How Not To Be a Victim of UPI Frauds

Recently, a Moneylife reader complained about how his brother lost about Rs1 lakh through the unified payments interface (UPI) after he linked his State Bank of India (SBI) account to the GooglePay app. Someone hacked into his GooglePay account and transferred his money into a Paytm account through UPI.

He immediately contacted SBI and Paytm, but has been unable to get any response from either of them. He is finally approaching the police to file a first information report (FIR). Four banks, Axis Bank, HDFC Bank, ICICI Bank and SBI, act as acquiring banks for GooglePay in India.

This, however, is not the lone incident where a UPI app was used to siphon off money. Last year, three bank customers from Kerala found their accounts wiped clean through a UPI app for account-to-account cash transfer. They lost Rs12 lakh in a blink, says a report from The Hindu. The police said the hackers transferred the money from the compromised accounts to a few accounts they operated under fictitious names in rural Jharkhand.

So what is UPI and why is there an increase in the number of frauds taking place through this interface?

According to the National Payments Corporation of India (NPCI), which created UPI, it is a system that powers multiple bank accounts into a single mobile application (of any participating bank), merging several banking features, seamless fund routing and merchant payments under one hood.

UPI also caters to the 'peer to peer' collect request that can be scheduled and paid as per requirement and convenience.

To use UPI, the bank customer needs to download a mobile app that facilitates such transactions. Since there are no restrictions, the user can use any app from a private developer or one provided by her bank.

The user needs to create a virtual ID or payment address and password and then link her bank account/s with this ID. The user is also required to create a UPI personal identification number (PIN) used for carrying out transactions. Using these credentials, the user can transfer (push) or request (pull) money through the UPI app.

If the transaction is successful, there are no issues. However, in case there are some issues or someone illegally accesses the UPI account and siphons money from the user’s bank account, there is no one to help her.

NPCI, Not Responsible!

NPCI, a Section 25 company created under the Companies Act, says it should not be held responsible for any loss, claim or damage suffered by the user.

In its terms and conditions for use of the Bharat Interface for Money (BHIM) UPI app, the company says, "NPCI does not hold out any warranty and makes no representation about the quality of the UPI services or BHIM application. The user agrees and acknowledges that NPCI shall not be liable and shall in no way be held responsible for any damages whatsoever whether such damages are direct, indirect, incidental or consequential and irrespective of whether any claim is based on loss of revenue, interruption of business, transaction carried out by the user, information provided or disclosed by issuer bank regarding user’s account(s) or any loss of any character or nature whatsoever and whether sustained by the User or by any other person. While NPCI shall endeavour to promptly execute and process the transactions as instructed to be made by the user, NPCI shall not be responsible for any interruptions, non-response or delay in responding due to any reason whatsoever, including due to failure of operational systems or any requirement of law."

The T&C (terms & conditions) of NPCI are not easily available and one needs to search for them. But whatever is stated in the T&C document appears completely one-sided.

Take, for example, point 6.2, which emphasises that only the user is responsible for any failed transaction or any loss and neither NPCI nor the bank can be held responsible. It says, "NPCI shall not be liable for any loss, claim or damage suffered by the User and/or any other third party arising out of or resulting from failure of any transaction initiated via BHIM App on account of time out transaction i.e. where no response is received from NPCI or the beneficiary bank to the transaction request. NPCI or the beneficiary Bank shall also not be liable for any loss, damage and/ or claim arising out of or resulting from wrong beneficiary details, mobile number and/or account details being provided by the User."

This means that even if NPCI or the bank fails to send the necessary response, it is the user who is liable for the loss. Therefore, NPCI, the developer and promoter of the BHIM UPI app, and the banks on its platform are under no obligation to send responses to these transactions within time.

"NPCI shall not be responsible for any electronic or mechanical defect, data failure or corruption, viruses and bugs or related problems that may be attributable to User telecommunication equipment and/ or the Services provided by any Service Provider," it says.

So how do frauds through UPI take place? At the base level, they happen due to one of two factors: either the user shared information with someone, or there is some bug or trap in the app used for the transactions.

In the above-mentioned case from Kerala, the users were made to share their personal information, bank and card details along with PIN and one-time passcode (OTP) with ‘their bank officer’, who had called them on the phone. Using these credentials, the fraudsters created another account on a UPI app and transferred funds to other account/s.

Two years ago, fraudsters siphoned about Rs25 crore from Bank of Maharashtra using a bug in the Bank’s UPI app. The fraudsters exploited this bug to make the Bank send two messages for a single transaction.

Under normal circumstances, when the UPI app receives a request for fund transfer, it sends a query to the other party and, after obtaining acceptance, checks fund availability in the UPI-linked bank account of the sender. In the Bank of Maharashtra case, the bug sent two messages, first a ‘success’ and then (after a few seconds) an ‘error: insufficient funds’.

However, since NPCI reads only the first message, the payment transactions were cleared even when there were no funds in the bank accounts of the customers. (Read: UPI bug costs Bank of Maharashtra about Rs25 crore)
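To make the settlement flaw concrete, here is an added Python model written for this article; it is not NPCI's, Bank of Maharashtra's or any UPI app's code, and the message format, transaction ids and sample stream are constructed. It contrasts a switch that treats the first reply to a debit request as final (so a later ‘insufficient funds’ error is simply discarded) with one that records every reply and holds a transaction for reconciliation whenever the replies for it disagree.

```python
"""Toy model of a 'first response wins' settlement flaw (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Response:
    """One message from the issuing bank about a debit request (constructed format)."""
    txn_id: str
    status: str  # "SUCCESS" or "FAILED"
    seq: int     # arrival order at the switch


# Constructed sample stream, not real traffic. T2 reproduces the pattern in the
# article: a 'success' followed seconds later by an 'insufficient funds' error.
RESPONSES: List[Response] = [
    Response("T1", "SUCCESS", 1),
    Response("T2", "SUCCESS", 2),
    Response("T2", "FAILED", 3),   # late error for T2: insufficient funds
    Response("T3", "FAILED", 4),
    Response("T3", "SUCCESS", 5),  # late success after a failure
    Response("T4", "SUCCESS", 6),
    Response("T4", "SUCCESS", 7),  # harmless retransmit of the same answer
]


def settle_first_wins(responses: List[Response]) -> Dict[str, str]:
    """Flawed settlement: the first message seen for a txn_id is final and
    everything after it is discarded, so T2 is credited even though the
    bank later reported that the payer had no funds."""
    decided: Dict[str, str] = {}
    for r in responses:
        decided.setdefault(r.txn_id, r.status)
    return decided


@dataclass
class Ledger:
    settled: Dict[str, str] = field(default_factory=dict)      # txn_id -> status
    held: Set[str] = field(default_factory=set)                # needs reconciliation
    history: Dict[str, List[str]] = field(default_factory=dict)  # every message kept


def settle_with_reconciliation(responses: List[Response]) -> Ledger:
    """Hardened settlement: every message is recorded, a transaction stays
    settled only while all of its messages agree, and a conflicting message
    moves it to a hold set for reconciliation with the bank instead of being
    silently ignored. An identical repeat is treated as an idempotent retry."""
    ledger = Ledger()
    for r in responses:
        ledger.history.setdefault(r.txn_id, []).append(r.status)
        if r.txn_id in ledger.held:
            continue  # already flagged; keep collecting the record only
        if r.txn_id not in ledger.settled:
            ledger.settled[r.txn_id] = r.status
        elif ledger.settled[r.txn_id] != r.status:
            del ledger.settled[r.txn_id]   # withdraw the provisional decision
            ledger.held.add(r.txn_id)
    return ledger


def wrongly_credited(responses: List[Response]) -> List[str]:
    """Transactions the naive switch would clear that the careful one holds:
    this is the money at risk from the flaw."""
    naive = settle_first_wins(responses)
    careful = settle_with_reconciliation(responses)
    return sorted(t for t, s in naive.items() if s == "SUCCESS" and t in careful.held)


if __name__ == "__main__":
    print("first-wins:", settle_first_wins(RESPONSES))
    ledger = settle_with_reconciliation(RESPONSES)
    print("settled:", ledger.settled, "held:", sorted(ledger.held))
    print("wrongly credited by first-wins:", wrongly_credited(RESPONSES))
```

The point of the hold set is that a conflict between two replies about the same transaction is itself evidence that something is wrong, and the safe response is to stop and reconcile with the issuing bank, not to pick one reply by arrival order.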

This is an interesting situation because the money was taken from accounts which did not have the necessary funds. So, who will bear the loss? As per NPCI's T&C, it cannot be the company or the bank, but the user. However, in this case, the user was not even aware of this fund transfer. In addition, NPCI is not under any obligation to keep a record of instructions, making the job of the investigating agencies difficult.

As pointed out by Hyderabad-based technology expert Srikanth (@logic), there is virtually no support from banks, payment service providers or financial technology entities for consumer grievance redressal for UPI. At the same time, there are a number of 'call centres' luring duped customers under the pretext of helping resolve the UPI issue, he says.

"#UPI support is so absent from banks / PSPs / technology giants that people setup & advertise fake call centers to attract people who have already lost some money in transactions to extract info & defraud them #DigitalPayments #Trust cc @Moneylifers @suchetadalal @amol_kulkarni1 pic.twitter.com/EGsZs4UjWU" — Srikanth (@logic), April 12, 2019

Use Other Options

This brings us to the most important part: how can one protect herself from becoming a victim of UPI frauds? Do not use UPI or any system that uses a virtual ID and, thus, makes it difficult to track the beneficiary or trace the route of the transaction. If you want to use UPI, the least you can do is use the app provided by your own bank and not one by any third party. At every step in the UPI transaction, take a screenshot on your mobile so that you have a record, in case something goes wrong.

For online money transfers, banks use two payment systems, National Electronic Funds Transfer (NEFT) and Real Time Gross Settlement (RTGS), which have a permanent audit trail for each transaction. In NEFT, you can transfer funds up to Rs2 lakh directly into the bank account of the beneficiary in the hourly schedule of payables and receivables from each bank.

For transferring Rs2 lakh and above, you need to use RTGS, where the money is moved directly from your account to the beneficiary’s account. In both NEFT and RTGS, if the transfer fails, your money is credited back in your account. Both NEFT and RTGS charge a small fee.

In addition, if you want to transfer a small amount instantly, you can use the immediate payment service (IMPS). Many banks offer this service through their official mobile app. For transactions up to Rs1 lakh, you need to pay Rs5 plus taxes for IMPS.

UPI also levies a fee for every transaction. For transactions up to Rs1,000, the charge is 10 paise and for transactions above Rs1,000, it is 50 paise per transaction. According to reports, so far, UPI has predominantly been used for person-to-person fund transfers, with merchant transfers accounting for just 15% of volume.