The murky world of India’s fintech scams
March 23, 2020
A few days later, on 24 February, he started receiving messages to finish his Paytm KYC (“Know Your Customer”)—a business process to verify a customer’s identity. He would lose the money in his Paytm wallet if he didn’t, the message warned, and ended with a number he was asked to call. He did, but no one answered.
The next morning, at 9.13am, the 26-year-old, who lives in Kanpur and works as a professional anchor, got a call from a man who introduced himself as a Paytm employee. He gave him simple instructions to complete the KYC on his own: download a screen-sharing app, connect it with Paytm, share the nine-digit ID, and wait. Shukla did everything he was asked to.
Next, the caller asked him to add ₹10 to his Paytm wallet. He wondered why this was needed. But he went ahead thinking it was harmless, and added ₹10 through Unified Payments Interface (UPI). But minutes after that transaction, Shukla started losing money from his bank account. “My mind stopped working. I could not understand what was happening,” he said. Money drained out of his account as the caller kept him engaged on the phone. By 10.16am, in four different transactions—₹19,990, ₹2,000, ₹9,999, ₹7,000—Shukla lost ₹38,989 from his account.
Here is what happened: With remote access to the device through the screen-sharing app, the fraudster could see every activity on Shukla’s phone. The seemingly harmless ₹10 transaction revealed Shukla’s UPI PIN (through the on-screen keypad) and the OTP messages he received for approving transactions. The scammer immediately used the credentials to transfer money.
Shukla got scammed. He went through what thousands of Indians experience every day: digital payment frauds, with sums ranging from a few thousand rupees to several lakhs.
Wallets and UPI have taken over the Indian digital payment ecosystem. Since its introduction in 2016 by the National Payments Corporation of India (NPCI), UPI has changed the payments paradigm. But even as the reduction of friction in payments is driving the growth of new businesses, it is also orchestrating fraud. And with a likely influx into new-age payments platforms in the aftermath of the coronavirus outbreak (with early studies indicating virus droplets can remain on currency notes for days), things may only get worse.
In Noida, the number of reported cybercrime cases jumped 400%: from 353 in 2018 to 1,697 in 2019, and a third of all the cases were KYC-update scams. In Bengaluru, 38% of the 12,754 cybercrime cases reported between January 2018 and August 2019 were UPI-related. Paytm gets around 1,300 complaints every day, said Vikendra Singh, a team lead in the risk and fraud management division of the company’s Noida office. Extrapolate that to the entire year, and we are talking about close to half a million annual complaints—on Paytm alone, excluding other UPI apps like PhonePe and Google Pay.
Much of the onus on protection from such…