Shivam Shukla installed the Paytm app in February to link it with FASTag—a reloadable smart tag operated by the National Highways Authority of India, enabling automated toll payments.
A few days later, on 24 February, he started receiving messages to finish his Paytm KYC (“Know Your Customer”)—a business process to verify a customer’s identity. He would lose the money in his Paytm wallet if he didn’t, the message warned, and ended with a number he was asked to call. He did, but no one answered.
The next morning, at 9.13 am, the 26-year-old, who lives in Kanpur and works as a professional anchor, got a call from a man who introduced himself as a Paytm employee. He gave him simple instructions to complete the KYC on his own: download a screen sharing app, connect it with Paytm, share the nine-digit ID, and wait. Shukla did everything he was asked to.
Next, the caller asked him to add ₹10 to his Paytm wallet. He wondered why this was needed. But he went ahead thinking it was harmless and added ₹10 through Unified Payments Interface (UPI). But minutes after that transaction, Shukla started losing money from his bank account. “My mind stopped working. I could not understand what was happening,” he said. Money drained out of his account as the caller kept him engaged on the phone. By 10.16am, in four different transactions— ₹19,990, ₹2,000, ₹9,999, ₹7,000—Shukla lost ₹38,989 from his account.
Here is what happened: With remote access to the device through the screen-sharing app, the fraudster could see every activity on Shukla’s phone. The seemingly harmless ₹10 transaction revealed Shukla’s UPI PIN (through the on-screen keypad) and the OTP messages he received for approving transactions. The scammer immediately used the credentials to transfer money.
Shukla got scammed. He went through what thousands of Indians experience every day: digital payment frauds, with sums ranging from a few thousand rupees to several lakhs.
Wallets and UPI have taken over the Indian digital payment ecosystem. Since its introduction in 2016 by the National Payments Corporation of India (NPCI), UPI has changed the payments paradigm. But even as the reduction of friction in payments is driving the growth of new businesses, it is also orchestrating fraud. And with a likely influx into new-age payments platforms in the aftermath of the coronavirus outbreak (with early studies indicating virus droplets can remain on currency notes for days), things may only get worse.
In Noida, the number of reported cybercrime cases jumped 400%: from 353 in 2018 to 1,697 in 2019, and a third of all the cases were KYC-update scams. In Bengaluru, 38% of the 12,754 cybercrime cases reported between January 2018 and August 2019 were UPI-related. Paytm gets around 1,300 complaints every day, said Vikendra Singh, a team leader in the risk and fraud management division of the company’s Noida office. Extrapolate that to the entire year, and we are talking about close to half a million annual complaints—on Paytm alone, excluding other UPI apps like PhonePe and Google Pay.
In the UPI world, there are two types of transactions: “pay” (send money to another account) and “collect” (send requests to receive a fixed amount from another person). The latter is what fraudsters are exploiting now. Vikas Singh, a data scientist at NPCI’s fraud detection team, said that roughly 1 million of the 40 million daily UPI transactions—around 2.5%—fall under “collect”, and that’s where they see most frauds being reported.
Nowhere is it more prevalent than the infamous—and wildly common—frauds on India’s largest classified portal: OLX.
Himanshu Kumbhare, a 30-year old Bengaluru-based IT professional, posted an OLX ad to sell an old sofa for ₹5,500. One Bhaskar Reddy desperately wanted to buy it. He was eager to pay an advance to freeze the deal. Kumbhare did not want the advance, but on Reddy’s insistence, he agreed. Reddy sent him a QR code—a machine-readable image with black squares and dots which UPI apps have adopted to ease the process of carrying out financial transactions.
When Kumbhare scanned the QR code worth ₹3,500, he landed on a screen where he would send money to Reddy—not receive it. Confused, he asked Reddy, who explained it is part of the process: “the money first gets debited and then it is credited”.
Reddy convinced him by sending a QR code worth ₹5. Kumbhare scanned it, entered his identification number (PIN) and paid the money, and received ₹5 within seconds. So, he went ahead with the ₹3,500 QR code transaction, but he did not receive any money. He only lost it. He tried again. And lost it again. Kumbhare was getting anxious. Try once more, Reddy said: “it must be a technical glitch”. He did. Only to lose more money.
