“Your phone is your wallet,” said Bill Gates in 1996. It sounded right out of the soon-to-be launched Harry Potter fantasy-fiction series!
In just a couple of decades, it’s an everyday reality, and how! Not an elitist, exclusive or luxe technology. I just paid the milkman with my UPI app and so, I am sure, do you. Mr. Anand Mahindra just tweeted a photo of a ceremonial cow, like our own boom-boom maadu down South, on whose forehead is pasted a QR code to scan and make a donation.
UPI, the payment method at the basis of this, has cut across the Indian socio-economic digital divide quite well and amazingly fast. However, it is a different type of digital divide that we should watch out for, namely, the chances of being defrauded when we use our phones to pay.
What is UPI
First came Internet banking, more than 15 years ago, relieving us of physical cheques, exchanging them in person or through post, presenting them at a bank, and waiting for funds to be realised. All of this could take up to 15 days depending on the location of the two banks, banking holidays and postal delays.
It was magical to sit at your computer and make these NEFT (National Electronic Funds Transfer) payments, which would be realised in just two or three days. Soon, the service segmented itself into near instant payment for large amounts (RTGS or Real-Time Gross Settlement) and instant payments without waiting to enable a payer account (IMPS or Immediate Payment Service), handy for one-time payments.
When smartphones and apps took over, Internet banking moved to apps and IMPS transformed into mobile wallets, which was one step removed from your bank account. You had to put money from your bank account into the wallet and know information about my wallet to pay me, more complicated if you and I dealt with different banks.
This struggling step that saw lukewarm response evolved in 2018 into United Payments Interface or UPI-based payments. UPI is the clearing house for payments across almost every bank. Pick an app, download and install it on your smartphone, authenticate your SIM through an OTP process, enable your (same) mobile number-linked bank account, and you are good to go. You can make or receive payments and also check your balance.
You can feed a bank account number and IFSC (Indian Financial System Code) as for NEFT and start paying! In the far simpler world that we live in, your vendor’s VPA or virtual payment address, is sufficient. This will be vegetableshop@bankname or even mobilenumber@bankname which makes it easier to share! Going a step further, on some apps, if you and the vendor use the same app, just his mobile number is enough for you to make the payment.
The easiest method is to scan the QR code of the payer and make payment. This cuts across language barriers and misspelling and mishearing errors.
You can link more than one of your bank accounts to the app and make a specific payment from a specific bank account. The top UPI apps today include PhonePe, Paytm, Google Pay, Amazon Pay and BHIM, the latter being the Government offering. There are dozens of others and their collective use is growing phenomenally.
Demonetisation and the pandemic may have been the triggers, but the sheer ease of use and accessibility of the technology surely laid the foundation.
The rose always has thorns. Technology easy enough to use by the mass of people will be susceptible to fraud. We need not go as far as hacking or high-tech methods, but simple confidence tricks are enough to cheat people using UPI apps.
For example, writing down your password or pin can land you in trouble if it gets into the wrong hands. Sharing them with strangers and allowing them to use your phone and app are equally risky.
Some common frauds take advantage of the fact that we may be unclear how the app works and dos and don’ts of online transactions.
For example, when you initiate a payment, you have to key in your PIN to complete the transaction. However, to receive payments you don’t need a PIN. This can be grounds for confusion. Let us say you are selling your used furniture online. A fraudulent buyer would, instead of paying you, generate a request for money from you through the UPI app and ask you to approve the request saying that you have to enter your PIN to receive the money. Do that and, in effect, you have paid them!
To ensure you are flustered and confused they would put pressure on you smoothly, not allowing you the time to think or get suspicious.
Some UPI apps have an online/ real-time chat and its easy for users to mistake the chat as being official instructions from the app itself. So, if the fraudster asks for your PIN on the chat you may wall believe your app is prompting to enter the PIN. You just have to be alert always.
Another fraud is based on your registered mobile number (RMN). The SIM card of your phone/ your RMN is at the heart of your account, its authentication and operations. Fraudsters try to replicate your SIM by cloning it or simply conning you to cooperate so that they can get a replacement SIM!
Then its theirs to get OTPs (one-time passwords) and make digital transactions on your accounts.
For example, you may get a call from somebody posing as staff of your mobile phone company offering anything from upgrade of SIM to requiring a KYC verification. They will offer to do this for you online/ on their end if you just give them the OTP.
The process can even be initiated by an SMS that sounds alarming or threatening. Something along the lines of your bank account or credit card being deactivated, or your SIM.
Of course, you won’t respond to the Nigerian prince offering you a fortune if you help him access his super fortune. But when you get an SMS saying your bank account will be deactivated, wouldn’t you get anxious and want to respond?
On the contrary, your antennae should perk up if anything like this happens as you should never share any OTP with anybody and certainly not something pertaining to your SIM card or bank account. Your bank will never ask you for it and neither will your mobile service provider. Another widely prevalent fraud is through fake apps. Once downloaded and installed, these apps can steal much of your personal information. Bottomline, never download apps except from authorised sources.
A basic precaution would be to keep a low balance in the bank account linked to your UPI app. That way you minimise the risk should you fall prey to some scam.
Should something happen, what should you do. Call your bank immediately and lodge a complaint. Your UPI app itself has a link to raise a complaint. You can complain to the cybercrime cell as well.
As with cash, being alert and being circumspect, even a little paranoid, will go a long way in keeping you safe!
(The writer is a business journalist specialising in insurance & corporate history)