India is home to nearly 40% of the world’s total online transactions. These banking transactions showcase the huge customer base and technology penetration among Indian netizens. This boom has been facilitated and strengthened by easy access to high-speed internet and the spike in technology dependence due to the Covid-19 pandemic. UPI payments have now become the normal medium for daily money exchange. Fin-tech platforms have been keen on providing ease of monetary exchange, so that users need not worry about change and can keep track of their spending. However, as good as it may sound, the same convenience is now being targeted by cybercriminals and bad actors for financial fraud and scams.
The Google-Pay scam
Like any other scam, this one relies on social engineering and vulnerabilities. The bad actor makes a payment to your UPI account; this transaction is nearly Rs 15,000 and above. Once the payment is received, the victim is contacted by the bad actor and informed that the money was transferred by mistake and was meant for someone else who has a very similar UPI ID or mobile number. Once the bad actor has established that the transaction was an honest mistake, the victim is requested to transfer the amount back to the bad actor’s account, and for this the bad actor shares a QR code. This QR code is a faulty and fake one which, once scanned, takes out all the money in the victim’s digital account/wallet. Victims often fall for such scams because the scamsters have a well-fabricated story, according to which the payment was for an important task or cause and the whole scenario was an honest mistake. There are several potential routes by which a fraudster may commit the “money received scam.” It can be accomplished through social engineering, in which a victim is duped into making a fraudulent payment, or through the use of malicious software, in which a user’s mobile device screen is taken over, one-time passwords (OTPs) are collected, and potentially suspicious, unauthorized transactions are carried out.
Precautions and safeguards
The payment portals and platforms are not at fault here: their security measures and protocols are not designed to determine the intent behind anyone’s payment, and the victims make the payment themselves and consent to it. The primary issue is awareness and social engineering, and the netizen’s participation is the only way to combat such cyber crimes. Firstly, in the case of the “Money Received Scam”, one needs to consider that the victim has the money and therefore has the upper hand. At this point the victim can change the direction of the scam simply by stating that the money received is safe and that the person can come and collect it as cash, in person, only after verifying his/her identity. In cases where major amounts of money are received, ask the bad actor to meet you at a police station so that there is no conflict of any kind. This scam is a little different from phishing: here the victim is initially given some money to win his/her confidence, and this is the critical moment at which victims can either fall into the trap or save themselves. Always remember that there are no free lunches, and treat this instance just as a responsible citizen would if he/she found someone else’s money lying on the roadside.
Protocols in case of financial fraud
- Inform your bank immediately and call 1930.
- Share the details of the fraud with the RBI ombudsman via mail for timely action.
- Deactivate your payment wallet and account.
- Report the fraud to the nearest police station or cyber cell.
- File a complaint on the national cyber crime reporting portal.
Do’s & Don’ts
- Avoid sending the money back to a suspicious sender; use Google Pay’s Contact Us section to get it resolved and reported.
- Never share OTPs with anyone who claims to have sent you money by accident.
- Never install any apps that might be used by a sender to extort payment from you.
- Do not scan a QR code that an anonymous person sends to you.
- Do not reveal your bank account details to the suspected anonymous user.
- The most efficient method to refund it would be to request that they come to your location in person, present their identification, sign, and receive their money back.
Bad actors and fraudsters are often seen engaging in new forms of cyber attacks, but being aware will help reduce such crimes to a fraction. Lack of awareness is the only aspect that cybercriminals target. Hence, as active netizens, it is our digital duty to be informed and aware of such forms of crime and to inform others about them. Most importantly, always treat the cyber instance as analogous to a physical event and think about how one would react. Technology or the internet is not the criminal; it is still an individual who is using technology as a medium and a weapon.
“Know Your Technology & Digital Responsibilities and Safeguard your Digital Rights”
Money Received Scam – Author: Mr. Neeraj Soni, Intern, CyberPeace Foundation