“UPIng” the ante: How to effectively mitigate fraud threats for digital payments in India

UPI is the preferred form of digital payments in India

In October 2020, UPI payments touched the 2 billion mark monthly, up from the 1 billion volume recorded in October 2019. This statistic is representative of the explosive growth that the UPI payment ecosystem has seen. Year on year growth in volume between 2019 and 2020 was 70%, while the transaction value growth has been 105%.

The successful uptake and mass usage of UPI payments can be traced to the ease of use of the platform and the push by the government and regulators to move customers to digital channels.

Fraud threats have been an integral part of the evolution

Unprecedented growth in UPI payments present players in the market with new challenges. The rise of UPI payment providers and increasing consumer adoption – has led to an upsurge in fraud in the digital channel. Increasing sophistication of social – engineering techniques employed by criminals on unsuspecting customers, pose complex fraud prevention challenges. Proliferation of malware and other fraud enabling technologies exacerbate the situation

A multitude of threats are faced by UPI players

Due to the sensitivity of fraud related data and current regulations, there is limited publicly available information on the quantum of loss and split by categories. Nonetheless, banking industry insiders have pointed out that there are several criminal syndicates who are industriously perpetrating different types of fraud on customers using the UPI ecosystem. According to industry experts the predominant types of fraud are:

·      Account takeover

·      SIM swap fraud

·      Collect request fraud.

Account takeover is often perpetrated by fraudsters using social engineering. One common modus operandi involves customers who may have complained about their UPI app on twitter or other social media channels. They are contacted by the fraudster posing as a bank representative who asks the customer to download a screen share app so they can assist with the technical issue they are facing. Once they obtain control of the app, the fraudster initiates transactions to their own account.

SIM swap fraud often happens when criminals under the pretext of offering better SIM services, extract information for a cloned SIM and gain access to OTPs sent to customers.

Collect request fraud is another common type of social engineering led fraud where fraudsters send “request money” messages while posing as buyers. Customers mistake it for an inbound transfer and enter their PIN to authorize the debit from their accounts. This is a cleverly orchestrated fraud with criminals building a credible narrative which usually involves the criminal expressing interest in purchasing goods/services that the customer might have advertised for.

Other types of fraud include:

·      QR code-based merchant fraud where QR codes of genuine merchants are tampered or replaced with a criminal’s account details

·      Impersonation of company officials where customers divulge sensitive information including OTP and PIN when contacted by purported bank officials. Fraudsters are also known to target customers airing grievances on twitter and other social media platforms.

·      Fraud using malware attacks in which customer inadvertently provides information on device by downloading malware from fake mail attachments or websites

How to tackle this epidemic of crime

There are multiple ways to address these challenges.

a)     Data and analytics-based fraud detection is an important line of defense that can be employed by apps, banks and NPCI. Leveraging analytics and ML techniques to detect out of pattern spend is a critical tool for flagging up anomalous behavior. Usage of signals like location, device footprint etc. to flag up suspicious users/activity can help mitigate risks

b)    Creating robust app interfaces including biometric access and step up authentication in case of dubious transaction attempts. Warning beacons can be utilized to identify ‘strangers’ or ‘spam contacts.

To tackle the issue of collect request fraud, pre-debit notification highlighting balance after accepting a ‘request money’ message can prompt customer to read be vigilant before entering their PIN.

c)     Customer education campaigns can go a long way. Regular notifications on fraud ‘dos and don’ts’ and importance of anti-virus software on mobiles have a crucial role to play. Customer education creatives need to be rolled out in all mainstream & regional languages to ensure maximum outreach

d)    Effective collaboration between PSP banks, apps facilitated by the regulator, Reserve Bank of India, and operationalized by National Payment Corporation of India, the nodal government agency, especially in the area of data sharing is crucial. Sharing of known fraudster details between app providers and banks can help reduce the fraud incidence substantially.

 Conclusion

The Reserve Bank of India, in its Vision 2021 document for Payment and Settlement Systems in India, speaks of the need to enhance “Confidence” as a goal post alongside Competition, Cost and Convenience; together forming the 4Cs that the Vision aims to accomplish. Creating a framework for collecting data on Frauds in the payment systems is an integral part of the “Confidence” tenet.  The RBI goes further and says that it promotes usage of analytics that can help distinguishing fraudulent transactions from legitimate ones. UPI players and Banks who are able to follow these directives alongside policy controls mentioned in this piece will be well-positioned to tackle the fraud and criminal threats that plague the UPI ecosystem and emphatically restore customer confidence in digital payments.

Disclaimer: The postings on this site are the author's personal opinions. This content is not read or approved by their current or former employer before it is posted and does not necessarily represent their positions, strategies or opinions