ADVERTISEMENT

As UPI frauds net Rs 2,145 cr in less than three years, experts call for stronger laws against cybercrime

As digital criminals grow more and more creative in the age of AI, cyber security experts underline need for concerted action – including from you, the user

Aniket Jha
Published 03.12.24, 12:54 PM

India’s Unified Payments Interface (UPI), hailed as a global benchmark for payment innovation, has revolutionised digital transactions with its seamless QR code and UPI ID system. A concerning rise in fraudulent activities has accompanied this rapid adoption.  

1 8
According to a 2024 report by global payments technology company ACI, a whopping 49 per cent of real-time payments transactions across the world take place in India. (Shutterstock)

In the ongoing financial year (2024-25) until September, people across the country reported losing a staggering Rs 485 crore across 6.32 lakh cases of UPI-related fraud, according to data given by Pankaj Chaudhary, Union minister of state for finance, in Parliament on November 25.

In 2023-24, about 13.42 lakh fraud cases caused a loss of Rs 1,087 crore. This was an almost 100 per cent increase from 2022-23 when 7.25 lakh fraud cases led to a loss of Rs 573 crore.

That adds up to Rs 2,145 crore in less than three years. 

“The world lost over $6 trillion to cybercrime in 2023, and this figure is projected to exceed $8 trillion by the end of 2024 and a staggering $10.5 trillion by 2025,” said Dr Pavan Duggal, Supreme Court advocate and cyber law expert. 

“Cybercrime has become a global menace, but India, as the world’s most populous nation, faces unique challenges,” he said.

“India’s relatively weak cybercrime laws and a dismal conviction rate of less than 1 per cent have turned the country into a testing ground for new cybercriminal activities. Perpetrators are using India as a guinea pig to experiment with innovative ways to defraud people of their hard-earned money,” he added, underlining the urgent need for stronger regulatory frameworks and enforcement.

UPI has emerged as the most preferred mode of real-time payments for millions across India, thanks to its user-friendly interface and the expanding network of participating banks and fintech platforms.

Since its launch in April, 2016 there has been rapid adoption with the number of UPI transactions growing from 92 crore (of Rs 1 lakh crore) in 2017-18 to 13, 116 crore (Rs 200 lakh crore) in 2023-24. 

According to a 2024 report by global payments technology company ACI, a whopping 49 per cent of real-time payments transactions across the world take place in India. 

“While people have enthusiastically embraced digital payments, they have yet to incorporate cyber security, cyber hygiene, or cyber resilience into their daily lives,” said Duggal. 

“Without these practices, economies are suffering — and India, in particular, is bleeding due to the rising tide of cyber fraud and cybercrime.”

2 8
Downloading APK files from corrupted or untrustworthy websites can lead to installation of malware which are harmful, according to experts. (TTO graphics)
ADVERTISEMENT

How are these frauds done?

Professor Triveni Singh, former IPS officer and head of the Future Crime Research Foundation, an IIT-incubated startup, shared some of the latest tactics used by scammers in the digital world.

“Scammers are increasingly using APK files, a type of malware, which can be embedded in various forms, such as through wedding cards or other innocuous-looking files. Once a person downloads these files, the malware gains access to the phone, allowing it to perform a wide range of malicious activities, including reading OTPs, accessing UPI details, and even operating the phone remotely,” he explained.

APK files, or Android Package Kit files, are files used to install apps on Android devices. All Android apps, including those downloaded from the Google Play Store or downloaded manually, use APK files.

Downloading the files from corrupted or untrustworthy websites can lead to installation of malware which are harmful, according to experts.

3 8
Shutterstock

Fraudsters send QR codes claiming they are for cashback offers or refunds. Scanning these codes leads to phishing websites or malware installation, allowing fraudsters to steal credentials or initiate unauthorised transactions.

Fraudsters also place fake QR codes over legitimate ones — on parking meters, donation boxes, etc. When users scan them, the payment goes to fraudsters’ accounts.

“Another alarming method involves scammers swapping QR codes in small shops and businesses to divert payments. This practice is becoming more common, allowing criminals to trick unsuspecting merchants into making payments to their own accounts,” Singh said.

He emphasised the growing sophistication of cybercriminals and the need for heightened awareness and security measures.

Real experiences often travel to the reel. In the Tamil action movie Vettaiyan, Actor Fahadh Faasil portrays a character called Cyber Patrick Battery. How does he scam people? He goes to shops and swaps QR codes.

4 8
Shutterstock

How to protect yourself from cyber fraud

“Ensure your devices are protected with a reliable antivirus program and an activated, robust firewall,” advised Duggal.

“Limit the sensitive information stored on your devices — many unknowingly save banking details or credit card information on their phones, leaving themselves vulnerable to cyberattacks.

“Make data backups a regular habit. Too often, people believe cybercrime won’t affect them, only to realise the importance of backups when it’s too late,” he added.

5 8
Charcoal_burst/Reddit

The rise of call bombing and message bombing websites has added a new layer of complexity to cyber fraud. These websites, easily accessible through a quick Google search, allow users to flood a target phone number with endless OTP notifications.

Scammers exploit this tactic to create confusion. By overwhelming the victim with fake OTP notifications, they can slip in a real OTP request amidst the chaos, tricking the victim into sharing it.

