UPI FRAUDS AND RBI GUIDELINES ON

UPI FRAUDS

An Indian Perspective

Report by – ABHINAV AGARWAL

M.No. – 445335

FAFD BATCH NO. - 52

Unauthorized Disclosure Prohibited

Note:
This Report is Strictly Private & Confidential; and the research in this report is solely conducted for
educational purposes. The relevant data has been gathered from various verified sources stated under the
“references” head of the report.

CONTENTS
1.WHAT IS FRAUD?
2. WHY DO PEOPLE COMMIT FRAUD ?
3. CATEGORIES OF FRAUD
4. WHAT IS UPI?
5. CON JOB
6. UPI FRAUDS 101
7. EVOLVING FRAUD
8. HOW TO SMELL A FRAUD?
9. FALLING THROUGH CRACKS
10. HOW DO UPI SCAMS TAKE PLACE?
11. HOW TO AVERT UPI SCAMS?
12. RBI GUIDELINES FOR UPI FRAUDS IN BANKS
13. SAFE DIGITAL BANKING PRACTICES
14. REFERENCES
What is Fraud?
“Fraud” is any activity that relies on deception in order to achieve a gain. Fraud becomes a crime when it
is a “knowing misrepresentation of the truth or concealment of a material fact to induce another to act
to his or her detriment” (Black’s Law Dictionary). In other words, if you lie in order to deprive a person
or organization of their money or property, you’re committing fraud. 

Why Do People Commit Fraud?

The most widely accepted explanation for why some people commit fraud is known as the Fraud
Triangle. The Fraud Triangle was developed by Dr. Donald Cressey, a criminologist whose
research on embezzlers produced the term “trust violators.” 

The Fraud Triangle hypothesizes that if all three components are present —
unshareable financial need, perceived opportunity and rationalization — a
person is highly likely to pursue fraudulent activities. As Dr. Cressey explains
in the the Fraud Examiners Manual:

When the trust violators were asked to explain why they refrained from violation
of other positions of trust they might have held at previous times, or why they had
not violated the subject position at an earlier time, those who had an opinion
expressed the equivalent of one or more of the following quotations: (a) ‘There
was no need for it like there was this time.’ (b) ‘The idea never entered my head.’
(c) ‘I thought it was dishonest then, but this time it did not seem dishonest at first.’
 

Helpful ResourcesCategories of Fraud

Unfortunately, fraud is so common that it can be categorized in countless
ways. But fundamentally, every type of fraud is either organizational or
individual. Let’s look at some key characteristics of each. 

Against individuals 

This is when a single person is targeted by a fraudster — including identity

theft, phishing scams and “advance-fee” schemes. Perhaps one of the most
noteworthy and devastating individual frauds is the Ponzi scheme. 

Internal organizational fraud

Sometimes called “occupational fraud,” this is when an employee, manager or

executive of an organization deceives the organization itself. Think
embezzlement, cheating on taxes, and lying to investors and shareholders. 

External organizational fraud

This includes fraud committed against an organization from the outside, such
as vendors who lie about the work they did, demand bribes from employees
and rig costs. But customers sometimes defraud organizations, such as when
they submit bad checks or try to return knock-off or stolen products. And
increasingly, technology threatens organizations with theft of intellectual
property or customer information. 
WHAT IS UPI ?
The Unified Payments Interface (UPI), India’s real-time payments ecosystem, has
become an unstoppable force. In December 2021 alone, it saw 4.5 billion
transactions worth Rs 8,26,848 crore ($111 billion). But what happens when an
unstoppable force meets an immovable object?

UPI’s popularity lies in the multiple payment flows it offers to its users. Users can
scan a QR code to make a payment, send money to an UPI ID or a phone number,
or send a ‘collect money’ request. But scamsters have weaponised the very things
that make UPI so appealing, selling false stories to lure users into inadvertently
sending money. Playbooks range from ‘ click to win cashback’ and ‘scan QR code
to receive payments’ to ‘call customer care executive from a number listed on the
internet to report a problem’.

