Unified Payments Interface (UPI) has revolutionised the way India transacts. It has gained popularity across the country given its unparalleled convenience and efficiency when conducting small-value transactions like buying vegetables or paying a plumber. NPCI data show that a majority of the transactions, around 73 per cent, are peer-to-peer and the average value of transactions was ₹1,477 as of April 2024.
However, alongside this rapid growth, there has been a concomitant rise in scams through UPI. Per recent inputs from the Indian Cybercrime Coordination Centre (I4C, Ministry of Home Affairs), most of the cybercrime complaints registered are financial (around 85 per cent). A report by the Future Crime Research Foundation in 2023 found that online financial fraud accounted for 77.41 per cent of all cybercrimes in India, of which 47.25 per cent were via UPI. Dvara Research undertook a study that looked at ways to curb scams over UPI.
Scams over UPI typically manifest through social engineering, phishing or other ways to exploit user or system vulnerabilities. In social engineering frauds, scamsters manipulate users and exploit their naivety. In several of these cases, victims directly or indirectly contribute to the scam by authorising transactions, despite not intending to do so. We refer to these as Authorised but Unintended (AbU) transactions.
With 95.5 per cent of the total transactions taking place on popular Third-Party Application Providers (TPAPs), these apps play a crucial role in the UPI ecosystem. Since more than 80 per cent of UPI transactions are less than ₹500 each (derived from NPCI data), small-ticket frauds are likely to go unreported. Hence, we focus on what more providers can do inside their UPI apps to prevent their users from falling prey to fraudsters.
In-app user education
The first line of defence against UPI scams is a well-informed user base. The proliferation of smartphones and the convenience of UPI has attracted many first-time digital payment users. However, a limited understanding of UPI features beyond basic functions (like sending money via mobile number or QR code) makes users, especially those less digitally savvy, more susceptible to scams.
Because users learn essential functions by rote and through visual cues, many do not explore other app features. While fraud awareness campaigns are helpful, they may not by themselves be sufficient to prevent users from falling prey to scams, especially those where emotions such as fear, greed, guilt or shame may take over at the time of being defrauded. Ongoing awareness campaigns can be updated to include tools that help users identify the ‘hot state’ they are in when faced with manipulation from scamsters, and to pause and reflect before acting impulsively. They can also provide clear instructions on reporting fraud if users fall victim.
Regular alerts and in-app notifications about common scam techniques and precautionary measures can keep users vigilant. For instance, emphasising that users should not download applications from portals other than authorised app stores, or share UPI PINs or OTPs (One-Time Passwords) with anyone, even bank representatives, can reduce instances of AbU transaction scams. Similarly, interactive tutorials and pilot transactions in a sandbox environment, as in video gaming, can be deployed when apps onboard new users, when an app introduces new features or when a user attempts to use a new feature within the app. For example, if a user is detected to be interacting with a Collect Request for the first time, emphasising the result of accepting such a request can reinforce the user’s comprehension of the feature.
Authentication mechanisms
The prevalence of fraudulent actors in the UPI ecosystem calls for active countermeasures to curb their entry. Vulnerabilities in the KYC norms for availing SIM cards, bank accounts being operated by persons other than the account owner, and Aadhaar number leaks carry over into the UPI ecosystem, and authorities are already taking stringent steps to plug these loopholes.
In August 2023, the Department of Telecommunication (DoT) issued a directive to overhaul the KYC norms to tackle the issue of fake SIM cards. The I4C reported freezing 3.25 lakh “mule” accounts (bank accounts used for laundering cybercrime funds by using KYC documents of others) in the last four months, amongst other actions against malicious URLs, mobile apps, SIM cards and IMEI numbers. The NPCI, too, is considering the blocking of inward credit for inactive UPI IDs.
TPAPs may complement these efforts by reconsidering their user onboarding process. Reviving existing mechanisms such as Central-KYC or Unique Customer Identification Code (UCIC) could help improve our ability to prevent the entry of malicious users into the ecosystem. On this front, the NPCI discussed the use of Aadhaar OTP-based and Digilocker-based UPI onboarding during its UPI and Services Steering Committee Meeting in January 2024.
Positive frictions
Positive frictions at the time of authorising transactions can include confirming or validating the necessary actions through multiple screens, displaying cautionary messages when the next screen is loading, or introducing multiple layers of authentication (such as mobile OTPs) for payment amounts above a certain threshold. This will reduce the speed of transacting but will also give users some moments of pause before authorising the payment. Users should have the option to disable these frictions if they choose to, but they may be enabled by default.
Enhancing the UPI app experience to reduce users’ susceptibility to scamsters and other criminals is a multifaceted endeavour. The rapidly evolving nature of scams means that new vulnerabilities can emerge unpredictably. It is vital to remain agile and responsive to emerging threats and user needs. Information sharing and coordinated action among system participants, regulators and investigating parties will be crucial to combat these scams.
The writers are Researchers at Dvara Research