It is the era of Digital Transactions, and we are thriving in this revolution, the cashless economy.

As our daily lives increasingly revolve around digital transactions, the Unified Payments Interface [UPI] has recently become the crowd favourite for the most preferred payment methods.

And why wouldn’t it be?

You only need a 4-digit PIN to authorise your transaction, and the deal is done in seconds. 

With UPI transactions hitting an all-time high in 2023, the NPCI’s monthly reports of astronomical volumes are easy to understand. 

But these numbers have a caveat attached to them. A troubling trend can be seen in recent statistics, where, according to the finance ministry’s data, there were over 95,000 occurrences of UPI fraud detected in the 2022–2023 financial year alone.

As the saying goes, convenience is often shrouded by the potential risk of fraud; let’s break down the rising incidence of fraud and chart a way forward to safeguard the burgeoning digital economy.

What is a UPI Fraud?

UPI (Unified Payments Interface) fraud refers to any fraudulent activity or scheme that exploits vulnerabilities within the UPI system to obtain money or sensitive information from users illegally. Fraudsters may trick users into revealing their UPI PINs via UPI IDs, OTPs (One-Time Passwords), bank account details, or other sensitive information they use to carry out unauthorised transactions or access the victim’s funds.

To put things into perspective, there were 84,000 cases of UPI fraud in 2021–22, and in 2020-21, 77,000 such cases were recorded. Our current number could be as high as 95,000, sparking some primary concern. 

What is the actual scale of these frauds? 

Let’s talk numbers. 

The sheer volume of scams affecting UPI users across India is based on the stunning volume and value of UPI transactions in India. Official data from NPCI, as of 31 December 2023, shows that the total volume of UPI transactions has crossed 12 billion per month. The value of these transactions was a whopping Rs 18.2 lakh crore, or nearly USD 220 billion, for December 2023. 

This figure has also seen staggering year-on-year (YoY) growth. The volume of transactions rose by 53.5% over December 2022’s 7.83 billion monthly transactions on UPI. The value of UPI transactions also grew by 42.2% since December 2022, when it was Rs 12.8 lakh crore or USD 154.5 billion for that month.

This is the pool that fraudsters operate within. It is believed that if the fraudsters can capture 1% of the overall UPI transaction value annually, the total value of cybercrimes through UPI will be at least USD 1.8 billion, or at least Rs 15,000 crore. Mind you, this is a conservative estimate. The actual value of money Indians lose to UPI scams is far higher.

An IIT Kanpur’s Future Crime Research Foundation report in September last year said that between January 2020 and March 2023, there were approximately 23,000 cybercrimes daily. Of this, nearly 77% were financial scams and crimes, and 47% involved UPI scams.

How does a UPI scam happen?

Believe it or not. Most of these scams on the consumer side of things follow a template of taking advantage of a user’s emotional vulnerability and technological awareness. Either there is a promise of a lottery win or a threat of an account suspension. 

In most cases, users are often asked to make small-ticket payments under the pretence of ‘verification’. In most cases, scammers promptly refund such small amounts to gain trust. Once they have gained a user’s trust, they subsequently send requests for bulk UPI payments from users. 

In other cases, they also show QR codes to users, urging them to enter their security PINs when prompted to verify their identities. These QRs are prepared with bulk money requests—thereby duping users of their hard-earned money.

Types of UPI scams

While the broad template of the UPI scams remains as is, there are categorisations of the types of UPI scams that are common in the ecosystem today. 

Phishing: Fraudsters send fake messages or emails pretending to be from banks or UPI apps, asking users to share their confidential information, such as OTPs, UPI PINs, or login credentials. They then use this information to carry out unauthorised transactions. Most of the time, these messages come from unknown numbers rather than bank Bulk push notifications. 

QR Code Tampering: Fraudsters tamper with legitimate QR codes at merchant outlets or create fake QR codes that redirect payments to their accounts instead of the merchant’s. Unsuspecting users scanning these QR codes transfer money to the fraudster’s account.