Payments app PhonePe, for instance, sees 90% of the frauds on its platform
orchestrated via UPI, according to Anuj Bhansali, head of Trust and Safety at
PhonePe. Only 7% is on cards, says Bhansali. Since PhonePe has the largest
market share of UPI transactions, seeing nearly two billion transactions in
November 2021, most of the frauds on its platform stem from UPI. The company
did not reveal the proportion of fraud transactions on its platform.

Those in the payments industry estimate that each month, victims lose at least Rs
200 crore ($26.8 million). This is a drop in the ocean compared to the amount of
money that courses through the system. But the racket is big enough to pose a
headache for those whose job it is to tackle frauds—law enforcement agencies
(LEAs), the Ministry of Home Affairs (MHA), banks, payments apps, and of course,
National Payments Corporation of India ( NPCI), the retail payments body that
runs UPI.

According to KVM Prasad, Hyderabad’s assistant commissioner of police for

cybercrime, 80% of the complaints his cybercrime police station receives are UPI-
related. “We are observing that over 50% of all financial frauds are done via UPI,
as large numbers of people are using UPI,” adds a senior government executive.
This executive and others quoted in the story requested anonymity as they aren’t
authorised to speak to the media.

It’s a headache because for one, banks don’t recognise these scams as frauds.
Users, though duped and gullible, are complicit. And two, the payments apps
aren’t required to mandatorily report these scams to the NPCI. So, these scams
and cheating cases aren’t captured in their entirety.

The senior government official quoted above says that about 80,000 frauds are
reported each month. A senior risk executive from one of India’s leading payment
apps believes the actual number—including unreported cases—is 5X that. “I
honestly believe that we have never taken a true picture of what fraud looks like
in the Indian ecosystem,” says PhonePe’s Bhansali.
Con job

According to Google, a jobs scam—where users have to pay anywhere between

Rs 100 to Rs 10,000 to subscribe to get simple jobs such as ‘liking’ and ‘sharing’
online—has been the most popular scam of 2021. However, once users pay, the
fraudsters just vanish, leaving users in the dust.
As a result, there’s no official record of scamsters or their phone numbers.
CloudSEK, a cybersecurity company that helps banks and payments apps identify
frauds, tells The Ken that its tools found at least 12,000 scam phone numbers
associated with UPI, with each of these potentially involved in hundreds of scams.
“Just in December, we found 600 such phone numbers,” says Bofin Babu,
CloudSEK’s vice president for artificial intelligence.

Payments companies, then, just end up playing catch up, trying to retrofit
solutions after people have already been defrauded. And even with hundreds of
employees manning their risk departments, companies do not share data with
each other, meaning there’s no way to know if it’s the same person committing
crimes across apps.

The Indian government, however, has made it easier for victims to report cyber
frauds, including UPI-related ones. In January 2020, the MHA’s Indian Cyber Crime
Coordination Centre (I4C) improved the National Cybercrime Reporting Portal
(NCRP). Complaints are captured centrally here and the system alerts the
respective law enforcement agencies under whose jurisdiction the complaints fall
—currently, agencies from 32 states are integrated with the I4C. Since then,
about Rs 32 crore ($4.2 million) has been recovered, says the senior government
official.
UPI frauds 101
“The biggest issue is not the scam itself but how they are able to tap into trust,”
says a former Paytm* risk executive. Scamsters do this by tapping into behaviours
that internet companies have spent millions of dollars nurturing—like the love for
cashbacks or free deliveries.

For instance, links for cashbacks take users to their payment apps, where
scamsters posing as the app’s customer care executives convince users to enter
their UPI pin. Some even edit the text on the collect requests and QR codes to
support their narrative that the user is about to receive money. In reality, users
have to enter their UPI pin only to pay, never to receive money.

