Sarita received some SMS messages on her phone that ended up costing her nearly Rs. 4,00,000. The text messages warned her that the KYC verification of her Paytm account was about to expire, and the 66-year-old retired gynaecologist dialled the number in the message. She then spoke to what she thought was a customer care executive of the company, who asked Sarita to send a request from her phone to begin the KYC process. Since she couldn't find the option in the app, the customer care executive very helpfully sent her a link to download QuickSupport — a remote support app similar to TeamViewer or AnyDesk.
These are legitimate apps that run only with your consent and are typically used for remote IT support; the other person can log into your phone only after you share a code with them. But once they have entered the security codes, the apps essentially give that person full control over your phone. As a result, the so-called customer care executive, who was actually a scammer, had full access to Sarita's phone. He installed further apps to silently track incoming OTPs, took out all the money from her SBI savings account, and ran up a bill of over Rs. 3 lakhs on her Standard Chartered Bank credit card. The whole process took minutes, but three months later, Sarita still feels trauma over the event.
“My mother was so disoriented because of the experience that she couldn't recollect all the details even today,” Sarita's son Mohan told Gadgets 360.
Lalit, 68, also got a sham SMS message this August, claiming the expiry of his Paytm KYC. That message also included a phone number, which the retired physician dialled; he ultimately lost Rs. 12,900 from his State Bank of India savings bank account.
However, the fraudster targeting Lalit used the AnyDesk app along with a Google form that asked for his details, including full name, address, bank name, debit card number, and validity. All that was enough to transfer his hard-earned savings in just a couple of minutes.
Lalit's daughter Priya is now adding only Rs. 2,000 to his bank account at a time, so that there would be no balance in the account that could be stolen. He is also no longer using Paytm and other major online platforms, though he finds it difficult to order his medicines while staying mostly indoors in a rural area of Kolkata.
“I'm anxious that someone may not again do any cheat and steal my money,” Lalit said.
Many among India's older generation have fallen for the same kinds of scams that were used to rob Sarita and Lalit. According to experts, the number of such incidents is on the rise in the wake of COVID-19, and Amazon gift cards appear to be a popular way for the scammers to spend the money, as they can then be used later or even bartered to others in order to make it harder to track the crooks behind the scam.
Gadgets 360 spoke to dozens of victims and their family members, whose names have been changed here to keep them from being targeted further. A few of the victims said they had already been targeted twice or thrice by scammers using the same practice of falsely asking them about their KYC expiry, and with the identical phone number.
Online financial frauds and digital payment scams are not exactly new in the country. In fact, in some past cases, scammers even targeted well-known politicians, including the erstwhile Maharani of Patiala and Congress Member of Parliament (MP) Preneet Kaur. However, the pandemic has brought a sudden and massive growth in all such cases. National Security Adviser Ajit Doval said that there had been an “exponential increase” in online frauds in the country due to greater dependence on digital payment platforms following the COVID-19 outbreak.
Based on our interviews, the impact is quite high specifically on the users of Paytm — possibly due to its greater adoption by local vendors — though several Google Pay and PhonePe users are also being affected, as per user posts available on social media, and various complaints filed at the cyber crime branches across the country.
The data provided by the National Payments Corporation of India (NPCI) shows that in September, transactions based on Unified Payments Interface (UPI) hit a volume of over 180 crores — nearly double the 99.9 crores volume recorded in April. Total transactions have additionally reached Rs. 3,29,027 crores. Platforms including Google Pay, Paytm, and PhonePe have also seen a significant increase in their adoption. And as a result, scams have also increased alongside.
Despite the growth of digital transactions and new users making cashless payments, there is a lack of awareness and very little digital literacy in the country. This is resulting in issues like KYC updation frauds. Digital payments platforms as well as the Reserve Bank of India are using their social media channels to make people aware of financial attacks that are termed mishing, phishing, and smishing in the lexicon of cybersecurity.
Paytm (@Paytm), September 13, 2020: “Was it an agent? Was it an executive? WHO WAS IT?! 🤔”
RBI Says (@RBIsays), September 30, 2020: “.@RBI says: Be wary of messages, calls or links asking for KYC updation, card details, PIN or OTP. #BeAware #BeSecure #rbikehtahai #StaySafe”
Law enforcement agencies are also issuing advisories to prevent digital payment frauds in the country. But the increase in such cases, and especially the way in which bad actors are converting the money they steal into Amazon gift cards and online vouchers, is making it difficult for authorities and state police officers to limit their extent.
“It is getting difficult because you can't stop numerous transactions at once and also offenders are operating from different states,” said Rohini Priyadarshini, Cyberabad Deputy Commissioner of Police (DCP) for Crimes.