Fraud Sellers: Fraudulent sellers thrive in online marketplaces, deceiving unsuspecting buyers by selling counterfeit products or processing orders without delivering the purchased items. The Consumer Affairs Ministry has been working on tightening e-commerce rules to make online retail platforms liable for fraud committed by sellers to protect consumer interests in this emerging digital economy. 

SIM Cloning Fraud: A recent addition to UPI fraud tactics, SIM cloning has surged after banks implemented OTP-mandatory rules. If a fraudster clones your SIM, they can get the OTP on their device and even change your UPI PIN. Once they control the victim’s phone number, they can access the UPI ID and intercept OTPs and other authentication messages, enabling them to carry out fraudulent transactions.

Vishing (Voice Phishing): Fraudsters call users posing as bank representatives or UPI service providers and deceive them into revealing their sensitive information, such as OTPs, UPI PINs, or bank account details, over the phone.

App Cloning: Fraudsters create fake UPI apps that closely resemble legitimate ones and trick users into downloading and using them. These counterfeit apps capture users’ sensitive information, allowing fraudsters to conduct unauthorised transactions.

Deceiving UPI IDs: Fraudsters create deceptive UPI IDs to trick unsuspecting users, often using enticing offers or urgent payment requests. These scams occur across various platforms, including social media and online marketplaces, enticing users to transact with fraudulent UPI handles.

Unauthorised Transactions: Fraudsters access a user’s UPI IDs and PINs through various means, such as AnyDesk or screen monitoring apps and carry out unauthorised transactions from the victim’s account without their knowledge or consent.

Social Engineering: Fraudsters use social engineering tactics to manipulate users into disclosing their UPI IDs or performing transactions under false pretences, such as promising rewards or claiming to offer technical assistance.

How can users safeguard themselves from UPI fraud?

Scams aren’t inevitable; they can be avoided by taking essential precautions. Remember the following fundamental things before indulging in any monetary transaction in this digital era. 

Stay Informed: Be aware of the different types of UPI scams and stay updated on the latest fraud tactics and trends. Knowledge is your first line of defence against scams.

Verify Sources: Always verify the authenticity of messages, emails, or calls claiming to be from banks or UPI service providers. Avoid clicking on suspicious links or providing sensitive information without confirming the source’s legitimacy.

Use Official Apps: Download UPI apps from official app stores like Google Play Store or Apple App Store. Avoid downloading apps from third-party sources or clicking on links provided in unsolicited messages or emails.

Enable Two-Factor Authentication: Enable two-factor authentication (2FA) for your UPI transactions whenever possible. This adds an extra layer of security by requiring both a password and a one-time password (OTP) or biometric verification for transactions.

Set Transaction Limits: Set transaction limits for your UPI transactions to minimise potential losses in case of unauthorised transactions. Review and adjust these limits based on your usage patterns and security preferences.

Secure Your Device: Keep your mobile device and UPI apps updated with the latest security patches and antivirus software. Use strong passwords or biometric authentication to unlock your device and UPI apps.

Protect Personal Information: Avoid sharing sensitive information such as OTPs, UPI PINs or even UPI IDs, or bank account details with anyone, including friends, family members, or strangers claiming to be bank representatives.

Verify QR Codes: Before scanning QR codes for payments, ensure they belong to legitimate merchants and have not been tampered with. Check for any signs of tampering or alterations in the QR code.

Monitor Transactions: Regularly monitor your bank statements and transaction history for any unauthorised or suspicious activity. Report any discrepancies or unauthorised transactions to your bank immediately.

Report Suspicious Activity: If you suspect that you have been a victim of UPI fraud or have encountered suspicious activity, report it to your bank or the relevant authorities immediately. Prompt reporting can help prevent further fraud and protect other users.

Step-by-Step guide on reporting UPI Frauds in India

In case of fraudulent activity, you, as a user, can follow the following steps. 