Scamsters have also evolved their strategies to counter users’ scepticism. They
offer trial transactions involving low sums of money as a show of faith to convince
their targets. For example, when a user enters the UPI pin to ‘receive’ Rs 1, the
amount is debited from the user’s account, but the scamsters also credit the user
account with Rs 2 at the same time, duping the user into thinking that they’ve
received money.
Evolving fraud

Anuj Bhansali, head of Trust and Safety at PhonePe, says that 60-65% of the
frauds were peer-to-peer transactions (P2P) earlier, but now PhonePe sees nearly
as many fraudulent peer-to-merchant transactions as P2P.
Luring customers in with free deliveries requires a more complex set up.
Scamsters create fake websites for popular brands or services such as liquor
delivery, which is uncommon in India. Users pay via UPI but the scamsters just
disappear with the money. “They’re exploiting the trust that e-commerce
companies have created,” says KVM Prasad.

As the nets get more elaborate, scamsters’ requirements also shoot up—access to
databases to send bulk messages and targeted ads, fake websites hosted in
HongKong or China, SIM cards, a current account with KYC documents, and more.

Ashish Reddy, a cybercrime inspector in Cyberabad, says one can buy such a
current account for about Rs 80,000-1 lakh. “We’ve seen bank accounts that can
even be rented from those opened during the Jan Dhan Yojana drive,” the risk
executive from the leading payments company quoted earlier. Jan Dhan Yojana is
the Indian government’s financial inclusion drive to open bank accounts for
India’s unbanked multitudes.

The extent of planning in some cases is so advanced, says Reddy, that some of the
cases in October 2021 used bank accounts registered in 2020. “Once they shut
down one operation, the fraudster is ready with the next bank account. This way,
the scamster doesn’t lose business, and can move on to newer victims,” says
Reddy.
How to smell a fraud
To combat frauds, some payment apps are assembling an army. Google Pay, for
instance, has a 300-strong risk team. Of this, 200 are reviewers, manually
scrutinising accounts flagged as problematic. Usually, this job is outsourced to IT
companies or cybersecurity companies. Payment apps use both the services of
third parties and its own algorithms to scour the internet for red flags such as fake
customer care numbers. Google said it cannot comment on the size of its risk
team.

A team of analysts and engineers then look at case patterns and come up with
ways to negate them. Every time a new modus operandi comes to light,
companies update their fraud rule engine, which watches for signals of what
could possibly be a fraud, such as the cashback scam we mentioned earlier.

“If we see this pattern of Rs X and 2X between two people who have never
interacted, and it is a brand-new account, we develop a model around it,” says
the risk executive. If the app is confident that the transaction is fraudulent, it
denies the transaction. If there are doubts, on the other hand, it sends a warning
pop-up to the user.

The other signals that the companies watch out for is a high volume of money
coming in. But the chances that it’s either a scammer or a merchant are equal, in
which case the payments companies look at the transactions’ success rate. “If we
see a lot of transaction initiations and the success rate is poor, we will deny that
transaction as it is most likely a scammer,” says Bhansali.

To proactively watch out for scams, PhonePe has also developed a way to score
its merchants and customers, and assign a risk score to them based on their
transaction history, adds Bhansali.

If the payments companies are moving fast, scammers are moving faster. When
they see that transactions from a newly created UPI are blocked, they use an
older, dormant account, says the risk executive with the leading payments app.
Companies are fully aware that it’s not possible to stop fraud. But they want to at
least make it unviable for scammers. “A scammer also has limitations. They need
to reach out to at least 20-30 victims so that at least two or three will fall for it,”
says the risk executive with a leading payments app.

Here, they say, adding unexpected friction by means of a pop-up message, for
instance, can help. “If the scammer guides them and the user comes across
unexpected friction, their script goes for a toss. That can prevent a transaction
going through,” they say.

Despite all this, the reality is that these payments companies are just patching up
the holes in the system. In order to come up with a model to combat fraud, the
fraud has to happen in the first place. Companies then review what went wrong
and try to close the loophole. But it’s not enough.

Falling through cracks

When it comes down to it, payments companies have no institutional mechanism
to help them go after fraudsters. Only banks are mandated to report frauds, not
payments apps. There’s no infrastructure through which they can share data on
phone numbers tied to scams either. Nor is there a central pool of information.
While companies inform NPCI about new scams, they don’t share data about
scamsters with each other, says the risk executive from a leading payments
company executive quoted earlier.

