Payment Frauds And Cyberattacks Rise In The Wake Of Covid-19 Pandemic

The Covid-19 pandemic has opened up new avenues for fraudsters trying to hoodwink unsuspecting customers.

A lock screen from a cyber attack warns that data files have been encrypted on a laptop computer. (Photographer: Simon Dawson/Bloomberg)
A lock screen from a cyber attack warns that data files have been encrypted on a laptop computer. (Photographer: Simon Dawson/Bloomberg)

The Covid-19 pandemic has opened up new avenues for fraudsters trying to hoodwink unsuspecting customers. More and more customers have moved to digital payments for items ranging from groceries to bill payments due to restrictions on movement placed to curb the spread of the virus. A fallout of this has been increased frauds.

On June 22, the Reserve Bank of India issued an advisory to all payment system operators and participants, saying that customers must be alerted about cyberfrauds and threats. “Incidence of frauds continue to bedevil digital users, often using the same modus operandi users were cautioned about, such as luring them to disclose vital payment information, swapping sim cards, opening links received in messages and mails, etc. There are also cases of users being tricked into downloading spurious apps that access critical information stored on devices,” it said.

All authorised payment systems operators and participants are hereby advised to undertake targeted multi-lingual campaigns by way of SMSs, advertisements in print and visual media, etc., to educate their users on safe and secure use of digital payments, the RBI added.

Old Tactics, New Targets

Payment industry executives say that while the nature of frauds has not changed, fraudsters have changed the way they approach vulnerable customers.

“One of the main tactics we have seen this time around is fraudsters, pretending to be bank employees, were asking customers to pay a fee in order to avail the RBI moratorium on equated monthly instalments on their loans. These were done either through ‘collect requests’ on UPI, asking customers to send money to a particular UPI ID or by sharing their card details,” said Anuj Bhansali, head of fraud and risk prevention at PhonePe.

‘Collect requests’ are transactions initiated by merchants. These transactions are like invoices sent by the payee to the payer, who approves the request to make a payment on their UPI application.

Also, since most consumers are at home and prefer to buy groceries and other goods online, Bhansali said fraudsters have also been able to defraud those who searched for such services online through fake websites and mobile numbers. “Merely clicking on a link does not lead to a fraud. In most cases we have seen, where a link is sent through a text message, the fraudster calls the customer and seeks more details,” he said.

A second payments industry executive said that users often fall for these scams since phishing emails and texts include the brand name or logo of a known company.

In a collect request fraud, many customers do not check the UPI ID. But sometimes the fraudster creates a UPI ID with a known brand name, so the customer will accept the request and make the payment because they believe the UPI ID is genuine, the person said on the condition of anonymity.

One example of this type of fraud emerged when a wave of fake but seemingly authentic UPI IDs lured consumers to make donations to the Prime Ministers’ Citizen Assistance and Relief in Emergency Situations Fund.

The payments executives quoted above said that most payments companies were able to de-list these UPI IDs and only allow customers to send donations to the verified PM CARES UPI account, although many customers may have been defrauded before this.

The tactics and methods used by fraudsters have remained the same but their messaging has evolved throughout the last few months, said Himanshu Dubey, director, Quick Heal Security Labs. “Attackers have leveraged the pandemic to defraud customers through false websites that market pharmaceutical products like medicines or face masks, for instance,” he said.

Types Of Phishing Attacks

There are several phishing tactics employed by fraudsters which include:

  • Dubious emails or SMSs using the brand name and/or logos of known companies that ask customers to share sensitive information or download files or applications with a malware.
  • SMS with links to update Know-Your-Customer details.
  • Extracting One-Time-Passwords, Card or UPI PIN numbers through telephone calls, texts or online forms.
  • Illegitimate but authentic UPI handles so the customer sends money to the wrong account.
  • ‘Collect request’ frauds wherein merchants pretend to send a payment but actually pull money from the customers’ UPI wallet.

Over last two months, banks and payment companies have also been alerting their customers to beware of such potential fraud attempts.

A popular phishing tactic used by fraudsters is to send customers a message with a website link for them to update their Know-Your-Customer details.

Paytm, for instance, has been plagued by this problem losing over Rs 10 crore of their customers’ money to fraudsters between June 2019 and April 2020, according to a petition filed by the company with the Delhi High Court against the government and telecom companies.

The fraudster sends the customer a text message, stating that their account is suspended and that have to update their KYC details through a particular website, to continue using Paytm’s application.

Once the customer clicks on the link in the SMS and fills in their details on an illegitimate website, fraudsters call the customer and seek more information such as their bank details. Thereafter, money is withdrawn from the customers’ Paytm account. According to the petition, a copy of which BloombergQuint has seen, fraudsters also lure customers to claim a cashback or win prizes through these false links and online forms.

Queries sent to Paytm went unanswered.

How Big Is The Problem?

Data on the increase in frauds in recent months is not available. However, over the last three months, government organisations such as CERT-IN, state police authorities, the RBI’s IT and cyber-security arm ReBIT Pvt. Ltd. and the Central Bureau of Investigation have been issuing alerts on the rise in cyber threats in the wake of the Covid-19 pandemic.

In its June newsletter, ReBIT said the surge in cyber crime and frauds during the recent months is due to the shift in work environments, forcing organisations to allow their employees to work from home.

Cyberattacks and fraud campaigns are being perpetrated with Covid-19 and related government relief themes to increase their success rate and take advantage of public susceptibility during this time. Banks and other financial institutions should place checks to identify and scrutinize attempts to open/operate accounts and UPI IDs with names similar to any Covid-19 relief effort or fund.
ReBIT June Newsletter

Individual customers are not alone in seeing an increase in fraud risk. Institutions are also seeing elevated threats.

In April this year, hackers targeted institutions like the RBI, the Department of Refinance within the National Bank for Agriculture and Rural Development and IDBI Bank, with emails which contained a malware, according to IT Security company ZScaler.

Similarly, researchers from QuickHeal Technologies found that Indian cooperative banks were also targeted through phishing emails in April this year. The email claimed to be from the RBI but contained an excel file that had a malware, which would be downloaded on to the receiver’s computer allowing the hacker to gain administrative control.