NEW DELHI: It was a regular workday morning commute for Neha Verma in Jammu in northern India. The bus was packed to the gills. Her phone rang. On the line was an avuncular-sounding stranger who sounded about the same age as her father, she said.

The man mentioned her father’s name, and asked if he could send her the 13,000 rupees (S$210) that he owed her father. Crammed into the bus without a seat, Verma said he could do it later.

But he insisted on repaying the money right away, as someone was helping him do so using India’s popular Unified Payments Interface (UPI). Introduced in 2016, the real-time payments system allows users to transfer money instantly using their mobile phones.

The 26-year-old nurse relented – empathising with someone who “knew” her father and sounded sincere – but little did she know that she was about to fall for a well-crafted scam.

Verma soon received an SMS telling her she had received 10,000 rupees. The message, while drafted meticulously like the ones sent by banks, came from a personal number, not the commercial SMS dispatch services that banks use.

It was a crucial detail that Verma missed. She then received a message that said her account had been credited with another 30,000 rupees. Soon after, the man, who was still on the phone, said he had inadvertently sent her 30,000 rupees instead of the remaining 3,000 rupees. He then asked her to return the additional amount.

“I just didn’t know in that crowd whether I should put my phone to my ear or check (the messages and my bank account),” she told The Straits Times, explaining how she was caught at a vulnerable moment. Verma transferred 27,000 rupees to him without a second thought.

The scammer did not let up. He then sent her a message saying her account had been credited again, this time with 350,000 rupees, which he again asked her to repay. Ms Verma became suspicious and checked her account, realising she had not received a single rupee from him.

When she asked him to return her money, the man hung up. All this took place in less than five minutes in March.

Verma is among many Indians who have been duped on UPI, whose instantaneous ease has made users vulnerable to frauds with tactics that range from social engineering attacks such as vishing (voice phishing) to malicious QR codes that install malware to extract sensitive customer details like UPI PINs.

The number of such victims continues to surge in India, with online fraud becoming an easy way for the country’s scammers – many of whom come from its large pool of unemployed youth – to make a fast buck.

Domestic payment frauds on UPI jumped from 195,000 in the 2021 financial year (FY) to 725,000 in FY2023, with losses increasing from 1.1 billion rupees to 5.75 billion rupees in the same period.

As UPI continues its frenetic growth – in May 2024, the 14.04 billion transactions involved more than 20.4 trillion rupees – demands are growing for the government to put in place the necessary security infrastructure and raise consumer awareness to mitigate online fraud and avoid sullying India’s successful digital payments growth story.

According to a June survey on LocalCircles.com, a community-based social media platform, 47 per cent of urban Indian households confirmed experiencing one or more financial frauds in the last three years. Among them, 43 per cent were victims of credit card fraud, while 30 per cent experienced fraud via UPI transactions.

The National Payments Corporation of India (NPCI), which developed UPI, did not respond to a request for comment. However, the authorities have maintained that UPI’s structural integrity remains intact, and that these frauds instead exploit users’ vulnerabilities.

The government has defended UPI, stating that despite the rise in frauds, the ratio between fraud and sales in value terms has declined marginally. In FY2021, it stood at 0.0017 per cent, falling to 0.0015 per cent in FY2023 (until February 2023).

But these figures include only frauds that are reported to the authorities, with many more going unreported as users remain unfamiliar with the institutional set-up in place to lodge such reports. Local police officials are also reluctant to record complaints to avoid an increase in workload.

Verma, for instance, was told by local police officials that there “was no point in getting a report filed” as the money she had lost would not be recovered.

Prasanto Roy, a Delhi-based public policy consultant, said the rise in UPI scams is a “matter of very deep concern” as the platform is the cornerstone of India’s massive digital payments push.

“Not only is there a risk concentration in the platform, but it also becomes the focus of all scamsters,” he told ST, noting the need to “de-risk” by enabling other payment platforms to thrive, including mobile wallets, cards and UPI alternatives.

The government has also supported UPI’s growing international expansion in an effort to promote its digital public infrastructure globally. In February 2023, a UPI-PayNow linkage was introduced, enabling a sender in Singapore to make a real-time payment to a recipient in India as well as receive a similar payment from India.

Responding to a question from ST on whether the rise in UPI scams is a potential concern for users in Singapore, a Monetary Authority of Singapore spokesperson said a sender should always verify that he or she is making payment to the correct recipient.

“Consumers should never disclose banking credentials and passwords to anyone, and be vigilant against fraudulent attempts that appeal to friendship, fear or false representations of investments,” the spokesperson said.

In June, India’s central bank, the Reserve Bank of India, proposed the setting up of a “Digital Payments Intelligence Platform” to deploy advanced technologies such as artificial intelligence (AI) to mitigate payment fraud risks.

The government is also mulling over introducing a minimum time threshold for first-time transactions between two individuals beyond a prescribed amount. This could entail a four-hour delay for transactions above 2,000 rupees to minimise risks of fraud.

Some UPI users are adapting too, including by setting up secondary small-value bank accounts for online transactions to avoid losing large sums of money. NPCI also appointed noted Bollywood actor Pankaj Tripathi as UPI Safety Ambassador in November 2023.

Srikanth Lakshmanan, founder of Cashless Consumer, an online collective working to increase public awareness on digital payments, said the authorities must carry out far greater and effective consumer awareness drives each time a new UPI feature is launched for ease of use as such measures can at times also potentially introduce risks for users.

“You just can’t launch feature after feature without educating the consumer... It is like putting roads first without teaching people about traffic rules,” he told ST.

Lakshmanan also noted the need for the authorities to be more forthcoming in releasing data collected on financial fraud. Unlike perfunctory details such as the number of cases and types of fraud that are currently released, they also need to put out granular data, including names of telecom operators, banks and payment platforms used to perpetrate scams.

“We need such data for a consolidated analysis to actually say which are the rogue entities that are a paradise for these fraudsters and why is it so?”

While India has seen deep penetration of smartphones and the internet, digital literacy has lagged behind. India has more than 820 million active internet users, with more than half coming from rural areas where digital literacy, especially over financial transactions, is poor if not non-existent.

As the country seeks to move its one-billion-plus population to digital payments, most of whom have been long habituated to the simplicity of cash, Roy said it was important to bring in technology and user interface interventions to alert users to potential fraudulent transactions.

This could include warnings to customers not to enter PINs when they are expecting to receive funds. Many users have lost money to fraudsters who pretended to pay them but actually sent them malicious “collect requests”, asking them to enter their PINs under the guise of receiving money.

“You have to use technology, including AI, to ensure that basic social engineering fraud attempts are intercepted and user trust in the system is not violated,” Roy added. - The Straits Times/ANN