Inform Your Bank and Payment Company: Report the UPI fraud incident to your bank and the relevant payment company.

File an FIR with Local Police: Lodge a First Information Report (FIR) with the local police outlining the details of the fraud.

Complaint to NPCI: Raise a formal complaint with the National Payments Corporation of India (NPCI), providing a comprehensive account of the whole sequence of events.

Contact Digital Payments Ombudsman: Write to the Digital Payments Ombudsman, furnishing the complete history of the fraud.

Utilise RBI’s Redressal Scheme: Take advantage of the scheme launched by the Reserve Bank of India (RBI), where the Ombudsman can address digital transaction issues for resolution.

Leveraging tech to fight UPI fraud

In the face of the increasing pace and volume of fraud threats, businesses can leverage technological tools like machine learning and data analytics to help detect, mitigate, and customise fraud solutions based on their needs. Here’s how some of them are implementing fraud mitigation plans: 

Fraud Analytics 

Detection and prevention of fraud need work. The only way to minimise the risk of fraud is by detecting irregularities at all transaction stages. New technologies and tools must be leveraged to support constant monitoring and surveillance by companies, banks and fintechs. As per a report by the Association of Certified Fraud Examiners (ACFE), a typical fraud can cause a median loss of $117,000 per case and lasts about 12 months before detection. However, the proliferation of data-science-backed technology and fraud analytics tools can drastically reduce detection time, mitigate risks and minimise losses.

Fraud analytics combines various quantitative sciences, such as Business Intelligence (BI), data mining, Machine Learning (ML), and Artificial Intelligence (AI), to deliver solutions that help detect, understand, predict, and prevent fraud.  

Fraud analytics tools can also analyse large volumes of Know Your Customer (KYC) and payment transaction data to trace fraudulent activities and spot anomalies or behaviours that do not align with regular transaction patterns. These intelligent tools are essential for the payments industry, helping banks, NBFCs, fintech, and insurance companies identify and prevent fraud and manage anti-money laundering activities. 

Machine learning

Today’s machine learning-based fraud systems can point to emerging vulnerabilities and adapt to changing behaviours using automated model building. Machine learning evaluates how many customers use a particular IP address, their countries of origin, and those known for fraud incidents, as well as device fingerprints. Applying machine learning can detect fraud in scenarios like document forgery, duplicate IDs, fake applications, payment frauds and mimicking buyer behaviour.

The Decentro Connect

From a business perspective, when choosing a technology partner that can assist you with instant background verifications, there are several factors to consider, from the accuracy of the technology at hand to the customisation of the journey to best suit your needs. 

This is where Decentro’s UPI ID verification API comes into play. With these APIs, establish the following. 

Verification of Ownership

The background verification at the time of onboarding a new vendor/merchant/customer/user.

Validation of Existence

The need to validate the transactions before:

• Accepting funds from the users. This strengths risk monitoring and ensures funds are flowing from the user’s registered bank account only
• Withdrawal/payout is made to the UPI ID of the user

Apart from this liveness engine, we also have a cluster of other products in the form of APIs, SDKs, and Hyperstreams that come under Decentro Farsight, built to enable your verification and validation journey. With advanced image recognition and machine learning capabilities, this Farsight offering enables precise document forensics, classification, extraction, masking, and fuzzy matching. 

• Liveness Engine: This API allows businesses to check the liveness of their customers by capturing a short video or a photograph of the customer. Our product suite covers whether you have a use case catering to active liveness or require passive liveness for your onboarding journey. Read more about this capability here.
• Image Recognition: This API allows businesses to scan, classify, and extract information from a standard government-issued ID number and verify it from its source repository (optional). This also includes additional capabilities such as image transformation and masking. Read more about this capability here.
• Face Match: This API allows businesses to match two faces passed by the customer by giving a match percentage and failure or success based on a threshold. Read more about this capability here.

Maximum scrutiny, with minimum hassle.

Do you wish to integrate this into your product flow?

Let’s Connect