Uncovering a complex UPI fraud that is using social media to target victims
If you have ever come across a person seeking resolution on social media for a faulty purchase they recently made, chances are you’ve witnessed a fraud in the making.
This is not to say that social media is unsafe to seek redressal for your grievances. It is fast becoming one of the quickest and most reliable ways to resolve issues, if done right. All it takes is one tiny crack for the fraudsters to enter and trick you into falling prey.
One such crack that is being exploited en masse is providing your phone number publicly as a part of your grievance.
Many banks in the industry receive thousands of complaints every month about this UPI fraud, which involves layering and multi-level laundering.
Our findings show that the fraud is carried out in multiple stages. Viewed in isolation, these stages don’t tell a story. It is only when we connect the dots that we understand the true breadth of the elaborate scheme at play here.
As it involves multiple victims across the stages, let us try to look at it from the perspective of how victims are targeted at each stage.
Stage 1:
- Victim 1 posts their grievance on social media. They tag the service provider (Amazon, Flipkart, Swiggy etc.) and provide their phone number hoping for a speedy resolution.
- Victim 1 then gets a phone call from the fraudster gang, who tell them that they are sending a confirmatory link on the provided phone number.
- Clicking on the link installs some sort of spyware on victim 1’s phone. Now the fraudsters download a Payment Service Provider (PSP) app such as Google Pay (on the victim’s phone). They have access to the OTP that comes on the victim’s phone.
- This way, the fraudsters don’t need to access victim 1’s bank account (which saves them time as they don’t have to reset the password). Neither does a beneficiary need to be registered (which takes a bit of time).
- The fraudsters link all the bank accounts which are linked to victim 1’s mobile number. The victim now has a PSP account in their name for which they don’t have login credentials or the UPI PIN.
Stage 2:
- Once the fraudsters have access to victim 1’s funds, they move on to targeting their next victim for opening a fresh account at a bank.
- Such an account is also called a mule account, since it is essentially used to bounce money off from one account to another such account.
- To begin with, they first need to furnish Aadhaar and PAN details of, let’s call it, victim 2. In more than 80% of the cases, victims willingly give up these details in the interest of receiving a small bribe from the fraudsters.
- In case you’re feeling perplexed, these are mostly rural people who have little to no knowledge about why they are being asked to reveal their personal data other than receiving a handful of cash.
- Even if they did know, it wouldn’t be surprising to learn that they are happily complicit in these frauds to make some quick money.
- For those 20% of people who get genuinely defrauded, the saga continues to unfold.
- Fraudsters then use a SIM card procured for these frauds and provide it as part of the application for opening a limited KYC account at any of the banks (there’s a gestation period of 11 months to furnish full KYC documents at a branch or to regularise the account via video KYC).
- Victim 2 then receives a call from the fraudsters. They are told that their existing bank account might get blocked as their Aadhaar is not linked to their number and are coaxed into sharing the OTP.
- Although customers are slightly more aware of these OTP frauds today, a hit rate of even 2 out of 10 such calls made serves their purpose.
- There is no In-Person Verification (IPV) at the branch or video KYC leg involved in opening such limited KYC accounts. Hence there is no extra verification.
- A limited KYC savings account is opened in victim 2’s name without their knowledge. All details related to the account opening (account no., customer ID/ CIF no., etc.) are sent to the number which the fraudsters are using.
- Banks take around 7 days to dispatch the welcome kit (debit card, cheque book, etc.) to victim 2’s communication address as maintained in their Aadhaar. This gives the fraudster ample time to create net banking login credentials and carry out the fraud.
Stage 3:
- Money is transferred from victim 1’s PSP account to victim 2’s limited savings account, from where it is transferred to another such account created by the fraudsters’ network. The longer the chain, the more difficult it becomes for the police, banks and law enforcement agencies to track.
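To make the layering in Stage 3 concrete from the monitoring side, here is an added example (not part of the original findings and not IDfy's code) of how a bank's fraud team could trace a chain of hops through recently opened limited KYC accounts. The account names, transfers, field names and thresholds are all constructed assumptions; the 7-day window only borrows the welcome-kit dispatch time mentioned above.

```python
from datetime import datetime, timedelta

# Constructed sample data: account profiles as a bank might hold them.
ACCOUNTS = {
    "V1-SAV": {"kyc": "full",    "opened": datetime(2019, 4, 2)},
    "MULE-A": {"kyc": "limited", "opened": datetime(2023, 3, 1)},
    "MULE-B": {"kyc": "limited", "opened": datetime(2023, 3, 3)},
    "SHOP-1": {"kyc": "full",    "opened": datetime(2017, 8, 9)},
    "EXIT-1": {"kyc": "limited", "opened": datetime(2023, 3, 4)},
}
# Constructed sample transfers: (time, from, to, amount in INR).
TRANSFERS = [
    (datetime(2023, 3, 6, 10, 0),  "V1-SAV", "MULE-A", 50000),
    (datetime(2023, 3, 6, 10, 7),  "MULE-A", "MULE-B", 49500),
    (datetime(2023, 3, 6, 10, 15), "MULE-B", "EXIT-1", 49000),
    (datetime(2023, 3, 6, 11, 0),  "V1-SAV", "SHOP-1", 1200),
    (datetime(2023, 3, 8, 9, 0),   "SHOP-1", "MULE-B", 300),
]
# Assumed thresholds, to be tuned on real data.
NEW_ACCOUNT_DAYS = 7                    # account opened within the last week
FORWARD_WINDOW = timedelta(minutes=30)  # funds leave soon after arriving
FORWARD_RATIO = 0.9                     # most of the incoming amount is passed on

def is_mule_like(acct, when):
    """Limited KYC account that was opened only days before the transfer."""
    p = ACCOUNTS[acct]
    return p["kyc"] == "limited" and (when - p["opened"]).days <= NEW_ACCOUNT_DAYS

def trace_chains(source):
    """Return every chain of two or more hops that starts at `source` and keeps
    moving through new limited KYC accounts that quickly forward the funds."""
    chains = []
    def walk(path, arrived, amount):
        extended = False
        for t, src, dst, amt in TRANSFERS:
            first_hop = arrived is None
            if (src == path[-1] and dst not in path and is_mule_like(dst, t)
                    and (first_hop or
                         (timedelta(0) <= t - arrived <= FORWARD_WINDOW
                          and amt >= FORWARD_RATIO * amount))):
                extended = True
                walk(path + [dst], t, amt)
        if not extended and len(path) > 2:  # a single hop is not layering
            chains.append(path)
    walk([source], None, None)
    return chains
```

Calling `trace_chains("V1-SAV")` on the sample data returns the full three-hop chain, while the ordinary purchase to `SHOP-1` is ignored because the receiving account is an old, full KYC account.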
While banks and cyber security agencies are doing their part to clamp down on these fraudsters and further tighten their security, we can do our bit by being informed and raising awareness about the different ways of getting defrauded.
Share this with your peers and circles and let them know about the potential implications of being careless with their personal information. Don’t give in to rogue calls manipulating you into sharing OTP and other credentials. Be vigilant and educate people when you come across instances of them sharing more details than are needed on social media.
Are you a financial institution looking to protect your customers from this fraud? Come talk to us at IDfy or write to us at shivani@idfy.com