Beware! Hackers might be fraudulently accessing your e-wallets, mobile banking app and UPI Wallet. A complete guide to secure your wallet.

India is thriving towards digitalisation. Since last year due to imposition of lockdown and the social distancing norms followed, digital transactions are preferred over cash, for being a contactless mode of payments. Significant percentage of consumers have increased their usage of digital payments via credit and debit card, mobile wallet and other UPI-based payment methods. However, with the surge in the digital transaction, the number of online fraud transaction such as phishing, cyberattacks etc., where fraudsters manage to target your bank account or extract money from your Debit Cards/Credit Cards, payment wallets such as Google pay, Paytm, Phonepay etc., have also shot up.

The Schemers keep looking for information about you. Data is the new gold. Most of the data are provided by you. The Question is How?

Let me give you instances: 1^st scenario…. When you visit a Mall/ Restaurant, you will find some youngster approaching you with a form to fill the details saying that you are eligible to participate in the Luck Draw!!. You will fill the details. Bhoom….you have given your vital information: Your Name, Your date of birth, your anniversary date, your email ID, address etc…

2^nd Scenario… Most of you like posting details of your life events on the social media handler’s page. Your Birthday celebrations, The Pictures of your family/ friends, the places you visit, the restaurant you eat etc, etc.. Your information is scattered all over the digital media, which if pooled in together gives the whole picture about you.

This information is gold for these schemers. The Schemers deploy new tactics for looting money digitally. Fraudster by collecting the information may call you and say they are the representative of some Bank/ Telecom Company and say you are eligible for some loan, or some gift and ask you to confirm your DOB and other details to empty your bank account over a call. And unsuspecting you will give away the information.

To create awareness the telecom service provider such as Airtel, have during the outward calls are playing the pre-recorded warning against sharing the OTP Pin, ATM Pin, CVV Number etc over the phone. National Payments Corporation of India (NPCI), Banks and the Reserve Bank of India (RBI), are also issuing advisories on these fraud transactions. Despite this, people are falling prey to such frauds.

This reminds me a plot of the web television series Jamtara – Sabka Number Ayega that was released on the Netfilx OTT Platform on 10^th January 2020. The storyline of the series is based on phishing operations being conducted from a village, Jamatra remotely located in Jharkand State, by a bunch of young illiterate boys and girls using minimal infrastructure like mobile phones and a laptop and looting lakhs of rupees from the urban literate unsuspecting people like us. Worth watching it!!!

Every Schemers have his/her own special modus operandi.

Remote Screen mirroring tool:

Since the Lock down was imposed in March 2020, Work from Home is the new norm in the business. Many Companies are insisting on downloading remote screen mirroring applications to keep track on their employees. These applications work to connect one device to another. So, any person gaining access to your device through this application will be able to view and control your device.

However, fraudster are using these applications to commit fraud. Many times, hacker pose as bank official or the customer service provider of the online payment wallets and say that your wallet or bank KYC is invalid or debit card is blocked and you will need to download an app to claim the money or validate the KYC to continue to use the payment wallets. This Application could be Remote Screen Mirroring tool. Sometimes while transacting through the online wallet, you may get a message that the transaction has failed or declined or some error, but the amount would have been debited from your bank account. At such instance a victim will search for the helpline numbers listed in the search engine, but it may out to be fake number. This has happened to many. Apparently, the fraudster had created a fake website page, that was an exact copy of official page of the actual service provider, the Bank, where he put fake helpline number. The victim ended up complaining on this fake helpline number or calling them for all complaints. The schemer convinced him to download the remote mirror application for resolving the payment issue. The victim fell prey to the scam. Once the application was downloaded in the victims Phone, the Fraudster could access the victims phones, read his messages and OTPs, the clicks on the phone etc.. The Victim lost all his hard-earned money from his bank account. One should always look at the authenticity of the website of the Banks. Do not search for the helpline numbers in the search engine. Always contact the number listed in the Official Website of the bank and not on any other social media pages.

Now a days as a trend, most of the people choose to contact the officials through the twitter account to seek the attention of the service provider for quick redressal. They post the details of the failed transaction online, thinking that it will be resolved soon. However, the schemer will also be reading such posts. The fraudsters may contact you as the representative of the redressal agency and will make you reveal further details and will convince you to download an application to solve your problem or for verification purposes.