Meanwhile, it’s the banks that victims first approach after they’re defrauded. “But
banks are reluctant to pursue it further. They redirect them to approach the
police,” says assistant commissioner Prasad.

“That is the process,” confirms a senior tech executive working with a Mumbai-
based bank. “We need to ascertain that the fraud is real.”

As a result, UPI’s fraud dispute mechanism suffers because of who is incentivised

to solve it. Keeping UPI simple and easy is in the payment apps’ best interests.
“They get more users and higher valuations. So they are not incentivised to solve
for it,” says the senior tech executive. And since the entire transaction happens
on another application, the banks can’t control anything.

Tech solutions are one way to prevent fraud. Take Vouch, for instance. The
bootstrapped startup, founded in 2020, sets up escrow accounts between buyers
and sellers. The money is only transferred to the seller after the goods are
delivered. But this is also an anti-UPI solution.

“This is meant for transactions where you don’t need instant settlement, like
payments for freelancers,” says Krishna Jonnakadla, Vouch’s co-founder. So far, it
has processed two million transactions and has 2,000 users.

As for LEAs, the cyber crime department of police in cities such as Hyderabad
respond only in cases where the victim has lost more than a certain amount, like
Rs 1 lakh ($1,342), says Prasad. For cases with lower ticket sizes, victims are sent
to the local police stations.

“Direct bank transfers are easy to investigate. We are informed of the account
number, so we can send a direct notice to the bank to freeze the account,” says
Prasad. But that is not possible with UPI. “People don’t know the bank account
number of the person they’re sending money to. Banks can’t immediately tell
which account it is linked to, either, slowing the process,” says Prasad.

Many times, the UPI handles used by victims aren’t even their own. “People who
don’t know how to operate UPI go to a nearby shop and ask the owner to do the
transaction for them for Rs 5 to Rs 10 using their UPI,” says Cyberabad’s inspector
Reddy.

The [UPI transfer] system is very favourable to the criminals. And it is a headache
for investigators.
“UPI today needs some kind of support infrastructure to tackle frauds. But it can’t
have an overbearing mechanism. It needs a robust follow up mechanism in the
form of easy chargeback policies,” says Jonnakadla.

Chargebacks, where the money is transferred back to the originating account, is

one of the most widely used methods of dispute resolution. But it’s easier for
banks to respond this way to frauds that happen on their channels, such as with
immediate payment transactions (IMPS).
Currently, the MHA is working on building a response mechanism with the
National Informatics Centre (NIC), which manages the government’s IT
infrastructure and network. It would help LEAs, banks, and financial
intermediaries respond better to financial fraud complaints. “This way LEAs can
issue legal notice to the respective stakeholder so that the defrauded amount
could be prevented from exiting the banking system in real-time,” says the senior
government official quoted earlier.
The NPCI, on the other hand, is working with payments apps to implement a
chargeback system for UPI. “If the UPI payments app does not implement the
NPCI’s security measures, it will pick up the tab,” said the senior risk executive
quoted earlier. NPCI did not respond to questions sent over email.

This makes the potential to make payments even more unviable for payments
apps. UPI transactions have no fees, so apps already don’t get much in the way of
money from this. But as the UPI juggernaut rolls on, it’s a bullet that payment
companies may have no choice but to bite—for it to be a reliable real-time
payment system, it must build a reliable real-time dispute resolution system.

Amidst the pandemic, when the government is putting extreme

emphasis on introducing the concept of a cashless Economy in India, digital
transactions have become the need of the hour. Digital transactions, like any
other system, have both pros and cons. Therefore, it is necessary to stay
vigilant of all the loopholes of the system. One of the primary pillars of the
digital economy is UPI, which is the most preferred and used method of online
transactions as all you need is a 4-digit PIN to authorize a transaction.
However, UPI frauds like phishing, malware, money mule, SIM cloning and
vishing are taking place quite often these days.

With the growing popularity of convenient and fast UPI transactions,

numerous UPI fraud cases are occurring all over the country. Recently, UPI
scams make cover page stories of newspapers regularly. The stories mostly
revolve around fraudsters/hackers stealing money from users’ Bank accounts
via UPI. In cases like these, often the mobile phones of the users are remotely
accessed via device control apps like AnyDesk or any other.
How do the UPI Scams Take Place?

