UPI-based banking frauds on the rise in Kerala

Thiruvananthapuram: Fraudsters have come up with a new way to siphon off money from bank accounts by taking advantage of the loopholes in the Unified Payments Interface (UPI) payments system, which allows account holders to send and receive money from their smartphones without entering bank account details.

As many as 10 cases of UPI-based fraud involving Rs 12 lakh have been reported in Kerala recently, an investigation by Cyberdome, a hi-tech centre for cybersecurity and innovations under the Kerala Police, has revealed.

A conman can easily take control of a gullible customer’s account and withdraw money by using a UPI-supported application linked to Aadhaar, said IG Manoj Abraham, nodal officer of Cyberdome.

The agency has requested the Reserve Bank of India to fix the security hole, he added.

Most of these banking frauds are believed to be conducted from Jamtara village in Jharkhand, which has emerged as one of the major hubs of cybercrime in the country. Though the Jharkhand police carried out raids on four premises across the village on Friday, based on specific inputs provided by their Kerala counterparts, no arrests have been made.

How to stay safe

• If you notice any unauthorised or fraudulent activity in your account, contact your bank immediately and block the account.

• Do not respond to any call/SMS asking you to share your card number, account or Aadhaar details. Remember, banks will never ask for your confidential information via phone or email.

• Never share your OTP with anyone.

Modus operandi of e-banking fraudsters

• The conman would first download the UPI-supported interface to his phone. Normally, before the bank account is linked with the UPI app, an encrypted SMS would be sent to the UPI server. Since the fraudsters would be using a phone number with zero balance, the message would remain stored in their phone's outbox.

• The conman would then call the customer posing as a bank official and offer to help the customer through the process of renewing his/her 'blocked' debit card. The caller would inform the account holder that he/she would receive an SMS within a minute.

• The fraudster would forward the encrypted SMS lying unopened in his outbox to the victim. Giving him/her a phone number, the caller would instruct the victim to send the message to that number, presented as the bank’s customer care.

• The contact given as the bank’s customer care number would in fact be the mobile number used to validate the linking of the conman’s bank account with the UPI-supported interface. The encrypted message would contain the details of his UPI account.

• Since the SMS was forwarded to the UPI server from the victim’s registered mobile number, the bank account would automatically be linked with the conman’s UPI account.

• The conman then can generate transactions without entering OTP or password. All he needs is a login password and transaction MPIN to withdraw money from the victim’s account.
