Nothing has revolutionised digital payments in India more than the ubiquitous UPI. People no longer carry their bulging purses, nor go to ATMs as frequently as they used to, for cash. Instead, they whip out their cell phones and make the payment to both the itinerant vendor of vegetables and fruits as well as to the more rarefied restaurants. In addition, every service provider has his own wallet. Ola money is an adjunct to your Ola hailing app. If you have sufficient balance in it, you can walk away after reaching the destination with the fare being automatically reduced from your Ola money. Of course, the cab owners resent it because they are most happy when the fare is paid to them either in cash or into their own mobile wallets lest they are at the tender mercies of the ride aggregator. Be that as it may, financially literate people don’t keep too much in such single-purpose wallets especially if their usage of ride hailing apps is few and far between. After all, they do not want to keep money in outside wallets where the money doesn’t earn any interest. Phonepay and Gpay score over Paytm precisely for this reason — your money remains with yourself till you make the payment instead allowing someone the benefit of enjoying float at your expense.
While your mobile doubling as your wallet is indeed convenient, it also exposes you to greater dangers emanating out of phishing, vishing, surreptitious and quiet planting of malware and unctuous online help. The report titled “A deep dive into cybercrimes trends impacting India” shows from January 2020 to June 2023. Almost 50% (47.25% to be precise) of cybercrime cases were UPI frauds according to IIT-Kanpur incubated startup Future Crime Research Foundation. UPI was developed by National Payments Corporation of India in 2016. Seven years down, it has emerged as the most popular payment medium especially among the masses even though the classes too are not shy of flaunting it In FY21, transactions of the order of ₹41,03 lakh crore were carried out through UPI which more than doubled next year to ₹84. 17 lakh crore and to ₹139.14 lakh crore in FY 23 as per NPCI data. In lockstep with the usage, the crime rate has also been going up with the figures being 77,299, 84,274 and 95,402 cases respectively.
Phishing is not unique to mobile wallets or UPI as fraudsters tap into the vulnerabilities of the users by sending out authentic-looking mails to ferret out sensitive information like passwords or PINs. Malware is more dangerous as it is employed to copy data from an infected device. To this a cell phone is more vulnerable as it is the most used device even while on the go on the back of data packs. Vishing is fake calls ostensibly from banks. To be sure, even a laptop is as much vulnerable but cell phones bear the brunt thanks to their ubiquitous and multi-purpose nature.
Apart from the usual protection like using dual locks and PINs, one to open the payment app like Gpay and another to draw out funds ie, authentication of payments and their frequent change, the most sensible thing one can do is to keep the balance to the minimum in the bank which has been activated for UPI. The lion’s share of one’s bank balance must be kept in the bank not linked to your UPI. The downside risk emanating out of loss of the cellphone or due to the machinations of online fraudsters is thus minimised. Of course, one would need to replenish the balance in the UPI-linked bank account every now and then but that is the price one has to pay for preempting predatory attacks on one’s mobile-linked bank accounts. BTW, while tapping instead of inserting the card may be convenient (no authentication PIN required), it entails the risk of one finding a card landing on his lap so to say having a field day till the loss is reported and the card deactivated by the bank.
At the end of the day, it seems the tried and trusted OTP is the most effective bulwark against frauds. Some banks don’t allow withdrawal from ATM unless you have fed in the OTP which is generated by the bank almost real-time which cannot be second-guessed by fraudsters unless they have in their hands the cellphone of the victim. There is no reason why the same additional safeguard cannot be prescribed for UPI payments — OTP. Never share your OTP, a warning given by banks and service providers must be taken seriously. Net-banking payments namely IMPS, NEFT and RTGS come out trumps from the point of view of safety as first one has to log into the targeted bank account before decamping with the balance though it is also vulnerable to phishing and vishing.
Let the RBI then mount an awareness campaign seriously on the following lines:
Use two-step passwords — one to open the payment app and another to authenticate the UPI payment ie, the UPI PIN.
Use two bank accounts, one for UPI payments through cellphones and another to harbor one’s war-chest. In other words, UPI is merely transactional or for day-to-day use.
Making OTP mandatory for all digital payments including at the merchant establishments.
Every convenience brings with it an element of risk. But that doesn’t mean we should cling, or atavistically revert, to the tried-and-tested cheque payments and withdrawals at bank cash counters. Account holders must be safety-conscious and banks and the RBI must foster such consciousness. Besides, the digital footprints left by the fraudsters can be tapped into by the law-enforcing agencies. That should chill them if there are enough success stories of them getting their comeuppance.
S Murlidharan is a freelance columnist and writes on economics, business, legal and taxation issues