Lack of concrete government policies to limit attacks
Experts believe that apart from low digital literacy and less knowledge about online frauds, scams are taking place due to the lack of data and IT policies in the country.
“With no data standards, there are no digitisation standards, and there are no payment standards — neither defined by the government of India nor by the Reserve Bank of India (RBI) nor by the Indian Computer Emergency Response Team (CERT-In), people have been left aside from the security point,” said Sateesh Kumar Peddoju, Associate Professor of the Department of Computer Science at the Indian Institute of Technology (IIT), Roorkee.
KPMG Director for Risk Consulting Vikram Jeet Singh agreed with Peddoju and stated that India was a good 10 to 15 years behind some of the developed economies if we looked at the entire cyber policy for the country.
“Even if we don't want to compare ourselves with a developed economy, but then we can at least replicate what they have done,” he underlined. “So the bodies or the entire ecosystem of really creating that regulation or bringing that kind of control mechanism is slightly both flawed and delayed.”
NSA Doval, while delivering a lecture on cybersecurity at the data privacy conference c0c0n XIII-2020 last month, mentioned that the central government was coming up with the National Cybersecurity Strategy 2020 to enhance the safety and security of Indian citizens in cyberspace. Nonetheless, progress towards the planned strategy is yet to be seen.
No active cooperation from platforms including Amazon, Paytm
The Reserve Bank of India back in June 2017 sent a notification to all scheduled commercial banks, small financial banks, and payments banks in the country to limit liability of customers in unauthorised electronic banking transactions. The central bank also recently revised rules to disable online payment services of all credit and debit cards in the country that have never been used for digital transactions.
Several victims have told Gadgets 360 that while the scheduled banks were able to cooperate with them, they didn't receive any explicit support from platforms including Paytm or Amazon despite providing them with all transaction details and the contact numbers of the scammers. In a couple of cases, the victims said that Amazon customer care assistants even declined to register a complaint against scams and directed them to go through their state police instead. The company, however, claimed that it actively worked towards taking action against fraudsters.
“Customer trust is paramount to Amazon Pay. We have several measures in place to prevent fraud and protect our customers,” an Amazon Pay spokesperson told Gadgets 360 in a prepared statement. “We work closely with financial service institutions, regulators and Law enforcement agencies to assist in recovery and action against bad actors.”
Paytm on its part has so far blamed telecom operators in the country for not taking action against the fraudulent SMS messages that most of the time include fake headers, claiming the expiry of users' KYC verification on the platform. The Noida-headquartered company owned by One97 Communications in May filed a lawsuit against the Telecom Regulatory Authority of India (TRAI) and Indian telcos for not blocking unsolicited traffic flowing over their networks. That legal fight was recently joined by Paytm rivals including PhonePe and MobiKwik through a writ intervention submitted by the Internet and Mobile Association of India (IAMAI). The industry body represents 90 mobile wallet platforms and digital payments firms.
A Paytm Payments Bank spokesperson told Gadgets 360 that it had a dedicated team of over 200 cybersecurity and fraud detection experts who work around the clock to monitor transactions and take action whenever they detect any fraudulent activity. The company also claimed to be adding new security features to combat payment frauds taking place through its platform.
“We warn our users never to make any advance payments to any non-trusted stranger or merchant,” the spokesperson said in a prepared statement. “Also, we encourage them to report all such incidents to us and also to the crime branch so we can take concrete action against these fraudsters. Our cyber cell department is connected to police crime branches to effectively tackle cyber frauds as and when they are reported. We are constantly working to inform customers to safeguard themselves from such incidents.”
Nevertheless, the Directorate of Enforcement, in a case concerning Chinese online betting apps, stated that online wallets including Paytm have “lax due diligence mechanisms” and did not report “suspicious transactions to the regulatory authorities.” The platform also seems to have issues with the KYC process, as a number of users have complained on social media about weeks-long delays in its completion.
Some Paytm users have also pointed out that the mobile wallet app was asking them about KYC even after they submitted their documents through the app. Similarly, there are some users who were not informed about the expiry of their KYC verification at the time of adding money to their Paytm wallet but were later not allowed to use the wallet for any transactions.
Gadgets 360 provided some of the user complaints to the Paytm team to get clarity on the issues reported online. The spokesperson for Paytm Payments Bank responded saying that it was serving more than 10,000 customers a day through the video KYC process that is touted to be the largest video KYC set up in the country. The platform is also claimed to have completed KYC for over six lakh customers using the video KYC process.
“During this time, a few users have faced minor issues in completing the process due to a patchy Internet connection or non-submission of all documents,” the spokesperson said. “In such cases, our 24-hour customer services team helps these users in every way possible to complete their KYC with us.”
