is transferred from victim 1’s PSP account to victim 2’s limited savings account, from where it is transferred to another such account created by the fraudsters’ network. The longer the chain, the more difficult it becomes for the police, banks, and law enforcement agencies to track.
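
From the bank's side, the Stage 2 and Stage 3 pattern can be screened for: a limited KYC account that receives a credit within days of opening and forwards almost all of it onward. The sketch below is an added example, not code from the original article or from IDfy; the account IDs, transfers, field layout and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed thresholds for illustration: the 7-day window mirrors the welcome-kit
# dispatch time described in Stage 2; the other two are hypothetical tuning values.
NEW_ACCOUNT_WINDOW = timedelta(days=7)
PASS_THROUGH_WINDOW = timedelta(hours=2)
PASS_THROUGH_RATIO = 0.9

# Constructed sample data: account id -> (KYC tier, opening time)
ACCOUNTS = {
    "SFB-001": ("limited", datetime(2024, 3, 1, 9, 0)),
    "SFB-002": ("limited", datetime(2024, 3, 2, 10, 0)),
    "SFB-900": ("full", datetime(2019, 6, 1, 9, 0)),
}
# Constructed sample transfers: (time, source, destination, amount in INR)
TRANSFERS = [
    (datetime(2024, 3, 3, 11, 0), "PSP-VICTIM1", "SFB-001", 50000),
    (datetime(2024, 3, 3, 11, 20), "SFB-001", "SFB-002", 49000),
    (datetime(2024, 3, 3, 11, 45), "SFB-002", "EXT-777", 48500),
    (datetime(2024, 3, 3, 12, 0), "EMPLOYER", "SFB-900", 60000),
    (datetime(2024, 3, 3, 12, 30), "SFB-900", "LANDLORD", 20000),
]

def is_pass_through(account, accounts, transfers):
    """True if a new limited KYC account quickly forwards most of an inbound credit."""
    tier, opened = accounts.get(account, (None, None))
    if tier != "limited":
        return False
    for t_in, _, dst, amt_in in transfers:
        if dst != account or t_in - opened > NEW_ACCOUNT_WINDOW:
            continue
        forwarded = sum(amt for t_out, src, _, amt in transfers
                        if src == account and t_in <= t_out <= t_in + PASS_THROUGH_WINDOW)
        if forwarded >= PASS_THROUGH_RATIO * amt_in:
            return True
    return False

def trace_chain(start, accounts, transfers):
    """Follow outgoing transfers hop by hop while each account looks like a pass-through."""
    chain, current, seen = [start], start, {start}
    while is_pass_through(current, accounts, transfers):
        outgoing = [t for t in transfers if t[1] == current and t[2] not in seen]
        if not outgoing:
            break
        current = max(outgoing, key=lambda t: t[3])[2]  # follow the largest onward transfer
        chain.append(current)
        seen.add(current)
    return chain
```

Calling `trace_chain("SFB-001", ACCOUNTS, TRANSFERS)` on the constructed data walks the layering chain to the point where the money leaves the monitored accounts, while the long-standing full KYC account is not flagged.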

While banks and cyber security agencies are doing their part to clamp down on these fraudsters and further tighten their security, we can do our bit by being informed and raising awareness about the different ways of getting defrauded.

Share this with your peers and circles and let them know about the potential implications of being careless with their personal information. Don’t give in to rogue calls manipulating you into sharing OTPs and other credentials. Be vigilant, and when you come across people sharing more details than are needed on social media, educate them so that they can avoid UPI scams.


IDfy provides solutions for fraud detection and fraud-free onboarding to Banks, Fintechs, E-Commerce, and Gaming companies.