“I had realized by then my money was stuck. But I don’t know why I kept going with it,” Kumbhare recalled. “I wanted my money back.” The call went on for a couple of hours, and by the end of it, he lost ₹58,000 in total. “I made a mistake. I don’t know how I fell for their trap,” Kumbhare said. “I know frauds happen on cards. I know we don’t have to share OTPs or any banking details. But I never imagined that I would be defrauded on OLX.”
Reddy had tricked Kumbhare in the first ₹5-transaction by manually sending ₹10 to mislead Kumbhare on the functioning of QR code.
In many cases of OLX collect fraud, scamsters misrepresent themselves as Indian Army officials to build trust—they send stolen ID cards as proofs—and exploit the goodwill associated with the armed forces. Ahmedabad’s cybercrime division receives 25 complaints every month of “OLX army fraud”.
This is crucial. Many people fall for the scam because scammers are good at making stories to fool innocent people. But it’s not just that: identity theft perpetuates these scams. Companies acknowledge this. “The more information a fraudster has about your identity, such as your address, age or date of birth, the easier it is for them to convince you that their scam is legitimate,” Paytm wrote in a blog post.
Fact is, the policy conversation around data protection and individual privacy—centred around concerns of government surveillance and the economic interests of companies—shows up in the everyday life of users too, in the form of cyber frauds.
Shukla has done everything a victim is supposed to do. He filed a police complaint at the local cyber cell, sent a written complaint to the bank and the Reserve Bank of India (RBI), and he came from Kanpur to Noida to meet Paytm’s customer care in person and recover his money. But every stakeholder is saying there is little they can do.
Paytm said they can’t refund: The amount of “INR 19,990 and INR 2,000 has been used by the user, so it can’t be refunded. Other transactions do not belong to Paytm,” the company wrote in an email to Shukla.
When the company receives a complaint like Shukla’s, they immediately blacklist the reported phone number and deactivate the linked Paytm wallet, Singh explained. If the money is not withdrawn from the Paytm ecosystem, they can reverse the transaction. But the money doesn’t stay there for long, he added, as scammers take the cash out from ATMs within 20-30 minutes.
The police are not helping Shukla either. “I have all the details,” he said. “The name of the account holder, his bank account number, the address of the bank ATM from where money was withdrawn, details and timing of each transaction—everything. What more does the police need to catch the scammer?”
To be sure, the details do not always guarantee traceability. It is not too difficult to build fake identities for every tool in the scam chain which begins with fabricated SIM cards and extends to bank accounts.
But even when the scam is not so sophisticated, and the details are not deceptive, the police don’t always act or are incapable of catching the criminals. For instance, many cyber frauds, including Shukla’s, trace back to Jamtara, a district in Jharkhand and a cybercrime hub. Another one is emerging in Bharatpur district of Rajasthan. Cases go unsolved even when the police have the evidence.
If an ordinary citizen goes to the police, Singh said, they say nothing can be done. “But if a VIP complains, the police work hard: they trace, they catch and even imprison the criminal,” he added.
A cyber cop, on condition of anonymity, explained why the police often fall short. “According to the IT Act, only an officer with the rank of inspector and above can arrest a cyber-fraud criminal,” the cop said. The geographical spread leads to abysmally low arrests. “There should be a national level task force. If I give details to the Jharkhand police, they should be able to arrest the person, instead of us going to the state,” he said.
In repeated interviews, Shukla mentioned a 2017 notification of RBI which says that the consumer has zero liability—meaning banks will have to pay the money—if an unauthorized transaction is reported within 72 hours to the bank and law enforcement agencies.
But there is a catch. “If you unintentionally contributed to the transaction, say, by accidentally disclosing your PIN, then you are not entitled to the benefit,” Pawan Duggal, a cybersecurity lawyer, said, which means that most petty cyber frauds fall out of the purview of this notification.
To reduce UPI frauds, banks have set a cap on the transaction amount. In February, Paytm wrote to telecom companies asking them to “act fast to counter the menace of online frauds” along with a list of requests: prohibit selling shortcodes similar to “Paytm”— “PYTM”, for example—that mislead users into believing that a text message is coming from the company and allow traceability of fraudulent bulk messages.
The accelerated growth of the digital economy in India will find it difficult to sustain if users lose trust in the payment systems owing to these frauds. Shukla, for instance, has removed all payment apps from his phone, including PhonePe and Google Pay.
“I am a professional anchor. All my work is online. But now, I can’t trust it anymore,” he said. “I will prefer to physically go to the bank and take out my money.”
(With inputs from livemint)