Just because a UPI social media page, has the words BHIM, NPCI, or names similar to any banks or government agencies, it does not make it authentic.

What happens once you download the remote screen application?

After downloading this remote screen mirroring application, a 9-digit code is generated on your device, which allows the hacker to remotely access your device. After inserting this 9-digit code on your device, the hacker asks you to grant certain permissions, which are like what is required while using other apps. Once they gain the access to your device, the hackers can view the screen and control your device via this application and carry out the transactions fraudulently through mobile banking application or payment related applications including UPI wallets. You will get an OTPs for all these transactions which Fraudsters also can view. They use your credentials to transfer huge amounts from your account and delete the SMS, which you may never know. And Boom… your bank account is empty.

Most interesting thing is that these hacking applications are freely available on the search engine and play store of Android, that allows you to use their tools to hack into anybody’s phone. Hackers can read through your chats, SMS, and other applications and gather all personal information about you, without you even noticing it. You always need to be alert. Read the permission sought by this app at the time of downloading a new app. Do not download the application from unknown source. Be cautious.

Scams using UPI Pin or OTP.

Recent ways adopted by the schemers are sending the “request money” link via SMS/Website. Once you click the link and authorise the transaction thinking that you will receive the money, on the contrary your savings will be deducted from your bank account.

There was this instance where PhonePe customers received SMS from fake header ‘AX-PHONEPE’ instead of legitimate ‘AX-PHONPE’, claiming that their account has expired or blocked, or KYC verification is due etc to transfer user’s money. Customers of other payment wallet including Eko India, Paypoint, Pay1, and Infibeam Avenues have also encountered phishing calls via illegitimate SIM cards.

One of the classic ways in which the fraudster tries to scam you is to convince you to share the OTP or UPI Pin over the phone. Once they have the details, they will authenticate the UPI transaction and steal your money.

Generally, during the process of on-boarding in any UPI application, the app and banks send text messages (SMS) at various stages—registration, adding a bank account and while setting the UPI PIN. If you are not registered for UPI services on any app but happens to receive an SMS regarding the on-boarding process having been initiated, then reach out to your bank immediately and lodge a complaint.

Phishing Scam

This is the most common way scammer use to scam you. The Schemer will call you informing that you have won crores of Rupees through Lottery or that your bank account is blocked and to unblock it you will need to click on the link (unauthorised URLs) provided by them via SMS. These fake bank URLs will look almost identical to the original URL. If you are in hurry you click on that link, it will direct you to the UPI payment app installed on your phone and will ask you to select any of the apps for auto-debit. Once, you give permission, the amount will get debited from the UPI app instantly.

Often, after such financial accidents you may be uncertain about how to seek redressal through formal channels. Here are the steps to be taken.

As soon as you realise that a suspicious bank activity is taking place or that you have been a victim of a UPI scam- collect evidence.

Preserve the transaction details:
- Take screenshots of the transaction, of SMS, email, fraudulent website, UPI handle;
- Note the transaction ID, beneficiary’s bank account details, phone number of the fraudster, etc.
- If you are defrauded through e-commerce platforms, you should save a screenshot of the merchant’s web page.
- If you fall victim to ATM skimming, which means stealing your details through a device placed illegally at an ATM terminal, you should document the ATM location, address and number which is listed on top of the machine.
- Similarly, you should note the merchant’s address if a point-of-sale device has skimmed your card details.

This is vital information and will be useful while lodging a complaint with the Police or the Bank or payment wallet companies or Application developer Company. Always remember to change all your passwords & PINs related to your bank account or mobile wallet immediately. Never search for the service providers helpline number in the search engine. Always get the number from the service providers official website. Look out for the genuine websites.

