Digital money heist: What's behind surge in online payment fraud?

“Beti, meri awaaz pehchani nahi?”

“Dear, do you not recognise my voice,” said the voice at the other end of the phone. The woman of 30, a resident of Mumbai, who received the call last week, was first perplexed and then besieged with guilt as the caller went on to introduce himself as Waghmare, “a close friend” of  her father’s.
 

Now she was eager to make up for  her lapse of not recognising her father’s close friend.
 

Waghmare went on to say he wanted to transfer Rs15,000, which he owed her father, to the woman’s account because her father’s “bank server was unavailable to accept payments”. Waghmare sent her a message with details of an NEFT transaction amounting to Rs60,000. Immediately, he was on the phone again. “I made an error. Can you send me back the extra Rs45,000 and keep the rest? Please do it quickly. I’m at a hospital and will need the money any time.”
 

The woman promptly transferred  the Rs45,000. She had just become a victim of digital payment fraud. Waghmare’s message with details of the supposed transfer of Rs60,000 was fabricated.
 

Tens of thousands of digital payment users have suffered a similar ordeal.

Trust and greed
 

Ayush Agarwal, a 29-year old information technology professional in Delhi, recently received a phone call from someone who sounded like he was in his late fifties, and claimed to be speaking on behalf of Agarwal’s friend. “He knew my name, and he wanted to transfer Rs5,000 into my account. I received a ‘split bill’ request for Rs5,000 and a UPI (Unified Payments Interface) PIN was required. I did not proceed as I found it fishy,” says Agarwal about his close shave.

One reason why fraudsters sound convincing and trustworthy is that they have been trained. The average fraudster has a strong command over Indian languages, including Hindi. Their language and diction evoke trust 

and confidence.

“There are training centres where  200 to 400 people are trained for this job. The training alone may cost Rs50,000 

to Rs60,000, after which people are promised jobs. Furthermore, these people are placed in call centres where they have targets to complete, which includes duping users,” says Prashant Mali, a cyber and data protection lawyer.
 

Despite the know-your-customer norms, fraudsters appear to have control over dormant bank accounts or accounts of strangers to facilitate their fraud. “Money is routed through dormant bank accounts that may belong to a labourer to whom some commission is paid. It is thus transferred from one account to the other and eventually taken out of the system,” says Shashank Shekhar, founder of Future Crime Research Foundation (FCRF), a think tank incubated at Indian Institute of Technology Kanpur.
 

A person who did not wish to be identified told Business Standard his account was frozen af­t­er transactions amo­un­ting to nearly Rs15 lakh in a single mon­th were reported by the cyber cell. “I was not aware of the consequences when I took up this job,” he says.
 

Strength and weakness
 

More than 47 per cent of all cybercrime is linked to UPI payments, making it the most common form of financial fraud, says a report by FCRF. 
 

The reason could lie in UPI’s ever increasing popularity: It clocked a record 11 billion transactions in October. On the flip side, more than 95,000 fraud cases lin­ked to UPI were recorded in 2022-23,

 a 13 per cent increase from the  previous year.
 

“After the pandemic, everyone shifted to digital transactions and the transition happened nearly overnight. Unfortunately, a large chunk of users is not aware of the nitty-gritty of payment processes,” says Shekhar of FCRF.

Scammers resort to social engineering techniques such as phishing, sending malicious links, or asking their victims to download third-party apps that have a user interface similar to a banking app. Deep fakes and artificial intelligence (AI) are the newest threats.
 

“The next set of challenges will arise from deep fakes and generative AI. Fraudsters may impersonate biomet­rics such as voice and face to sound and look familiar. It is critical to be prepared to address these challenges, too,” says Jatinder Handoo, chief executive officer (CEO), Digital Lenders Association of India, an industry body for digital lenders.
 

He points out that the UPI’s strengths are misused by fraudsters, who somehow convince their victims to transfer money.

Mali, the lawyer, says UPI-linked frauds have a pattern. “A theme of this entire issue is that these frauds have a smaller size, anywhere between Rs5,000 and Rs50,000. As a result, getting justice becomes even more difficult,” he says.

Industry players say UPI is safe as a system and these frauds occur outside the payment system’s control. “These are not UPI frauds as the origination of such scams happens outside the system,” says a person close to the National Payments Corporation of India (NPCI).
   

Who is responsible? 
 

Industry participants believe the responsibility for such frauds lies with the customer as the user authorises the transaction with the two-factor authentication. 

“In such cases, the customer bears  the loss since this is a two-factor authentication and both the factors are bypassed due to the customer’s mistake,” PhonePe, the digital payments firm owned by Walmart, said in response to queries from Business Standard. 
 

The person close to the NPCI agrees: “When a customer is authorising a transaction after being armed with a two-factor authentication, how can anyone else take responsibility?”

The standing committee on finance, in its report this year, said filing for a compensation claim is complex and time-consuming for customers and it puts the burden of proof on the victims. The committee recommended an automatic compensation system for cyber fraud victims. 
 

Agarwal, who had a close shave, says his father avoids transacting digitally because he fears the risk.

Mali says he keeps getting clients who have fallen victim to such frauds. “They avoid transferring me the fees 

via UPI and, instead, insist on cash or cheque,” he says.

Safeguards
 

Mali suggests mandatory digital payments insurance to guard against losses incurred by fraud victims. “The country should have something called digital India insurance, where people 

can apply and get their money back immediately,” he says. 
 

Pankit Desai, co-founder and CEO of Sequretek, a cybersecurity firm, says the challenge with digital payments fraud is that individuals are unable to spot them. “One would be aware if one could identify the fraudster, but the problem is people just can’t. It’s akin to avoiding bad neighbourhoods to prevent being robbed, but one needs to recognise what ‘bad’ looks like in the first place,” he says. 
 

Desai says there is a need to “gamify” the payments systems and rate a person on the basis of their risky behaviour, such as through a small quiz in the language of the user’s choice. “One can pose questions and the system can check if the user can detect frauds after processing his or her responses. This can be done every six months, thus assessing a person’s risk profile through a score and a set of recommendations can be provided to the person,” Desai explains. 

In the meantime, if someone calls you and laments that you did not recognise their voice, do not feel guilty.