Beware! Hackers might be fraudulently accessing your e-wallets, mobile banking app and UPI Wallet. A complete guide to secure your wallet.
India is moving rapidly towards digitalisation. Since last year, owing to the lockdown and social distancing norms, digital transactions have been preferred over cash because they are a contactless mode of payment. A significant percentage of consumers have increased their use of digital payments via credit and debit cards, mobile wallets and other UPI-based payment methods. However, with the surge in digital transactions, the number of online frauds such as phishing and cyberattacks, in which fraudsters target your bank account or extract money from your debit cards, credit cards or payment wallets such as Google Pay, Paytm and PhonePe, has also shot up.
The schemers keep looking for information about you. Data is the new gold, and most of the data is provided by you. The question is: how?
Let me give you some instances. 1st scenario: when you visit a mall or restaurant, a youngster approaches you with a form to fill in, saying that you are eligible to participate in a lucky draw. You fill in the details. Boom! You have given away your vital information: your name, date of birth, anniversary date, email ID, address and so on.
2nd scenario: most of you like posting details of your life events on social media pages: your birthday celebrations, pictures of your family and friends, the places you visit, the restaurants you eat at, and so on. Your information is scattered all over digital media, and when pooled together it gives the whole picture about you.
This information is gold for the schemers, who keep deploying new tactics for looting money digitally. Having collected the information, a fraudster may call you claiming to be a representative of a bank or telecom company, say that you are eligible for a loan or a gift, and ask you to confirm your date of birth and other details over the call in order to empty your bank account. And, unsuspecting, you give away the information.
To create awareness, telecom service providers such as Airtel play a pre-recorded warning during outgoing calls against sharing the OTP, ATM PIN, CVV number etc. over the phone. The National Payments Corporation of India (NPCI), banks and the Reserve Bank of India (RBI) are also issuing advisories on these fraudulent transactions. Despite this, people are falling prey to such frauds.
This reminds me of the plot of the web television series Jamtara – Sabka Number Ayega, which was released on the Netflix OTT platform on 10th January 2020. The storyline of the series is based on phishing operations conducted from Jamtara, a remote village in Jharkhand State, by a bunch of young, illiterate boys and girls who use minimal infrastructure, such as mobile phones and a laptop, to loot lakhs of rupees from literate, unsuspecting urban people like us. Worth watching!
Every schemer has his or her own modus operandi.
- Remote Screen mirroring tool:
Since the lockdown was imposed in March 2020, work from home has become the new norm in business. Many companies insist on employees downloading remote screen mirroring applications so that they can keep track of them. These applications connect one device to another, so any person who gains access to your device through such an application will be able to view and control it.
However, fraudsters are using these applications to commit fraud. Many times, hackers pose as bank officials or as customer service staff of an online payment wallet and say that your wallet or bank KYC is invalid, or that your debit card is blocked, and that you need to download an app to claim the money or validate the KYC in order to continue using the payment wallet. This application could be a remote screen mirroring tool.

Sometimes, while transacting through an online wallet, you may get a message that the transaction has failed or been declined, or that there was some error, yet the amount has been debited from your bank account. In such a situation a victim will search for helpline numbers in a search engine, but the number listed may turn out to be fake. This has happened to many. Apparently, the fraudster had created a fake web page that was an exact copy of the official page of the actual service provider, the bank, and put a fake helpline number on it. The victim ended up calling this fake helpline number with all his complaints. The schemer convinced him to download the remote mirroring application to resolve the payment issue, and the victim fell prey to the scam. Once the application was installed on the victim's phone, the fraudster could access the phone, read his messages and OTPs, see what he tapped on the phone, and so on. The victim lost all his hard-earned money from his bank account.

Always check the authenticity of a bank's website. Do not search for helpline numbers in a search engine. Always contact the number listed on the official website of the bank, not one found on social media pages.
Nowadays, many people choose to contact officials through their Twitter accounts to get the service provider's attention and a quick redressal. They post the details of the failed transaction online, thinking that it will be resolved soon. However, the schemers are also reading such posts. A fraudster may contact you posing as a representative of the redressal agency, make you reveal further details, and convince you to download an application to solve your problem or for verification purposes.
Just because a UPI social media page has the words BHIM or NPCI in it, or a name similar to that of a bank or government agency, that does not make it authentic.
What happens once you download the remote screen application?
After you download the remote screen mirroring application, a 9-digit code is generated on your device, which allows the hacker to access your device remotely. After entering this 9-digit code, the hacker asks you to grant certain permissions, which are similar to those required by other apps. Once they gain access to your device, the hackers can view the screen, control your device through this application, and carry out fraudulent transactions through mobile banking or payment applications, including UPI wallets. You will receive OTPs for all these transactions, which the fraudsters can also view. They use your credentials to transfer huge amounts from your account and delete the SMS messages, so you may never know. And boom: your bank account is empty.
The most interesting thing is that these hacking applications are freely available through search engines and on the Android Play Store, and their tools can be used to hack into anybody's phone. Hackers can read through your chats, SMS messages and other applications and gather all your personal information without you even noticing. You always need to be alert. Read the permissions an app seeks when you download it. Do not download applications from unknown sources. Be cautious.
- Scams using UPI Pin or OTP.
A recent method adopted by the schemers is to send a “request money” link via SMS or a website. You click the link and authorise the transaction thinking that you will receive money; on the contrary, your savings are deducted from your bank account.
In one instance, PhonePe customers received SMS messages from the fake header ‘AX-PHONEPE’ instead of the legitimate ‘AX-PHONPE’, claiming that their account had expired or been blocked, that KYC verification was due and so on, in order to transfer the user’s money. Customers of other payment wallets, including Eko India, Paypoint, Pay1 and Infibeam Avenues, have also encountered phishing calls made using illegitimate SIM cards.
One of the classic ways in which fraudsters try to scam you is to convince you to share the OTP or UPI PIN over the phone. Once they have the details, they authenticate the UPI transaction and steal your money.
Generally, during on-boarding in any UPI application, the app and the bank send text messages (SMS) at various stages: registration, adding a bank account, and setting the UPI PIN. If you have not registered for UPI services on any app but happen to receive an SMS saying that the on-boarding process has been initiated, reach out to your bank immediately and lodge a complaint.
- Phishing Scam
This is the most common way scammers use to scam you. The schemer calls to inform you that you have won crores of rupees in a lottery, or that your bank account is blocked and that to unblock it you need to click on a link (an unauthorised URL) sent by them via SMS. These fake bank URLs look almost identical to the original URL. If you are in a hurry and click on the link, it directs you to the UPI payment apps installed on your phone and asks you to select one of them for auto-debit. Once you give permission, the amount is debited from the UPI app instantly.
Often, after such financial mishaps, you may be uncertain about how to seek redressal through formal channels. Here are the steps to take.
As soon as you realise that suspicious activity is taking place in your bank account, or that you have been a victim of a UPI scam, collect evidence.
- Preserve the transaction details:
- Take screenshots of the transaction, of SMS, email, fraudulent website, UPI handle;
- Note the transaction ID, beneficiary’s bank account details, phone number of the fraudster, etc.
- If you are defrauded through e-commerce platforms, you should save a screenshot of the merchant’s web page.
- If you fall victim to ATM skimming, which means stealing your details through a device placed illegally at an ATM terminal, you should document the ATM location, address and number which is listed on top of the machine.
- Similarly, you should note the merchant’s address if a point-of-sale device has skimmed your card details.
This is vital information and will be useful when lodging a complaint with the police, the bank, the payment wallet company or the application developer. Always remember to change all passwords and PINs related to your bank account or mobile wallet immediately. Never search for the service provider's helpline number in a search engine; always get the number from the service provider's official website. Look out for the genuine websites.
- How to file Complaint with your Bank:
- Immediately inform your bank of the unauthorised transaction on the bank’s toll-free helpline (always mentioned on the bank’s official website), send an email to your bank, or visit your bank’s home branch to alert them to the fraud. The sooner you inform them, the safer your money will be.
- In case of a payment fraud on an e-commerce website, a PoS device or an ATM, customers should file the complaint with the card issuing bank.
- In case any fraudulent transaction has been committed with your bank account linked to the UPI app, immediately register a complaint by giving a call or sending an email to your bank. Also, request your bank to block future UPI transactions associated with the account.
- Submit a request to block your bank account. The bank will verify your identity by asking for some personal details before finally blocking your account. This will stop future UPI transactions. You will be able to access your bank account again after you change the passwords or after new details are issued.
- Complain to the payment platforms:
- If you are using a TPAP (third-party app provider) platform such as PhonePe, Google Pay or Paytm, call the toll-free number to submit your complaint. Each of these platforms has a grievance redressal mechanism, which you will need to follow to lodge the complaint.
- You also need to lodge a complaint about the fraudulent transaction with the company that develops the UPI app so that it can investigate the issue. Most UPI app developers have mechanisms in place for raising disputes. For instance, on Google Pay there is a dispute option on each paid transaction for raising a complaint if you feel it is suspicious or fraudulent.
- The platform will be able to share some details related to the fraudster which may help you identify them.
- Some platforms also offer an in-built complaint feature where you can easily raise a dispute against a transaction.
- The bank and the UPI company should be able to resolve your complaint within 10 days.
- Complain to the Cyber Crime Police:
- After you have notified your bank, the payment platform and the app developer, you should file a first information report (FIR) with the local police station and request them to forward it to the cyber-crime cell if the police station in your area does not have this division. This is because cyber-crime cells have the expertise to investigate digital fraud cases.
- While filing the cyber-crime complaint, you need to provide the following:
- your identity proof, contact details and address proof
- your last six months’ bank statement,
- details of the fraudulent transactions
- and a copy/screenshots of the messages received while making those transactions.
- Complain to PSP and NPCI:
- In case the complaint / grievance remains unresolved, the next level for escalation will be the PSP (Payment Service Provider) Bank, followed by the bank (where you maintain your account) and NPCI, in the same order.
- The complaint can be raised for both types of transactions, i.e. fund transfers and merchant transactions.
- The PSP / TPAP (third-party app provider) will keep you informed by updating the status of your complaint on the relevant app itself.
List of third-party UPI-based payment apps, each of which offers a payment app together with a partner bank: https://www.npci.org.in/upi-PSP%263rdpartyApps
- Complain to the Digital Payments Ombudsman:
- After exercising these options, you can approach the Banking Ombudsman and / or the Ombudsman for Digital Complaints, as the case may be. In January 2019 the Reserve Bank of India (RBI) launched an Ombudsman scheme that deals specifically with digital transaction issues. The idea was to have an ombudsman mechanism for redressal of complaints about deficiency in services related to digital transactions. The deficiencies identified and included are delays in payment/credit/refunds, unauthorized transfers, and failure to act on instructions given by the customer.
- Should you not get a response from your bank or payment service provider within a month, or if you are not satisfied with the response, you can approach the RBI’s Banking Ombudsman.
- You can send your complaint in writing to the Ombudsman for Digital Payments. A form is also available on RBI’s website here: https://cms.rbi.org.in/cms/IndexPage.aspx?aspxerrorpath=/cms/cms/indexpage.aspx#, which you may use to file a UPI fraud complaint. You will be required to give the following details to the ombudsman for reviewing a case:
- name and address proofs,
- facts giving rise to the complaint supported by documents/screenshots/messages, the nature and extent of the loss and the name / contact number / address (any information that is available) against whom the complaint is made.
Note that frauds such as the ‘request money’ ones typically don’t fall under the ombudsman scheme as they are incurred by fooling the user into doing a spurious transaction. RBI’s ombudsman scheme does not accept complaints in cases where, legitimately, the consumer has entered the PIN and transferred the amount using UPI apps.
Be extremely cautious while transacting on app-based money wallets. You must always verify the identity of the other party before initiating a payment or sharing your details. Also, never delay in reporting such an occurrence: quick action can help your case by leaps and bounds.
So, prevention is always better than cure. Here are the points you should keep in mind while transacting online:
- If you are banking electronically, you must register yourself for SMS/email alerts and immediately inform your bank in case of a fraud;
- According to RBI, you must only use sites with https while banking online. The “https” tag is more secure than “http”. Look at the name of the domain. Does it contain any unusual symbols, too many dashes, suspicious attempts at mimicking the names and products of big brands or other businesses, spelling errors etc.? Check the contact information. Legitimate websites, businesses and organizations have no reason to hide. Other red flags of a fake website include poor grammar, spelling mistakes, gibberish in the website copy or blog content, and a multitude of intrusive ads.
- Avoid undertaking banking or other financial transactions through public, open or free wifi-networks.
- Regularly change your password/PIN/ OTP;
- Never share important details such as your debit card number, CVV, expiry date, registration or OTP with anyone. Many a time, a caller asks for these details in the name of a bank executive, stating that your card will be blocked. Do NOT fall for these types of calls. Bank officials will already have all the details pertaining to your bank account. Apart from banks, SMS messages can also come in the name of IRDAI and EPFO. However, they also do not send any such message.
- Do not share UPI MPIN with anyone. MPIN is the one which you enter in the UPI app to check your balance.
- Do not click on any unofficial link from the SMS. Also, do not forward any such SMS.
- Do not download any app or confirm payment from unknown accounts via UPI.
- Do not store important banking data on the mobile, e-mail, electronic wallet or purse.
- Do not share personal details on any social media platform, and do not lodge complaints about digital transactions on social media handles.
- RBI has also warned citizens to be wary and not fall prey to the fraudulent tactics used by scamsters. RBI helpline number to report fraudulent activity in your bank account: 14440
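
The sender-header and link checks described in this guide (the fake ‘AX-PHONEPE’ header, bank URLs that look almost identical to the original, and the domain red flags listed above) can be automated on the receiving side. The sketch below is an added example, not part of the original article; the domain examplebank.co.in, the 0.8 similarity threshold and the dash limit are assumptions chosen for illustration.

```python
import difflib
from urllib.parse import urlsplit

# Constructed allowlists; real entries must come from the provider's official site.
KNOWN_HEADERS = {"AX-PHONPE"}          # legitimate header quoted in the article
KNOWN_DOMAINS = {"examplebank.co.in"}  # hypothetical official bank domain
SIMILARITY = 0.8                       # assumed threshold for "almost identical"
MAX_DASHES = 2                         # assumed limit for "too many dashes"


def _similar(a, b):
    return difflib.SequenceMatcher(None, a, b).ratio() >= SIMILARITY


def check_sender(header):
    """Classify an SMS sender header as 'known', 'lookalike' or 'unknown'."""
    header = header.strip().upper()
    if header in KNOWN_HEADERS:
        return "known"
    if any(_similar(header, good) for good in KNOWN_HEADERS):
        return "lookalike"
    return "unknown"


def check_link(url):
    """Return the red flags found in a link received by SMS or e-mail."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if not host.isascii() or any(lab.startswith("xn--") for lab in labels):
        flags.append("unusual-symbols")
    if host.count("-") > MAX_DASHES:
        flags.append("many-dashes")
    if any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
        return flags  # official domain or one of its subdomains
    brands = [d.split(".")[0] for d in KNOWN_DOMAINS]
    mimics = any(b in lab or _similar(lab, b) for b in brands for lab in labels)
    flags.append("mimics-known-domain" if mimics else "unlisted-domain")
    return flags


if __name__ == "__main__":
    for h in ("AX-PHONPE", "AX-PHONEPE", "XY-SHOPNOW"):  # constructed samples
        print(h, check_sender(h))
    for u in ("https://examplebank.co.in/login", "http://examp1ebank.co.in/kyc",
              "https://examplebank-kyc-update-now.in/verify"):
        print(u, check_link(u))
```

An empty list from `check_link` means only that none of these red flags fired; the helpline number and website should still be taken from the bank's official site.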
So be alert, and safe transacting!
This article contains general information only. It does not constitute legal advice. You should consult a suitably qualified lawyer on any specific legal matter or issue.