Late October, at least three bank customers in Kerala found their accounts wiped clean.
They had one thing in common: all used a United Payments Interface (UPI) smartphone application for "account to account" electronic cash transfer. In total, they had lost ₹12 lakh in a “blink”.
Inspector General of Police Manoj Abraham, chief, Kerala Police Cyberdome, told The Hindu that the fraud was “ingenious”. The con men had “hijacked” the accounts of the victims through an elaborate and technically complicated phishing trick.
They pulled off the con by downloading a UPI application on their smartphones. The victims told the police that the phishing messages appeared to be from their bank. The fraudsters then used the phone number and account details of the victims to complete the activation of the UPI app on their mobile. They then used the “hijacked app” to move money out of the accounts of their unsuspecting victims.
It remained a mystery how the con men chose their targets. The police are investigating the angle.
The hackers also tricked the victims into parting with their bank ID password, one- time passcodes and credit and debit card numbers. The police said the hackers transferred the money from the compromised accounts to a few account they operated under fictitious names in rural Jharkhand.
The Cyberdome has traced the mobile phone numbers used for the fraud.
“We have their numbers, not their real-world identity. Officers in Jharkhand are on their scent,” an investigator said.
Investigators said some phone payment apps that facilitated account to account transfers did not always notify customers of the digital transactions.
The con men had exploited the weakness. The victims had come to know about their losses only belatedly. They, later, told investigators that their attempt to curtail the illicit cash transfers by blocking their credit/debit cards were in vain. The beleaguered banks had to freeze the imperilled accounts finally.
The police have written to the Reserve Bank of India (RBI) about the fraud. They have also asked UPI services to use more anti-fraud protections such as two-way passcode authentication and analysis of customer payment behaviour to prevent rogue cash transfers.