UPI & QR Codes — A cool new tool for fraudsters?

To set the context for those who do not know, In India, The most frequently used mode of transaction these days is UPI, be it shopping for groceries roadside or paying bills at a pub, or shopping in a mall, everywhere this mode of payment is accepted.

The receiver would have a payment address in the format of XXXXXX@bank linked to his bank account and to that address payment can be made by other UPI accounts, and on a regular day, a common man in India would be scanning numerous QR codes for sending in the cash.

Where does the new scam technique occur?

The crucial point which I want to point out here is, It is a common thing for a person in India to scan the QR code which contains the UPI address and make the payment to that UPI address via desired payment apps such as phonePe, google pay, etc., and what we have to notice is, it is little uncommon for a common person to receive money from others as a day-to-day business transaction and this is the stuff that would be taken as advantage by the fraudsters.

How does it happen?

Here goes a story of an incident that happened to a friend of mine XYZ, so one day my friend XYZ wanted to sell an item that she no longer needed and she listed that item on some of the online markets such as Facebook, Olx, and Quikr,

and these ads are publicly visible and she had also listed her contact details,

and this is where the fraudster’s swindle starts, the scammer noticed the advertisement and called my friend XYZ as an imposter who liked the item which was listed and wanted to purchase the item and XYZ became happy that someone was interested in that item and can finally get rid of it and make some penny out of it, now the crucial part comes, the fraudster sends XYZ the QR code and asks to scan the QR code and Enter the UPI Pin and the amount would get credited to the account and XYZ being in spur of the moment scans the QR code and enters her UPI pin and submits and BHAM!

XYZ Just became a victim of fraud!

What happened here is that XYZ instead of receiving the payment, sent the amount to the fraudster and she realized this as soon as she got notified by SMS from her bank saying that XXXX amount have been debited from her account.

Why it was so easy to trick this person into the trap?

As a common joe, she was used to sending the money by scanning the QR code and she never before had received money from someone, at least as a trade and subconsciously she scanned the QR code and entered the PIN and fell into the trap.

Another thing about these UPI Payment QR codes is that they can be coded the payment amount along with the UPI address so that the payee can just scan and enter the UPI pin and don’t need to enter the payment amount, but this is too rare of a scenario where the QR code would be coded with payment amount usually, this adds another layer of dubiety for the person being scammed.

What other ways of getting scammed ?

Suppose you are buying an items from any of such sites and the seller pretends to be a army/defence personal and shares his IDs too (a fake one of course) and he says that he’s in immediate need of the money and he would want the payment in advance/as soon as possible and he would ship the item right away, and one would by default trust that person by emotional factors that he’s from defence and would make the payment and would never hear the end of it.

Fraudster may also try sending you ‘request for payment’ in google pay or phone pay… and you would get fooled by accepting the request for payment and paying the requested amount, be cautious while receiving as well as sending any payments to anyone.

What you should be aware of?

• The most important thing which you should always remember about these UPI payments is that you need to enter the PIN only when you are sending the money to another person and you would never ever require to enter the UPI pin while receiving from anyone.

• Be a little considerate while sharing your personal details in places like these (Facebook marketplace, Olx, Quikr, etc), I recommend you to have a spare phone number for doing this stuff.

I’ve got scammed, what should I do !?!?

First of all, sorry to hear that, now let’s look at what can be done.

India has got a special division in the police department for handling these online frauds and scams called Cyber Crime Cell. Immediately call Cyber Crime Cell at their toll-free number 155260 and 1930 and report the incident, while reporting you would be needing the following details,

• Transaction ID of the payment done (can be found in the app in which you transacted phonepe/google pay etc)

• fraudsters’ phone number if you have

• Your UPI address

• Your Aadhar card

• Your bank account number, IFSC Code, Branch details, and your Debit card number (Remember to share only the Card number and not the expiry date and CVV, they won’t be asking for expiry date and CVV anyway)

• Your phone number and email address.

• You might be asked for a screenshot of the transactionID screen and your aadhar card too.

Once you report this, they would generate a 9 character CIR ID, which would be looking something like this CIRxxxxxx (This part may vary from state to state, this is with respect to Karnataka state) and would be sent to your phone as an SMS, and now the Cyber Cell would get in contact with the bank and freeze the fraudsters’ bank account, and for this reason, I want to personally suggest you to keep your calm and not let the fraudster know that you know you have been scammed and you are in contact with authorities now, because if the fraudster comes to know about this, he/she may withdraw all the money from the bank account.

now you can take the CIR ID and reach your nearest local police station without further ado.

another fun fact which I would like to mention is, most of these frauds are being done by those who don’t even have proper literacy, I highly recommend you to watch the Netflix series jamtara where you can get to know about a group of small-town young men run a lucrative phishing operation on credit cards and debit cards.