New UPI scam alert: If you’re not careful, UPI auto-payment setup request can siphon money from your account

The Unified Payment Interface (UPI) has made online payments much easier with its QR code and UPI ID system. However, the downside is that scammers who have your UPI ID can inundate you with requests to collect money or make automatic payments. If you inadvertently approve these requests, you end up paying the scammer so they can use your money for their purchases.

This is how easy it is to commit “UPI money fraud”

This scam works on a simple principle: you are deceived into believing a fake story or you are surprised and approve an unknown UPI request for money collection or auto payment. You may wonder why you would approve such unknown requests. The reason is that you may not be able to differentiate between a genuine and a fraudulent request. It is important to note that the money collection or auto payment request itself is valid, but the person initiating these requests is a fraudster.

Look at the image below: It shows an autopay request for Netflix. Can you tell if this is a genuine request from Netflix for your account or it is a request from scammers for their Netflix account? This is a genuine UPI autopay request initiated by a scammer from his/her Netflix account. So, if you accidentally approve this request thinking it is your own Netflix subscription, you are basically paying money for the scammer’s Netflix subscription. This is exactly how the scammers could try to steal your money from you if they know your UPI ID.

(The above image was shared by a user who does not use Netflix)

“UPI IDs are generally expressed as phone numbers followed by the UPI provider extension. This is exploited by fraudsters. Phone numbers and details are easy targets as phone numbers are often shared and given in many places – e-shopping, restaurants, malls, parking lots, etc. Since UPI IDs are easy to crack, customers using them for online and digital transactions need to be aware of the risks. There have been a number of fraud cases in the past where customers approved transactions thinking it was a receipt but ended up transferring money from their account,” says Vikram Babbar, Partner, EY Forensic & Integrity Services – Financial Services. He is also the Chairman of the Indian chapter of the Association of Certified Financial Crime Specialists (ACFCS).

A UPI user who wishes to remain anonymous shares her experience: Over the past few weeks, she has been receiving many UPI money collection and automatic payment requests from Netflix, Google Pay, etc. on her Paytm account. However, none of these collection or automatic payment requests were initiated by anyone she knows and she does not have a Netflix subscription or Google Pay account. The following image shared by the user shows genuine UPI money collection requests received from unknown people.

“Since UPI IDs are essentially an extension of phone numbers, they can be easily duplicated or generated in different formats. This makes it easy for spammers to create multiple fake IDs and bombard users with requests,” says Sheetal R Bhardwaj, board member of the MENA chapter of the ACFCS.

What should you do to prevent such fraud from happening to you?

“Senior citizens are vulnerable to fraud and are considered as ‘mule accounts’. They should avoid directly linking their bank accounts with UPI ID and use a wallet with limited balance. This helps avoid high-value fraud. If they suspect anything, they should consult family members,” says Babbar of EY India.

Babbar informs that the UPI service providers themselves have taken additional measures to raise awareness among customers. “In some cases, such as high-value transactions outside the normal pattern, customers are warned before entering the UPI PIN that it is a payment transaction and not a receipt transaction,” he says.

Bhardwaj gives seniors some tips on how to use UPI safely:

• Higher risk of fraud: Older people may be less familiar with digital payment systems and the potential for fraud and hence are more vulnerable to fraud. Therefore, always check the UPI address and ask the intended recipient or service provider about its authenticity.
• Emotional manipulation: Scammers often use emotional tactics, such as pretending to be a family member in need. Older people may be more likely to respond to these manipulative tactics, which can lead to potential financial loss. Be aware of these tactics and do not give in to such solicitations.
• Education and awareness: It is important that seniors are informed about the risks associated with UPI transactions and know how to recognize legitimate requests. It may also be helpful to encourage them to consult trusted family members or friends before accepting such UPI requests.

What experts recommend to the government and other companies

According to Shobhit Goyal, Founder and CEO of BeFiSc, “NPCI should create or mandate every UPI wallet to create a security layer for sending autopay requests. UPI ID should not have a 10-digit mobile number, instead name or initials of name can be added so that auto-generation of UPI ID can be stopped. There can be numerous other technical solutions but the point is that NPCI should acknowledge this and consider it a big problem that needs to be solved. Unfortunately, there is no service if users want to disable autopay requests permanently, although they can reject the request. NPCI should come up with this feature.”

Bhardwaj points out that many UPI platforms may not have stringent measures in place to verify the authenticity of bulk or automated payment requests. “The lack of robust verification allows spammers to exploit the system more easily,” she says.