Sharing of OTP is where frauds end. But where do they begin?

IDfy Editorial
Dec 16, 2020

Kaspersky has predicted that cyber fraud in India will increase going into 2021 owing to more users connecting to the internet and adopting digital payment modes.

This hardly comes as a surprise after seeing the sheer number of UPI and other consumer frauds we saw in the last year.

It has almost come to the point where every step we take towards growing our digital economy and increasing financial inclusion also presents an opportunity for fraudsters to con their way into the lives of the common man.

For instance, consider the PM CARES fund. As soon as the government took the initiative to pool donations and create a UPI ID (pmcares@sbi), fraudsters instantly came up with several fake UPI IDs (pmcare@sbi, pncares@sbi) to cheat gullible citizens.

We have been gathering insights based on our research on instances of fraud in the recent past. And the more stories we hear, the more we realise how many different ways there are of getting defrauded.

However, there is one thread that connects most of the stories that we came across.

Let me paraphrase some of the stories for you, and see if you too can spot the link.

An elderly man loses money to online fraud

An elderly person from Pune wanted to transfer money. He was not able to do it and the UPI application he was using showed a ‘server down’ message (we’ve all been here at some point).

As he was not able to transfer the money, he thought of calling a helpline number for the UPI app that he found on Google.

The person who picked up the call sent him an SMS and asked him to click on the link to download an app. After downloading it, the victim was asked to share a code which was generated on the app. As soon as he shared the code, a hefty sum was deducted from his account in 15 transactions. All in a matter of minutes.

The victim was made to download a remote screen sharing app called ‘AnyDesk’.

Here’s another similar story we stumbled across

A man in Uri wanted a refund for the cancellation of his air ticket and contacted a customer care number for his airline service provider that he found online. He immediately received a call back and was told that the refund amount could be transferred immediately via Google Pay.

All he had to do was download a mobile application called ‘AnyDesk’ on his cell phone.

On following the directions given over the phone, all the money in his bank account was debited in a few transactions. This too, in a matter of minutes.

The common link in the two stories above seems fairly clear.

And if you’re thinking ‘AnyDesk’ was the culprit here, you’re not seeing the entire picture.

Yes, one might say that clicking on a link and downloading a third-party app is never advisable, but that is something that just enabled the fraudsters to carry the fraud out. The real damage was done when victims called the customer service numbers they found online.

That is the incidence point of most frauds we come across today and that is where the real game is being played. The first point of contact — where there is no certain way of telling the fake apart from the genuine.

Many unsuspecting customers end up looking for customer care numbers on Google rather than opening a service provider’s website or app and calling from there.

Or for that matter, many of the UPI- and KYC-related frauds that we encounter these days are similar in nature. They all begin with a call from an unknown number, with the caller impersonating a person of authority and asking for confidential information to take matters ahead.

Perhaps, one way to tighten the screws around the security of our digital payments infrastructure could be to stop calls from such fake numbers coming through altogether.

Are you a financial institution looking to protect your customers from such frauds? Come talk to us at IDfy…