Once the legitimate OTP is shared, scammers gain access to sensitive accounts or UPI wallets, enabling them to steal money.

“Never share your OTP over the phone or install apps like Anydesk or Quicksupport on the advice of a scammer,” said cyber security expert Sandeep Sengupta, CEO of the Indian School of Anti-Hacking.

“Be cautious about trusting every website you find through a Google search — many are fraudulent. Always enable two-factor authentication on platforms like Gmail, Facebook, Twitter, and LinkedIn to enhance your security.”

6 8
Representational image - TTO graphics

Ways to hack get more creative every day

A 27-year-old software engineer lost nearly Rs 2 lakh to a fraudster within minutes of listing his air cooler for sale on OLX, according to a report in The Times of India published in September 2024.  

“The victim received a response within three minutes of posting the advertisement. The respondent, who identified himself as Srikanth Verma, duped the victim by repeatedly sending QR codes under the pretense of payment, eventually siphoning off over Rs 1.9 lakh.”

Senior citizens, of course, remain a favourite target of cyber fraudsters. A Kolkata-based Indian classical musician, who is now deceased, lost Rs 50,000 within minutes of his sharing an OTP with a fraud caller. 

The musician’s wife had undergone treatment in a Delhi hospital and he had applied for medical insurance reimbursement. The fraud caller had all details and had said they needed the OTP to process the payment.

What to do if you are the victim of cyber fraud

When asked about effective redressal mechanisms for UPI fraud victims, Pavan Duggal emphasised the importance of immediate action.

“If you notice an unauthorised transaction, report it promptly through the National Cyber Crime Reporting Portal at cybercrime.gov.in,” he said.

You can also call the National Cyber Crime Helpline at 1903, where trained police officers work directly with banks to resolve such cases,” he explained.

The Supreme Court advocate highlighted that if the money is still within the banking system when reported, authorities can freeze the transaction, increasing the likelihood of recovery.

Delays may allow the funds to move out of the system, making recovery nearly impossible.

“Quick action is crucial to minimising losses,” he advised.

He highlighted an additional remedy for victims of unauthorised transactions.

“Under the RBI’s zero liability notification issued on July 6, 2022, you can request your bank to reimburse the lost amount. The bank is obligated to compensate you, provided there is no negligence or wrongdoing on your part, and no unlawful activity is involved,” he explained.

“If the bank fails to return your money, you can seek compensation under the Consumer Protection Act by approaching the National Consumer Disputes Redressal Commission or the respective State Consumer Redressal Forums,” he added.

7 8
Shutterstock

What the government is doing to fight cybercrime

MoS finance Chaudhary, in his reply, highlighted several initiatives undertaken by the government, the Reserve Bank of India and the National Payments Corporation of India (NPCI) to combat payment-related fraud, including those involving UPI transactions. 

These measures include device binding, which links a customer’s mobile number to their device, two-factor authentication using a PIN, daily transaction limits, and restrictions on specific use cases. 

The NPCI provides banks with an AI- and machine learning-based fraud monitoring solution that helps detect and mitigate fraudulent transactions by issuing alerts or declining suspicious activities. Public awareness campaigns, such as SMS alerts, radio campaigns, and other promotional efforts, have also been launched by the RBI and banks to educate citizens about preventing cybercrime.

“The government has established the Indian Cybercrime Coordination Centre (I4C) under the Union home ministry to create a coordinated and efficient response to cybercrime across the country,” Triveni Singh said. 

The I4C serves as a central hub for cybercrime-related data, enabling better coordination between states and national agencies.

But disposal of the cases by police has been abysmal.

According to a report by the data journalism portal Factly, between 2016 and 2021, on average, only 35 per cent of the digital fraud cases were disposed of by the police. The rest of the cases were pending for further investigation.

Duggal emphasised the importance of raising awareness through mass communication platforms like television and radio, along with mandating service providers to disseminate public safety messages to users on their platforms.  

Sengupta highlighted two critical measures: “First, there must be a mechanism for the quick reversal of funds to victims if fraud is reported promptly. And amending existing digital and cyber laws is crucial to address the evolving nature of cybercrimes.”

8 8
TTO graphics

How AI is enabling cybercriminals 

According to Sakkshar Duggal, a Delhi high court lawyer specialising in cyber and intellectual property rights, there are two significant AI tools enabling cybercrime: deepfakes and voice cloning. 

“AI has revolutionised fraud tactics, especially with advancements in deepfakes and voice cloning. For instance, I recently encountered a case in Bengaluru where a man received a call from someone mimicking his uncle. Previously, fraudsters would rely on imitating voices, but with voice cloning, it’s almost impossible to tell the difference. The caller, sounding exactly like his chacha, claimed to be using a new number and requested ₹25,000, successfully duping the victim,” Duggal explained.

AI is also a powerful ally in the fight against cybercrime, noted Sengupta. 

“It is increasingly being utilized for fraud detection and prevention," he said.

Dr. Pavan Duggal also underscored the responsibility of service providers in this ecosystem: “Service providers must be compelled to implement robust security measures on their platforms. When facilitating financial transactions, ensuring user safety should be their top priority.”

Digital Transactions QR Code Pankaj Chaudhary Cyber Security Malware Attack OTP Phishing Fahadh Faasil Antivirus Software Artificial Intelligence
Follow us on:

MORE IN PICTURES

ADVERTISEMENT

Share this article