Hackers succeed in carrying out UPI scams when you are not aware of
exactly cyber malpractices and heedless while downloading apps from Google
Play store and links from emails. This might be because of the lack of
knowledge about how do the fraudsters design their scams. The most
regularly occurring scams are:

1. Phishing Scams
Many fraudsters send you unauthorized payment links via SMS. These
bank URLs though will look very identical to the original one, but are
fake. When you are in a rush and click on that link without looking at it
meticulously, it will direct you to the UPI payment app installed on your
phone. It will then ask you to select any of the apps for auto-debit. Once
permission is given from your end, the amount gets debited from the
UPI app instantly. Also, clicking on a fake link may cause a virus attack
on your phone, created to steal crucial financial data stored on the
device. Hence, the URL needs to be carefully read before clicking on it,
because the difference of even a dot should be considered before
clicking on any link. These are called “Phishing Scams”.
2. Scams through Apps

With the growing acceptance and adoption of the work-from-home culture

globally, working professionals are downloading remote screen monitoring
tools, using which one can connect their smartphones and laptops via Wi-F
with smart TVs. Along with authentic verified apps, there are also numerous
unverified apps on Google Play and the apple app store. Once you download
an unverified app, it gets full control of the device and extracts data from your
phone. Also, fraudsters often pose as bank representatives and ask you to
download a third-party app for “verification purposes”. Immediately after
getting downloaded, the third-party apps will provide the hackers with remote
access to your phone.

3. Fake UPI App and Social Media

Though a UPI social media page(Facebook, Twitter etc) has the word NPCI,
BHIM or names similar to a bank or government organisation, it is not always
authentic. Hackers design similar handles so that you get deceived and reveal
your account details through a fake UPI app.

4. OTP Frauds

To complete an online transaction through a UPI app, you need to either

enter the OTP (One Time Password) or UPI PIN. The OTP is sent by
your bank through an SMS on the registered number. One of the most
common ways hackers try to scam people is by requesting them
toshare their UPI PIN or OTP over the phone. Once you give them the
information, they authenticate UPI transactions and money from your
account gets transferred to their accounts.
How to Avert UPI Frauds?

1. Identify Fraudsters Your bank will never Call and ask you about
sensitive data. Therefore, if someone calls you and requests to share
the account related information, understand the person on the other
side of the call is not a bank executive. There is a feature on apps like
Google Pay, PhonePe, BHIM, called “request money”, which fraudsters
take advantage of.

2. Fraudsters will ask for PIN. Swindlers often show interest in

purchasing a product advertised on different online platforms and
engage with the seller on a phone call. If someone, claiming to be a
buyer, asks you to share a PIN with him to receive the payment of the
product you are selling, you should understand, he is trying to scam you
as receiving money requires no PIN. Therefore, never reveal your PIN
to strangers on phone, under any circumstance. Secure your UPI apps
with biometric recognition software. Also, you can install anti-virus
software for optimum security. Today, on online marketplaces like OLX,
UPI frauds are taking place quite often. People get calls from self-
claimed buyers who show interest in buying their advertised products.
These buyers, who are actually scammers, start convincing the sellers
to send their UPI address so that the amount could be transferred. Once
they share the UPI address, they get trapped and lose a hefty amount
from their accounts.
3. Spammers will send request on Google Pay and PhonePe Google
Pay and PhonePe always give a spam warning to the users, if they
receive a request from an unknown account. Always keep your eyes
open and in case of such suspicious accounts, always lodge a Google
Pay fraud complaint.

4. Be aware of the fake apps on Google Play Store Make sure the apps
you are downloading from Google Play Store are verified and authentic.
If you mistakenly or carelessly downloaded a fake app, it becomes easy
for a hacker to extract sensitive data and steal money from your
account. Numerous fake apps like Modi Bhim, Bhim Modi App, BHIM
Banking Guide, etc. have been reported to have extracted personal data
of customers in the name of providing some valuable banking service.