How to file Complaint with your Bank:
- Immediately inform your bank of the unauthorised transaction on the bank’s toll-free helpline (always mentioned in the banks’s official website) or send an email to your bank or visit your bank’s home branch to alert them of the fraud. Sooner you inform, the safer your money will be.
- In case of a payment fraud on an e-commerce website, a PoS device or an ATM, customers should file the complaint with the card issuing bank.
- In case any fraudulent transaction has been committed with your bank account linked to the UPI app, immediately register a complaint by giving a call or sending an email to your bank. Also, request your bank to block future UPI transactions associated with the account.
- Submit a request to block your bank account. The banks will verify your identity by asking some personal details before finally blocking your account. It will stop future UPI transactions. You’ll be able to access your bank account after you change the passwords or issuance of new details.
Complain to the payment platforms:
If you are using a TPAP (third-party app providers) platform like PhonePe, Google Pay, PayTM, etc- call on the toll-free number to submit your complaint. Each of these platforms will have a grievance redressal mechanism, which you will need to follow to lodge the complaint.
You also need to lodge a complaint of fraudulent transaction with the UPI app developing company to investigate the issue. There are mechanisms in place to raise the issues in case of disputes with most of the UPI app developing companies. For instance, on Google Pay, there is a dispute option on each paid transaction to raise the complaint if you feel it is suspicious / fraudulent
The platform will be able to share some details related to the fraudster which may help you identify them.
Some platforms also offer an in-built complaint feature where you can easily raise a dispute against a transaction.
The bank and the UPI company should be able to resolve your complaint within 10 days.

Complain to the Cyber Crime Police:
- After you have notified your bank and the Payment platform and App developing company, you should file the first information report (FIR) with the local police station and request them to forward it to the cyber-crime cell in case the police station in your area does not have this division. This is because cyber-crime cells have the expertise to investigate digital fraud cases.
- While filing the cyber-crime complaint, you need to provide following:
  - your identity proof, contact details and address proof
  - your last six months’ bank statement,
  - details of the fraudulent transactions
  - and a copy/screenshots of the messages received while making those transactions.

Complain to PSP and NPCI:
In case the complaint / grievance remains unresolved, the next level for escalation will be the PSP (Payment Service Provider) Bank, followed by the bank (where you maintain your account) and NPCI, in the same order.
The complaint can be raised for both the types of transactions i.e. fund transfer and merchant transactions
You will be kept communicated by the PSP / TPAP (third-party app providers) by means of updating the status of such end-user customer’s complaint on the relevant app itself

List of 3rd party UPI based payment apps, which along with a partner bank offers payment app : https://www.npci.org.in/upi-PSP%263rdpartyApps

Complain to the Digital Payments Ombudsman:
- After exercising these options, you can approach the Banking Ombudsman and / or the Ombudsman for Digital Complaints, as the case may be. The Reserve Bank of India (RBI) in January 2019 has launched an Ombudsman scheme which specifically deals with digital transaction issues. The idea was to have the mechanism of ombudsman for redressal of complaints against deficiency in services related to digital transactions. The deficiencies identified and included are delays in payment/credit/refunds, unauthorized transfers, and failure to act on instructions given by the customer.
- Should you not get a response from you bank or payment service provider within a month, or if you are not satisfied with the response, you can approach the RBI’s Banking Ombudsman.
- You can send your complaint in writing with the ombudsman for Digital Payments. A form is also available on RBI’s website here: https://cms.rbi.org.in/cms/IndexPage.aspx?aspxerrorpath=/cms/cms/indexpage.aspx#, which you may use to file a UPI fraud complaint. You will be required to give following details to ombudsman for reviewing a case:
  - name and address proofs,
  - facts giving rise to the complaint supported by documents/screenshots/messages, the nature and extent of the loss and the name / contact number / address (any information that is available) against whom the complaint is made.

Note that frauds such as the ‘request money’ ones typically don’t fall under the ombudsman scheme as they are incurred by fooling the user into doing a spurious transaction. RBI’s ombudsman scheme does not accept complaints in cases where, legitimately, the consumer has entered the PIN and transferred the amount using UPI apps.

