UPI Payments Fraud Concerns as Monthly Transactions Hit Two Billion

Dec. 16, 2020 | by Shriram Sekar

The year 2020 is a landmark year, especially for us in India, as we dreamt of becoming a ‘Complete Nation’ or ‘Superpower’ (or whatever one would like to term it) through balanced growth, technology-driven economic stability and, perceptibly, the potential of millennials. While the global news of COVID-19 has reminded us how vulnerable we are as humans, I have tried to find something optimistic to look forward to on the back end. I see a lot of opportunity, specifically with “The Digital Rush”. The digital adoption growth rate we are seeing in India cannot be compared with that of any other country, and it is completely reimagining the way we operate and moving us out of our comfort zones.

By this time, everyone will have read something on how BIG the digital market is and is projected to be. I won’t bore you with the business views projected by the various market analysts. But one thing I would like to reiterate is that for financial institutions during the pandemic, the transition to the digital world has become essential for existence, rather than just a matter of offering some sophisticated digital products in Tier-1 cities/states. With NPCI clocking two billion transactions on United Payments Interface (UPI) in November, monthly growth rates of 100% and the number of mobile phones exported and imported during the festive season, it is clear that we are a mobile-first nation with everyone rushing to create and use their digital identities (for comparison, the U.S.-based payments network, Zelle, hit one billion transactions for the year in November).

As smart apps, digital wallets, IoT etc. are super-spreaders, all financial institutions and aggregators have capitalized on smartphone penetration to generate revenues. The growth is so exponential that institutions failed to notice the trap. On the other hand, financial institutions could not achieve their projected business value if they were conscious of the trap. Financial institutions are trying hard to strike a balance by bringing in various validations while ensuring users don’t lose their curiosity. In this process, they face a lot of challenges, which include, but are not restricted to:

  1. User’s outlook on trusting people
  2. Belief over freebies
  3. Lack of education:
    • In using a smartphone
    • Vulnerabilities of using a smartphone
    • Vulnerabilities in mobile apps
    • On the steps/process around making payments/transfers
    • On what is sensitive & personal information

With UPI transactions hitting an all-time high, RBI/NPCI have worked to ensure the safety and security of this huge flagship digital platform with constant mandates as there are many participants involved in the transaction. Due to the pandemic, there has been a surge in fraud around digital transactions, especially around UPI. Cybercriminals are using different ways to make this happen including:

  1. Phishing and vishing
  2. Social engineering
  3. Money mule accounts
  4. Malware and remote access tools (RATs)
  5. SIM cloning

Fraud around UPI is rising, despite constant efforts by RBI/NPCI and participants, such as educating customers, deploying mobile security software, checking the beneficiary handle/VPA (Virtual Private Address) and more. At the centre of most fraud scams is social engineering. Whether it is clicking on a link in a phishing email or getting a user to share their UPI PIN over the phone, cybercriminals have to convince a user to take an action.

Social engineering voice scams have been particularly troubling for financial institutions and consumers. It all starts with a phone call from a cybercriminal posing as a representative of a legitimate organization such as a bank, utility company or government agency. Cybercriminals use a variety of tactics to trick consumers, most often claiming there is a cashback offer. The cybercriminal then tells victims that the cashback has been processed and that they can accept it through the UPI app.

Cybercriminals who execute these attacks are well-scripted and often knowledgeable about security practices and processes. What makes these scams so hard to detect is that the transaction or payment is being conducted by the genuine user, who is logging in from their own device. In addition, even if additional authentication credentials are required, such as a one-time passcode, the legitimate user will be able to provide them, or a cybercriminal can capture them through a remote access tool. A recent article in The Economic Times reported how many small towns have become the target of high-profile cybercrime gangs amid the accelerated growth in digital payments.

Working together with several of our customers, BioCatch set out to find whether digital behaviours could be used to detect social engineering scams and, if so, to determine which behaviours should be examined. How could we take what we know about digital behaviour based on clicks, swipes and typing patterns and combine it with what we know about human psychology to develop models that produce highly accurate profiling to detect advanced social engineering?

It is in these advanced scams that the power of behavioural biometrics comes into play. The starting assumption was that we could find differences in actual human behaviour that were statistically significant enough to determine a user’s intent and emotional state in the context of the activity being performed. Some of the differences in digital behaviour we uncovered that indicate a user was acting under duress or the coercion of a cybercriminal include:

  • Length of session.  Sessions take significantly longer, and behaviours such as aimless mouse movements are common, indicating that the person is distracted while waiting for instructions.
  • Segmented typing.  These patterns indicate dictation, such as a cybercriminal reading out the account number to transfer funds to.
  • The time it takes to perform simple, intuitive actions, such as clicking on the Submit button, shows a statistically significant increase on average.
  • This is indicated by actions such as changing the orientation of the device often. For example, continuous movement of the phone suggests the user is picking up the phone to take instructions and placing it back down to perform the actions instructed by the cybercriminal.
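The four indicators above can be expressed as checks over a session's event stream. The sketch below is an added example, not BioCatch's model or code from the original post; the event schema, the `payee_account` field name, the per-user `Baseline` and every threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Illustrative thresholds (assumptions, not values from the article or any product).
PAUSE_MS = 1500          # keystroke gap that splits typing into segments
MIN_SEGMENTS = 3         # this many segments in one field suggests dictation
LONG_SESSION_FACTOR = 2  # session lasting this many times the user's usual duration
SLOW_SUBMIT_FACTOR = 3   # submit delay this many times the user's usual delay
ORIENTATION_FLIPS = 4    # pick-up / put-down cycles within one session

@dataclass
class Baseline:          # hypothetical per-user history
    session_ms: float
    submit_delay_ms: float

def typing_segments(key_times, pause_ms=PAUSE_MS):
    """Group keystroke timestamps for one field into bursts separated by long pauses."""
    segments = []
    for t in key_times:
        if segments and t - segments[-1][-1] <= pause_ms:
            segments[-1].append(t)
        else:
            segments.append([t])
    return segments

def coercion_indicators(events, baseline):
    """events: time-ordered (t_ms, kind, field) tuples; returns the set of indicators raised."""
    keys = [t for t, kind, field in events if kind == "key" and field == "payee_account"]
    submits = [t for t, kind, _ in events if kind == "submit"]
    flips = sum(1 for _, kind, _ in events if kind == "orientation")
    raised = set()
    if events and events[-1][0] - events[0][0] > LONG_SESSION_FACTOR * baseline.session_ms:
        raised.add("long_session")
    if len(typing_segments(keys)) >= MIN_SEGMENTS:
        raised.add("segmented_typing")
    if keys and submits and submits[0] - keys[-1] > SLOW_SUBMIT_FACTOR * baseline.submit_delay_ms:
        raised.add("slow_submit")
    if flips >= ORIENTATION_FLIPS:
        raised.add("device_handling")
    return raised

# Constructed sample sessions (not real data): a 12-digit account number typed two ways.
def session(key_times, submit_at, flips=()):
    ev = [(0, "open", None), (submit_at, "submit", None)]
    ev += [(t, "key", "payee_account") for t in key_times] + [(t, "orientation", None) for t in flips]
    return sorted(ev, key=lambda e: e[0])

BASELINE = Baseline(session_ms=10_000, submit_delay_ms=1_000)
FLUENT = session([1000 + 200 * i for i in range(12)], submit_at=4000)
DICTATED = session([5000 + 4900 * g + 300 * i for g in range(3) for i in range(4)],
                   submit_at=30_000, flips=(4000, 9000, 14_000, 20_000))
```

Each indicator on its own is weak evidence; comparing against the user's own baseline and requiring several indicators to coincide keeps slow but uncoerced users from being flagged.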

While technologies such as behavioural biometrics have alleviated some of the risk from advanced social engineering scams, the value of continued awareness and education should not be underestimated. Today, with billions of monthly transactions happening on the UPI platform, there is more motivation than ever to implement the right technology to prevent fraud losses from advanced social engineering scams and build trust with customers.

This post was originally published by Shriram Sekar of BioCatch on LinkedIn.