I get around five attempted fraud messages daily across my email, WhatsApp and text messages. That is five attempted attacks of phishing and spoofing, every day. Some examples include PDF files with an acknowledgement of financial transfer, a prospective foreign national reaching out to offer business and an unclaimed voucher attached to my credit card. The digital journey is now an arena of potholes, which one must navigate extremely cautiously. Given the ubiquitousness of the attacks and the increasing sophistication, it is only a matter of time that I step into a puddle. This is exactly what happened with two people I know.
The first relates to a senior citizen, who is mildly digital savvy. He got a text message saying that the accrued reward points on his credit card were due to expire in a few hours. Along with the message, was a link to conveniently redeem the accrued points. The message carried unique trustworthy identifiers including the name of the issuer bank, and last few digits of the credit card. For a financially prudent individual, the intuitive action was to click on the link and claim the reward points. And he did just that. It was only a matter of minutes before thousands of rupees were charged to his credit card. As soon as he realized that he had been conned, the elderly citizen rang up the bank’s customer service to block his card. Such was the customer service response, that he had to visit the bank branch to make sure the card was actually blocked.
While this first incident did not involve any human interaction, the second incident did. The victim here was in her 40s with a postgraduate degree. She had posted a used item to be sold on a classified site. The accused posed as a buyer and wanted to buy the item quickly at the listed price. Without much ado, he enquired about her UPD ID and transferred ₹2 to her account on the pretext of a test transaction. Once the receipt was acknowledged, he initiated another transaction to remit the list price. This time, however, it was a ‘collect’ transaction rather than ‘pay’. All of this happened without disconnecting the call and by creating a high sense of urgency. The victim entered the UPI PIN in a hurry. So, the amount got charged to the account instead of getting deposited. As soon as she realized this, she protested. The buyer unhesitatingly apologized and promised to pay double – the original amount and the amount wrongly charged. And sent another collect transaction. This time, the victim figured out what was going on and hung up the phone.
Apart from the monetary loss, such incidents make the victims of such frauds wonder if some of the digital platforms are partly culpable, be it due to negligence resulting in the leak of credit card numbers and other information. Unfortunately, these occurrences are not rare.
When these individuals walked into the cyber-crime police station to report their crimes, the attitude of the agencies was casual. It was a routine affair. Their amounts were dismissed as meagre as the busy personnel were fighting much larger frauds. They blamed the victim for not following Reserve Bank of India’s adage of ‘jaankar baniye satark rahiye’. Their complaints were noted and then dismissed. The credit card issuing bank refused to reverse the transaction, even though the incident was reported within an hour. This despite there being a lag in credit card settlement compared to UPI. The classified site routinely identifies some sellers as suspicious on their site and warns the customer of dealing with them. But that’s about it.
With all this going on, one may consider staying away from digital platforms. But, that’s not an option. In fact, the adoption of digital payments is becoming more pervasive. I was quite taken aback when my daughter’s school mandated that the canteen samosa can only be bought by a card and not cash. She is not even in her teens.
So, the only way out is to mitigate the risk as we navigate it. One such way is to buy a cyber insurance. Such policies cover several exposures including unauthorized digital transactions, social engineering, identity theft, and online theft. Cyber insurance has been existent in the market for a few years now, especially for companies. Most companies with exposure to online consumer payments buy this insurance. Considering the growing number of attacks, even traditional manufacturing firms are increasingly buying this cover. Thankfully, such policies are now also available for individuals. The sum assured starts at ₹10,000 for ₹30, to cover only UPI fraud. To cover other digital payment modes, it may cost ₹200 for a ₹25,000 sum assured. Since the ticket size is small, the traditional channel of distribution is yet to start marketing it aggressively. That’s why, this product is mostly bundled as an add-on product for anti-virus companies or other products sold online. However, given the number of incidents being reported, it would be only a matter of time before this becomes a mainstream product for individuals to buy along with their health and life insurances.
Whether it is buying an insurance, a telephone connection or opening a bank account, a common man must go through several hurdles of KYC and video KYC. How do such crime syndicates use the same tools and yet go undetected? Didn’t these criminals have to submit their PAN, link it to Aadhar, and verify their phone number via OTP (one-time password)? Collecting money through credit card requires a payment gateway. That requires opening a business, which is significantly more complicated than just opening a bank account. Banks and telecom companies, among others, must fix the dents in their user journeys.
Abhishek Bondia is principal officer and managing director at SecureNow.in.
Download The Mint News App to get Daily Market Updates.
Updated: 17 Jul 2023, 10:40 PM IST