Be extremely cautious while transacting on app-based money wallets. You must always verify the identity of the other party before initiating a payment or sharing your details. Also, never delay in reporting such an occurrence- quick action can help your case by leaps and bounds

So, prevention is always better than cure. Here are the ways you should keep in mind while transacting online.:

If you are banking electronically, you must register yourself for SMS/email alerts and immediately inform your bank in case of a fraud;
According to RBI, you must only use sites with https while banking online. “https” tag is more secure compared to “HTTP”. Look at the name of the domain. Does it contain any unusual symbols, too many dashes, or suspicious attempts at mimicking big brands’ or other businesses’ names and products, spelling errors etc. Check the contact information. Legitimate websites, businesses, and organizations have no reason to hide. Other fake website red flags include poor grammar, spelling mistakes, gibberish in website copy or blog content, as well as a multitude of intrusive ads.
Avoid undertaking banking or other financial transactions through public, open or free wifi-networks.
Regularly change your password/PIN/ OTP;
Never share important details like debit card number, CVV, expiry date, registration, OTP with anyone. Many a time, the caller asks you these details in the name of bank executive stating that your card will be blocked. Do NOT fall for these types of calls. The Bank Officials will have all the details pertaining to your bank account. Apart from banks, SMS can also come in the name of IRDAI and EPFO. However, they also do not send any such message.
Do not share UPI MPIN with anyone. MPIN is the one which you enter in the UPI app to check your balance.
Do not click on any unofficial link from the SMS. Also, do not forward any such SMS.
Do not download any app or confirm payment from unknown accounts via UPI.
Do not store important banking data on the mobile, e-mail, electronic wallet or purse.
Do not share personal details on any social media platform and do not lodge complaint about the digital transactions on social media handle.
RBI also warned citizens to be wary and not fall prey to fraudulent tactics used by seamsters. RBI Helpline Number to report fraudulent activity in your bank account: 14440

So Be alert and Safe transacting!!!

This article contains general information only. It does not constitute legal advice. You should consult a suitably qualified lawyer on any specific legal matter or issue.

Articles published, Publications

Copycat OR Inspiration?

Where does one distinguish between “inspiration” and straight-up plagiarism?

The recent copyright infringement case filed with District & Sessions Court, Kozhikode by Kerala’s leading music band Thaikkudam Bridge is a classical instance of the ‘Idea/Expression’ dichotomy as enunciated by the Berne Convention and national copyright legislations globally.

The Thaikkudam Bridge has alleged that the ‘Varaha Roopam’ song from the hit Kannada movie ‘Kantara’ is a copy of their original song ‘Navarasam’, released in 2015.

The District & Sessions Court, Kozhikode has ordered an interim injunction on playing the song ‘Varaha Roopam’ in the movie as well as on any music online streaming platform without the band’s permission until the case is finally decided.

This case has again brought forth a question: Where does one distinguish between “inspiration” and straight-up plagiarism? As covers and remix versions of various popular songs using bits, loops and instrumental portions from original songs is a widespread practice and is uncommon these days. Many times, the original creators do not get their due credit and/or royalty.

The Copyright law does not protect an idea, it only protects the expression of that idea. Therefore, many movies have been made based on similar ideas. The law encourages the creativity of artists, musicians, and writers through their works like songs, books, paintings, dance, drama, etc. For seeking copyright protection you have to prove that your work is an original and creative expression of an idea. And if someone wants to remake a song or use a portion of the song or work there is a license fee they need to pay the right holder and give due credits.

In this case, Thaikkudam vs. Kantara, the makers of the movie, says that the two songs are similar because of the use of similar ragas in ‘Navarasam’ and ‘Varaha Roopam.’ They claim that there were no copyright violations since only ragas are the same, but the expressions (the music compositions) are different. However, Thaikkudam argues by pointing out similarities in song format, chord, the degree of similarities in the use of musical instruments, etc.

Perhaps the Court also agrees and that’s why the injunction order has been issued by the district and session judge until the case is finally decided.

The divergence in expressions is even more obscure when it comes to distinguishing novelty in musical compositions for one must draw comparisons on musical notes, lyrics, and overall sounds separately to conclude copyright infringement in each of these components. This is precisely where this case gets even more intriguing.

Let’s wait and watch the next move as there are reports of negotiations between the parties for settling the issue. However, if the parties decide to proceed with the litigation then this will be an interesting case to watch as this will set a precedent…

November 3, 2022/by cheltonlegal

Articles published, Corporate Law, Intellectual Property Law, Latest Updates, Publications

7 tips of IP Strategy for Startups.

