Mitigating the risk of errors and frauds while making Digital Payments using UPI Apps
Thanks to the pandemic-induced lockdown, digital payments for making bank transfers through UPI apps have doubled in 2020. However, there has also been a massive increase in cases of erroneous payments and digital frauds. Like many of you, I too have been a victim of this malady despite being a seasoned banker and risk management specialist. This prompted me to further educate myself and carry out some research on the subject. Here are some insights around some common types of errors and frauds that we need to guard against.
These insights carry important lessons not just for users, but also have implications for virtually all players in the payment ecosystem: payment system operators (like NPCI) and service providers (like PayTM), regulators (RBI), law enforcement and investigation agencies, and policy makers (NITI Aayog). I have gathered these insights through my own experience with using several of these apps over the past 5 years, a perusal of some of the key complaints made by users of some popular UPI apps as reported in mainstream and social media, and by benchmarking these apps on a set of key design features.
The fraud that I was a victim of took place on June 11th, 2021 during the peak of the lockdown induced by the second wave of Covid. I tried to place an order on the phone with a store in my neighborhood, belonging to a prominent chain. I searched online for their phone number by using a leading search engine and called a number that was displayed at the top of my search result. The person I spoke to took my order and delivery address, answered some technical questions about the product, asked me to make an online bank transfer by using a popular digital payment app and promised delivery within 30 minutes.
Like most of you, I too do not make advance payments, especially using online tools, as it is difficult to verify the identity of counter-parties, especially ones not used before. However, in this case I felt confident because the store/chain in question was an established one, the individual at the other end seemed technically competent and the payment was being made to the chain’s own bank account. I then made the payment and received a confirmation from the app to the effect that I had indeed paid the chain. However, the delivery did not materialize. When I called the number in question, I realized that it was being manned by fraudsters, who had decamped with the funds. I promptly alerted the bank where the funds had been sent and asked them to freeze the account. However, the funds had been siphoned off. All this happened in the space of a few minutes.
Frantic complaints to the head office of the store in question, the police cyber cell and the bank/app in question revealed to me that this type of fraud has been rampant during the lockdown. A few days later, a popular Bollywood celebrity also tweeted about a similar experience she had faced, which resonated with several other netizens, who shared similar tales of woe. Media reports too corroborate that this is an alarming and nationwide trend, impacting businesses across several sectors: restaurants, grocery stores, liquor stores et al.
This type of fraud essentially emanates from the user/payer not knowing for sure whether the owner of the account being credited is indeed the intended beneficiary. Apart from such frauds, another set of key complaints with payment apps relates to data entry errors in inputting the account number, bank name or IFSC code, leading to funds reaching the wrong beneficiary. The root cause of these errors is that local digital payments are conducted based purely on the account number. The bank receiving funds is not required to (and is also unable to) match the payee name as provided in the payment instruction on the app with the name of the owner of the account that they are crediting. This is significant because it is completely unlike the case with traditional payment mechanisms like physical cheques and cash deposits, wherein local laws and regulations do require the bank collecting the proceeds to perform this check. It is this loophole that is causing all this strife.
Fortunately, the solution to address this loophole already exists, i.e. the technologies required to deliver each of these features/services have already been developed by NPCI, which provides the UPI platform, the payments backbone and the institutional framework on which all these apps depend. Unfortunately, there are gaps, delays and inconsistencies in the adoption of these technologies (APIs) among service providers. Here is a short list of some of the key features/capabilities in question. Users should look for these when choosing which UPI app to use. Service providers need to expedite the delivery of these capabilities on their apps. Regulators and payment system operators need to mandate/drive their adoption across the ecosystem.
1. When payments are being made via the "IFSC code + bank account number" option, a very important feature to look for is the ability of the app to “fetch” the title of the account being credited. This feature enables the user to check whether the account being credited actually belongs to the intended beneficiary or to someone else (e.g. a fraudster). This feature is available in the apps of players like NPCI BHIM and SBI BHIM, but not in most of the others (e.g. PayTM, Amazon, Google Pay, Phone Pe).
2. While most other UPI apps do not have this capability, they partially mitigate the risk of wrong payments by not asking for the beneficiary name to be input by the user (since this detail cannot be verified by the beneficiary’s bank). This provides a subtle alert to the user to be very sure that the account number being input really belongs to the intended beneficiary. In most cases, this alert is too subtle and should be made more explicit. (Amazon, Google, Phone Pe)
3. Instead of doing this, PayTM, which does not have the capability mentioned in point 1 above, increases the risk of frauds by actually asking for the beneficiary name. This feature often leads users to expect that this detail will indeed be matched off at the time of credit. Further, this app exacerbates this gap by mentioning the beneficiary name, as input by the user, in two other places on the app, which reinforces this false expectation. (I have alerted them to this point and they have advised me that my feedback is being worked upon.)
4. For the feature in point 1 to work, the receiving bank also needs to respond to the request for this information. Some banks do not respond to these requests. In such cases, some apps like SBI BHIM alert users when they do not receive this information from the receiving bank, so that users may take a risk-aware decision on whether to proceed with the transaction (or not). Most apps which do have the ability to seek the beneficiary name do not provide such an alert in cases where these requests are not responded to by the beneficiary’s bank (BHIM UPI).
5. When payments are made via the “Virtual Payment ID or VPA” option, this problem of knowing who the beneficiary is, is addressed by all apps, as the beneficiary name is clearly "fetched" and displayed. Similarly, when paying using the “mobile number” option, all apps fetch the beneficiary details, but this option can only be used if the beneficiary has also registered his/her mobile number and bank account number with the same app.
6. Blind key verification: this feature requires the user to input the beneficiary account number twice, including once without being able to see what is being typed, to mitigate the risk of incorrect data entry. All the apps mentioned above have this feature, but several others do not.
7. The ability to “fetch” the name of the bank (when the bank’s IFSC code is keyed in) and the ability to “search” for the IFSC code by choosing bank name and branch. These features help avoid errors in bank name/branch. Again, all the apps mentioned above have this feature, but several others do not.
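As an added illustration (not code from the article or from any UPI app), the following Python models the payer-side checks described in points 1, 4, 6 and 7 above: IFSC format validation, blind re-entry of the account number, and comparison of the fetched account title with the payee the user intended, with an explicit warning when the receiving bank does not answer the title lookup. The suffix table, the token-subset matching rule and the sample names, IFSC and account numbers are my own constructed assumptions.

```python
import re
from typing import Optional, Tuple

# IFSC structure: 4-letter bank code, a literal '0', then a 6-character branch code.
IFSC_RE = re.compile(r"^[A-Z]{4}0[A-Z0-9]{6}$")
# Suffix spellings that payers and banks often write differently (assumed list).
SUFFIX_MAP = {"PVT": "PRIVATE", "LTD": "LIMITED", "&": "AND"}


def ifsc_is_valid(code: str) -> bool:
    """Structural check only; it cannot prove that the branch exists."""
    return bool(IFSC_RE.match(code.strip().upper()))


def normalize_name(name: str) -> set:
    """Upper-case, strip punctuation, expand suffixes and return the token set."""
    tokens = re.sub(r"[^\w& ]", " ", name.upper()).split()
    return {SUFFIX_MAP.get(t, t) for t in tokens}


def blind_reentry_matches(first: str, second: str) -> bool:
    """Blind key verification: the hidden second entry must equal the first."""
    first, second = first.strip(), second.strip()
    return first != "" and first == second


def assess_payee(entered_name: str, fetched_title: Optional[str], ifsc: str,
                 acct_first: str, acct_second: str) -> Tuple[str, str]:
    """Decide whether an 'IFSC + account number' transfer is safe to present."""
    if not ifsc_is_valid(ifsc):
        return "BLOCK", "IFSC is not in the expected format"
    if not blind_reentry_matches(acct_first, acct_second):
        return "BLOCK", "account number re-entry does not match"
    if fetched_title is None:
        # The receiving bank did not answer the title lookup: say so explicitly
        # instead of silently proceeding, so the payer can make a risk-aware call.
        return "WARN", "beneficiary bank returned no account title; payee unverified"
    expected, actual = normalize_name(entered_name), normalize_name(fetched_title)
    if not expected:
        return "REVIEW", f"no payee name entered; confirm '{fetched_title}' is intended"
    if expected <= actual:  # every token the payer typed occurs in the fetched title
        return "OK", f"account title '{fetched_title}' matches the intended payee"
    return "MISMATCH", f"account is held by '{fetched_title}', not '{entered_name}'"


if __name__ == "__main__":
    # Constructed sample: the payer types a store name, the bank returns a person's name.
    print(assess_payee("ABC Stores Pvt. Ltd.", "RAMESH KUMAR",
                       "ABCD0001234", "123456789012", "123456789012"))
```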
Now to the way in which the loophole mentioned in point 3 is being misused on a large scale by fraudsters. As shown in my personal example above, the modus operandi involves fraudsters masquerading as popular stores/brands, placing online ads on their behalf, collecting orders for home delivery of products on their behalf and then decamping with the proceeds. This fraud takes place because victims are convinced that since they are making payments into the accounts of well-known companies/stores (as explained above), using well-known payment apps, the party collecting the order is genuine. Hence they often agree to make an advance payment instead of payment on delivery.
Another variant of the same fraud involves fraudsters convincing victims to "send them a text message" using the messaging feature on these apps, ostensibly for the purpose of "authenticating their order" or creating a "user account" in the database of the store. Instead of sending a message, users end up sending funds, often much larger in value than the original transaction, and that too several times. This happens because users don't realize that when they are inputting their UPI code on the app, as requested by the fraudster, they are actually consenting to releasing funds from their account.
Apart from weaknesses in the payment apps, this type of fraud is also enabled by the fact that the search engine in question actively promotes these paid ads, making them appear at the top of search results, without even conducting basic due diligence on the advertiser. In other words, they do not even check whether the advertiser is indeed who they claim to be. In mainstream media such a gap or practice is rare. However, online platforms and search engines seem to have major weaknesses in their controls, processes, business practices and business models.
Importantly, the victims of these frauds are being lulled into a false sense of security and being duped by these ads because they are actively promoted by the search engine and because these ads have websites with a domain name that is related to them. If this issue remains unresolved, it may require businesses to implement other compensating controls at their end, in order to mitigate the risk of fake ads being placed on their behalf. This issue may also damage the public’s trust in, and the image of, such search engines. (This feedback too has been shared with the search engine/platform in question and is reportedly being worked upon.)
Another factor that allows fraudsters to continue with their scam without getting apprehended is the fact that they recycle bank accounts and mobile numbers quite rapidly. This is further enabled by virtual/digital account opening processes that have been recently introduced, which make it easy for fraudsters and their accomplices, including some unwitting ones and some persuaded by modest financial reward, to open a large number of bank accounts remotely, across several banks (including payment banks), with low barriers to entry and exit. The same is done with prepaid SIM cards of mobile phones. Controlling these practices is relatively more cumbersome, but not impossible, especially given the artificial intelligence and machine learning tools at the disposal of risk managers in these firms, particularly in the area of transaction monitoring and fraud detection. Integrating the risk management efforts of mobile companies, banks and search engines will make it easier, but the legal, regulatory and institutional framework to enable this is yet to be born.
In the interim, consumers would do well to exercise caution while making any bank transfers on these apps, especially into accounts held in payment banks. More broadly, they should not make advance payments to unverified beneficiaries, especially first-time ones, and especially for e-commerce transactions. Further, they should be careful of “spoofed” websites of popular companies. In such cases the URL used by such fake websites will be very similar to, and the look and feel of the websites identical with, those of the genuine ones. Fortunately, paying very close attention to the URL will reveal minor differences in spelling, or the presence or absence of some characters, that distinguish the fake sites from the genuine ones.
Most importantly, users should use digital payment apps that offer the features listed above and be very careful when using those that don’t. They should also follow the Dos and Don’ts shared by their bank and by regulators. For example, they should not share banking information, personal details, OTPs, passwords etc. with anyone, including those who claim to be employees of banks, e-commerce companies and payment apps, who often perpetrate frauds in the guise of completing a KYC refresh, “unblocking” of accounts, facilitating various types of transactions including credits/refunds, or even while ostensibly resolving complaints.
They should also not click on unverified links or scan QR codes received via email or messaging apps, including those purportedly sent by such prominent and trusted firms, ostensibly for the above purposes, including those received during/post telephonic interactions with individuals claiming to be employees/agents of such firms. These methods can be used to make fraudulent payments from the user's account to the fraudster's account or to "take over" control of the user's device, which could lead to compromise of passwords and inadvertent release of OTPs.
In summary, in the world of digital payments and e-commerce, the price for security and convenience is eternal vigilance and constant education.
Fraud Prevention Co-Founder | FraudCue | Identity Fraud
1y Shantanu Srivastava We are FraudCue, and we think we can help. We are the biggest fraud database of phone nos./UPIs in India (currently having 141844+ numbers & 16458+ UPI IDs). We also have around 1067+ negative merchants and contacts of many nodal officers & above all it is FREE. Check us out at www.fraudcue.com.
Fraud Prevention Co-Founder | FraudCue | Identity Fraud
1y Shantanu Srivastava We are FraudCue, and we think we can help. We are the biggest fraud database of phone nos./UPIs in India (currently having 132214+ numbers & 13784+ UPI IDs). We also have around 1067+ negative merchants and contacts of many nodal officers & above all it is FREE. Check us out at www.fraudcue.com.
Senior Vice President | Operations | Client services
3y Very insightful and educative article...
Senior Manager with 25+ years experience in Wealth & Retail Banking with a leading international bank.
3y Thanks for this Shantanu. A very informative piece indeed.