Issues impacting PhonePe, Google Pay users as well
Just like Paytm users, several PhonePe users have also complained about false SMS messages claiming the suspension of their KYC verification. Some users of the digital payments platform, which claims a user base of over 23 crores, have also been contacted by scammers about cashbacks.
A PhonePe spokesperson told Gadgets 360 that it had been “working proactively” to tackle the industry-wide issue of fraud and was working with TRAI and telecom partners specifically on the fake SMS issue.
“We had seen a few aggregators who were not following the protocol and were allowing sending SMS to a bulk list of users without any verification,” the spokesperson said. “With the help of our telecom partners, we have been able to get some of them suspended and this is a critical area of focus for us. We are also working with IAMAI and are a party to the case where we have raised the issue of fake calls and SMS to TRAI.”
The PhonePe spokesperson also stated that it had published blogs and sent out a regular communication to its users to keep them aware and safe from such frauds. “We actively block fraudsters on our internal investigations as well as based on customer complaints,” the spokesperson added.
Similar to PhonePe users, multiple Google Pay users told Gadgets 360 that fraudsters on the platform were preying on them with a link pretending to give cashbacks that eventually drained money from their accounts. In a few cases, bad actors posed as Google Pay customer care agents, which helped them gain users' confidence and steal their money.
Google Pay Product Manager Mallika Kodali told Gadgets 360 that her team invested in “advanced and sophisticated security and fraud detection technology” that helped ensure all transactions are safe.
“What we have seen though are cases where unsuspecting users have fallen into the trap of social engineering,” said Kodali. “It is incumbent upon us as an industry to come together to ensure that people are as alert when using digital payments as they are when dealing with cash or their ATM cards. This is an ongoing journey and the industry has much to do here, with user education being at the heart of these efforts.”
The Google Pay team worked with the ecosystem to bring in a limit of Rs. 2,000 per transaction for peer-to-peer payment links, and the app displays a blocker warning screen for high-value QR and payment link transactions to warn users and ensure they approve transactions after due deliberation. It also provides a dedicated toll-free customer care number, which is 1800-419-0157, and a Contact Us section in the app to help users reach the team natively. Furthermore, the PIN entry screen on the Google Pay app is claimed to be secured against remote desktop attacks.
That said, fraudsters seem to know of flaws in the system that let them abuse the mechanism and continue to steal users' money.
Loopholes in the existing system
Manny Chadha, Regional President for the Asia Pacific and Japan (APJ) region at Illinois-based cybersecurity service provider ProtectedIT, told Gadgets 360 that there are plenty of loopholes in the existing digital payments system and the most significant one seems to be at the banking layer despite annual checks.
“Indeed gullible people are falling prey to fraudsters who transact via digital payment platforms but what is far more troubling is that once the money is transferred into another bank account, it tends to disappear without subsequent traceability to an actual person that can be held liable for the fraud perpetrated,” Chadha said.
Singh of KPMG also pointed out that the growth of online financial attacks is mainly due to the fact that the cost of such attacks has gone down significantly.
Many cybersecurity experts additionally believe that there should be a biometric authorisation — at least for high-amount transactions — instead of allowing all payments simply by entering OTPs and passwords.
“Passwords — any type of passwords — are knowledge-based authentication and any type of knowledge-based authentication is inherently weak,” said Matthew Unger, founder and CEO of British Columbia-based startup iComply Investor Services that provides anti-money laundering (AML) and KYC technologies to global digital payment platforms.
Unger also emphasised that most digital platforms use API-driven services for KYC onboarding and document authentication, which leaves them exposed to online attacks. “We need to look at technologies like edge computing that allow you to process the KYC data of the persons on their devices, without them having to download apps or leave your websites. It can make the KYC process easier for the end-user, especially for elderly clients,” he said.
Global increase, but India amongst the most affected countries
Apart from India, there has been a global increase in digital payment frauds. Unger of iComply told Gadgets 360 that such frauds have grown by over 500 percent in 2020. He also stated that fraudsters use similar techniques to exploit individuals in worldwide markets.
“It's remarkable how fast you see that if a new strategy appears in the UK, it's amazing how fast you see it popping up in the US or in India or in other parts of the world. So, you do see the same once a new type of fraud has proven to fraudsters to be profitable, they jump on it very quickly,” he said.
However, the faster growth of digital payments adoption with little user education, and India's historical reliance on paper currency, are making the country one of the world's most affected by digital payment frauds.
KPMG's Singh stated that while the growth of online financial attacks is a global phenomenon, the propensity of those attacks would be higher in India, as paper currency usage was very high in the country and the adoption of digital payments started suddenly following the demonetisation of November 2016.
“Our number of attacks or quantum of attacks per million would be slightly higher vis-à-vis somewhat mature markets,” he said.
Disclosure: Paytm's parent company One97 is an investor in Gadgets 360.