Startups and innovative ideas usually go in pairs. Protecting Intellectual property is critical to foster innovation. Without protecting ideas, businesses and individuals would not reap full benefits of their inventions and would focus less on research and development. But for a Startup at an early stage protecting IP takes a back seat as there are numerous other issues involving product development, hiring qualified employees, raising capital etc that are important at that moment. So many of you can feel distracted and may find it expensive and difficult to see a return on investment or contrary to your goals of racing to get your product to the market before someone else does. However, irrespective of the nature of your business, you should have a strategy in place to protect any unique products or services that you own as competitors can essentially steal or piggy back on your success to take away market share. Also not considering your IP will adversely impact on your company’s ability to grow and consolidate its revenue stream. Losing market share early on in a business’s development can be devastating and time consuming if you have never thought about protecting your IP or what you should do if faced with an infringement.

So here we are sharing a few tips for formulating your IP strategy, irrespective of the size of your business.

Identify your IPs.

Make a list of intangible assets you have. Determine if the IP rights need to be formally registered¹ or can arise automatically². (For example, Copyright and Trademarks need not be registered. Rights arise automatically at the time of creation and its use). So, keep a record of your ideas, the date and manner of its creation, date and manner of the use of IP, marketing photos, drawings, designs, code, people who are working with you to create your IP etc..

Rule of thumb new technical inventions for products or methods can be protected by patents.
the new shape of objects can be protected by designs.
trademarks protect brands, trade names, sound, colour combinations used to distinguish goods and services.
copyright is used to protect literary, artistic and musical works, but not the ideas they express.
and trade secrets protect confidential information.
Remember, all of these IP’s have limited time spans, except for Trademarks, provided the renewal fees are paid and the IP’s are used.

Prioritize which IP, How and Where to protect.

Once you have a list, according to your business plan check which IP on the list will help the business at which stage. This will help you come up with a plan to limit or delay spending the money until you can afford it. When you’re looking at your business’s assets, intellectual property, including patents, trademarks, and trade secrets, all have an impact on your valuation. So have your priorities set. For example: (1) for any business, the first thing you would want to prioritize is protecting your Trademark. So choose your mark prudently. Conduct a thorough search before finalizing your mark to avoid duplicity and possible infringement. Also if you intend to do business in other jurisdictions then you should ensure that your marks are not conflicting with the marks in use in those jurisdictions as well. (2) Patent applications must be filed before the invention is disclosed to third parties unless effective confidentiality agreements are in place. So, if you are working on an invention and want to file a patent, but you are not sure about its feasibility or it is at a very early stage or sometimes the invention is conceived but not fully developed, then you can file a patent application with provisional patent specification³. The date of the first filing of a patent application is called the priority date⁴. This date is important to claim priority in the Countries that follow the patent system of first to file like in the USA. After filing a provisional specification you will have a 12 months period to evaluate your invention and decide whether or not to proceed with the application.

Remember IP rights are territorial. There is no International IP registration. You will have to seek IP protection in each country separately where you may have business interest. One can directly file a trademark or patent application in the jurisdiction of interest with or without taking priority of domestic mark.

If you want to seek protection in other countries you have interest in, you can apply for registration of Trademark facilitated through the Madrid Protocol which acts as a vehicle to enable registration in multiple countries taking priority of one of the countries. This priority has to be claimed within six months. A list of jurisdictions that can be accessed through Madrid Protocol for filing trademarks is available here.

For patent application in multiple jurisdictions, one may file an application facilitated through the Paris Convention for all members of the convention which includes India and all major countries within 12 months from the priority date. Or else you may file through the Patent Cooperation Treaty System (PCT). PCT is a vehicular system that allows an applicant to file in PCT contracting states within 30-34 months from the priority date (varies from jurisdiction to jurisdiction) instead of 12 months. The PCT system also provides for an International Search Report on the invention – giving the applicant a glimpse of the chances of the patent grant in multiple jurisdictions.

