UPI app users beware! In a recent case of fraud, a Noida-based UPI (Unified Payments Interface) app user has reportedly lost Rs 6.8 lakh from his SBI savings account. The person recently lodged a complaint with the police, saying that during the last two months money was transferred 7 times from his bank account and that he didn’t get any SMS alert, maybe because he doesn’t have a smartphone. He came to know about this fraud when he visited his bank branch to withdraw some money.
The question, however, arises: How was such a fraud possible, particularly given that the UPI app is claimed to be very safe and secure?
Legal and financial experts say that such frauds are not possible without resorting to high-end phishing techniques and tricking the users. “Indians are not yet equipped enough to prevent such attacks. While the government proposes to make the economy cashless, it must be kept in mind that the Indian population is still at a nascent stage of adapting to this revolution. While technology may become 100% accurate, unless the person using the technology has adequate knowledge, including being cautious of such attempts, the success of such apps will always be doubtful,” says Advocate Sumit K Batra.
In fact, fraudsters are making various ingenious attempts to fraudulently transfer funds out of bank accounts. Most of the time, this becomes possible because the victim might have shared critical information like his SIM number, ATM PIN, personal information etc. without thinking, making it easier for the fraudsters to empty his bank account with a duplicate or cloned SIM. Also, “the untrustworthy mobile repair shops are the weak link as they get possession of someone’s mobile with the SIM card. Care should, therefore, be taken that a mobile is given for repair only to reliable shops or that the SIM is not handed over if the mobile has to be repaired. Cloning becomes much easier if the SIM is handed over to someone,” says Sandeep Shah, Partner, N.A Shah Associates LLP.
However, when no personal information is shared and the user has a feature phone with no Internet or Wi-Fi, it becomes very difficult to clone a SIM, and the fraudsters would need to carry out a very high-level security breach. Many times the user does not see the text message saying that his phone is not available or is not in use, and he ignores such messages, much to his peril.
In the given case, Shah says, assuming that the victim had linked his mobile number with his bank account and the fraudster cloned the SIM card and did the banking transactions with the UPI app, the victim should have experienced an outage of his mobile connection. However, since the fraud is said to have happened over a period of time, the victim certainly has been negligent. Also, currently, the UPI application developed by the National Payments Corporation of India limits the maximum amount to Rs 1.00 lakh per transaction. This means that at least 7 transactions might have happened.
Also, “since only bank-to-bank transfer is permitted, it would be easy to trace the bank account to which the money was transferred. However, if the victim had shared the critical personal information and the fraudster had opened one more bank account in the name of the victim in the same branch (as the security level is somewhat lower) and transferred the funds to the new bank account and from there had withdrawn the funds by cash, then the matter would get a little complicated. However, committing such frauds is not easy without the connivance of some officials, as opening a bank account is not that easy,” informs Shah.
Moreover, if someone’s mobile number is not linked with his bank account, then there are various options for updating the new mobile number, but access to personal information is a must. For example, information about the ATM PIN, debit or credit card etc. is a must. While there have been cases of personal information being leaked by hacking the security system, many times it is the victims themselves who have been responsible for providing or sharing such information.
Keeping all these facts in mind, “the claim of the victim on the bank will get jeopardised if the mode of receiving the banking transaction details is monthly automated statements and the bank has sent such monthly bank statements to the victim on time. In such a case, if the victim has not reported to the bank about the unauthorised debits within the specified timelines, which in the case of most of the banks is 14 days or less, the claim on the bank will certainly be challenged. Assuming that the victim has opted for only the bank passbook and if the same was not updated for the period under consideration, then this may again be a matter of dispute. However, as mentioned, the innocence on the part of the victim will have to be established,” says Shah.