5. Scammers will send downloadable content on E-Mails E-mails often

comprise content that lures you to download. Make sure you don’t
download anything without scanning it for viruses/Malware.
6. Hackers can access your phone through an Open Wi-Fi Try to avoid
using open Wi-Fi as it may give a hacker a chance to access everything
on your device. Therefore, always check if the Wi-Fi is safe and
trustworthy, before connecting to it.
 RBI Guidelines for UPI Frauds in Banks

1. The Chairmen and Managing Directors/Chief Executive Officers

(CMD/CEOs) of banks must provide focus on the "Fraud Prevention and
Management Function" to enable, among others, effective investigation of
fraud cases and prompt as well as accurate reporting to appropriate
regulatory and law enforcement authorities including Reserve Bank of India.

2. The fraud risk management, fraud monitoring and fraud investigation

function must be owned by the bank's CEO, Audit Committee of the Board
and the Special Committee of the Board.

3. Banks with the approval of their respective Boards, shall frame internal
policy for fraud risk management and fraud investigation function, based on
the governance standards relating to the ownership of the function and
Accountability resting on defined and dedicated organizational set up and
operating processes.

4. Banks shall send the Fraud Monitoring Returns (FMR) through the XBRL
system. Banks should specifically nominate an official of the rank of General
Manager who will be responsible for submitting all the returns referred to in
this circular.
 SAFE DIGITAL BANKING PRACTICES
 Never share your account details such as account number, login ID,
password, PIN, UPI-PIN, OTP, ATM / Debit card / credit card details with
anyone, not even with bank officials, however genuine they might sound.

 Any phone call / email threatening the blocking of your account on the
pretext of non-updation of KYC and suggestion to click link for updating the
same is a common modus operandi of fraudsters. Do not respond to offers
for getting KYC updated / expedited. Always access the official website of
your bank / NBFC / e-wallet provider or contact the branch.

 Do not download any unknown app on your phone / device. The app may
access your confidential data secretly.

 Transactions involving receipt of money do not require scanning barcodes /

QR codes or entering MPIN. Thus, exercise caution if asked to do so.

 Always access the official website of bank / NBFC / e-wallet provider for
contact details. Contact numbers on internet search engines may be
fraudulent.

 Check URLs and domain names received in emails / SMSs for spelling
errors. Use only verified, secured, and trusted websites / apps for online
banking, that is, websites starting with ‘’https’’. In case of suspicion, notify
local police / cybercrime branch immediately.

 If you receive an OTP for debiting your account for a transaction not
initiated by you, inform your bank / e-wallet provider immediately. If you
receive a debit SMS for a transaction not done, inform your bank / e-wallet
provider immediately and block all modes of debit, including UPI. If you
suspect any fraudulent activity in your account, check for any addition to
the beneficiary list enabled for internet / mobile banking.

 Do not share the password of your email linked to your bank / e-wallet
account. Do not have common passwords for e-commerce / social media
sites and your bank account / email linked to your bank account. Avoid
banking through public, open or free networks.

 Do not set your email password as the word “password” while registering in
any website / application with your email as user-id. The password used for
 accessing your email, especially if linked with your account, should be
unique and used only for email access and not for accessing any other
website / application.

 Do not be misled by advices intimating deposit of money on your behalf

with RBI for foreign remittances, receipt of commission, or wins of lottery.

 Regularly check your email and phone messages for alerts from your
financial service provider. Report any un-authorized transaction observed
to your bank / NBFC / Service provider immediately for blocking the card /
account / wallet, so as to prevent any further losses.

 Secure your cards and set daily limit for transactions. You may also set
limits and activate / deactivate for domestic / international use. This can
limit loss due to fraud.
References

a. https://indiankanoon.org/ - For Case Laws

b. https://www.sebi.gov.in/ - For Insider Trading Regulations
c. https://economictimes.indiatimes.com/ and https://www.business-standard.com/
-For News snapshot and other information.
d. https://www.acfe.com/ - For relevant data
https://www.icai.org/ and https://na.theiia.org/ for relevant data and research paper format