There are times where the best IP strategy is not to file right away. Then, the answer is to keep it a secret. Because if you start filing, people are going to start trying to invalidate what you’re doing because you’re playing in a sandbox way bigger and the players don’t want you there. So strategize accordingly. Seek help from an IP lawyer.

Have your contracts in place. Don’t let other people claim ownership of your IP.

IP asset ownership can be a real struggle for start-ups where there’s usually more than one founder or where a third party is involved in creating or developing the IP. You must define and agree on the terms of your relationship in a founder agreement. This will give protection that your co-founder will not walk away with the ideas, concepts or other intangible assets. It is absolutely necessary for the Company to own or control all its IP. Have contributors assign their IP to the Company. Ensure that you have set clear boundaries dealing with the ownership and exploitation of IP. You also need to have the appropriate language in place with your employment contracts to ensure your intellectual property is protected if an employee leaves and goes to one of your competitors.Generally the company will own the IP in whatever produced by its employees during their employment, subject to anything contrary agreed. Therefore it is important to make sure there is a clear chain of title for any IP brought to the table. We have largely discussed the importance of the contracts here.

Confidentiality Clause

Include confidentiality provisions in your contracts to protect against disclosure of confidential information or trade secrets including in employment agreements and consultancy agreements . To avoid breaches of your confidentiality, make sure you have employees, partners, and suppliers sign non-disclosure agreements (NDAs). You’ll also want to password-protect all computers, limit which employees have access to certain information, and limit the type of information employees can access on personal devices.

IP strategy is business strategy.

You should consult your team to determine where you spend your money, where you think you actually need protection. Involve your entire leadership team, marketing, sales etc in creating IP Licensing agreements. If your team doesn’t know what’s going on with IP, they’re gonna muck it up for you. Your Salesperson and Service team should be aware of the IPs owned or licensed before committing anything to the customer or else, they’re going to make mistakes. There should be a clear written Licensing agreement specifying how long the license runs for, who can use the IP, where they can use it, what they can use it for, how it can be ended, and whether it can be forced to share it with other people.

Protecting IP is part of your Company culture.

Make intellectual property discovery part of your company culture. Formulate and set up an IP Policy. Create awareness and educate your employees that intellectual property is an asset, and it has value. As you’re coming up with new ideas, as you’re developing the product, as you’re doing more code, as you’re doing more drawings, make sure that any new IP is identified. Follow a procedure to maintain the record of the IP created and maintained.

IP audit and Landscaping .

Remember, to revisit the list that you have made above to check if you are still working as per your business plan. Conduct an IP audit periodically and maintain the registered IPs. Intellectual property can also be a tool for competitive research for your startup in the form of IP landscaping.IP landscaping is a way of using global IP filings to discover what competitors are protecting, where they’re protecting it, and what litigation is happening there. This can help you make a decision.

So do not underestimate the role of IP protection in the growth of your company. When looking for funding, IPO, or sale, the investors will assess your IP strategy.

We are sharing a questionnaire that will help you know the IP situation of your business. It has questions from different sections dealing with IP. After you complete, we will share a report that gives you recommendations and further information on IP and business competitiveness to your email address .Click here to know https://forms.gle/8hjNhkLXpkB8juKq8

This article contains general information only. It does not constitute legal advice. You should consult a suitably qualified lawyer on any specific legal matter or issue.

^{Registration helps you secure exclusivity over your IP throughout the country/region of registration. It gives you legal rights of injunction and compensation over third-party infringers, and in turn, helps you create a brand value.}
^{No suit can be instituted for the infringement of unregistered trademarks. Registration is the prima facie evidence of the proprietorship of the trademark or copyright under registration. For unregistered marks, action can be brought against any person for passing off goods or services as the goods of another person or as services provided by another person.}
^{A provisional specification is required to give only the key novelty and inventive aspect of the invention in an abridged form and may not have claims provided.}
^{This date becomes important, since if there are two patents/ patent applications with the same/substantially similar subject matter, the earlier priority date patent application/patent survives the other. If you are filing an application in other countries, the subsequent applications shall have the same priority date as the parent application.}

October 14, 2022/by cheltonlegal

Data Protection and Privacy, Intellectual Property Law, Latest Updates, Legal News, Research paper