Will PayNow-UPI Integration Trigger More Payment Scams?UPI Adoption Led to Surge in Payment Fraud Complaints in India in 2022
India and Singapore on Tuesday announced the integration of their real-time payment systems to facilitate peer-to-peer transactions between bank accounts or e-wallets in real time. The integration enables low-cost, cross-border financial transactions but also opens up another window of opportunity for cybercrime.
India launched its Unified Payments Interface in 2016 to enable people and merchants to send and receive money in real time using their phone numbers or unique virtual payment addresses. This removed the need to share bank account numbers or store funds in third-party wallets. The interface also gave people the option to link multiple bank accounts to a single smartphone and use two-factor authentication - a six-digit MPIN - to authorize each transaction.
The real-time payment system in January 2023 enabled over 8 billion transactions worth over $157 billion in India. UPI's integration with Singapore's PayNow, according to the Monetary Authority of Singapore, would cater to the growing volume of remittance traffic as it uses a scalable cloud-based infrastructure to accommodate future increases in volume.
The UPI-PayNow integration ensures customers in Singapore and India will be able to send and receive funds between bank accounts or e-wallets using mobile numbers, UPI identity or virtual payment addresses. But can they do so without running the risk of their data and money falling into the hands of malicious actors?
Exploiting the Human Factor
The UPI interface hasn't resulted in any reported data leaks or vulnerability exploitations so far, but its rising popularity has led to a steep rise in cybercriminals using social engineering to make money off victims. A Ministry of Home Affairs report revealed that UPI-related fraud complaints rose to 84,145 cases in Q2 2022, up from 62,350 in Q1 2022.
In response to questions from Parliament on unauthorized PayNow transactions, the Monetary Authority of Singapore disclosed that victims reported 133 incidents of scammers deceiving PayNow users into giving them their digital banking credentials in the first half of 2022, enabling scammers to perform unauthorized PayNow transactions resulting in a median loss of $1,200 per report.
The Singapore Police said that in 2022, at least 975 people fell victim to phishing scams involving fake buyers on online marketplace Carousell, losing at least $938,000 - a significant portion of which involved unauthorized overseas PayNow transfers. Security company Lookout reported that threat actors masqueraded as the Singapore Post and Singtel in 2022 to con at least 85 people out of $237,000.
Why Vigilance Is Key
The Monetary Authority of Singapore warns that scammers use a variety of techniques to trick businesses and people into sending them money from their mobile payment apps. A lack of information about how scammers operate is often the reason people fall victim to such scams, and Wee Ee Cheong, the chairman of the Association of Banks in Singapore, says a "whole of ecosystem" approach is necessary to combat online fraud.
"As an industry, we are constantly reviewing and putting in place sensible and secure measures to safeguard our customers from scams while allowing them to bank with ease," Cheong says. "Combating scams, whether digital or otherwise, requires the effort and cooperation of everyone - banks, ecosystem players and also customers. Public awareness and staying vigilant are key."
The Association of Banks in Singapore joined with MAS last year to introduce new rules to prevent payment fraud. These included requiring additional customer confirmation to process significant changes to customer accounts and other high-risk transactions, setting a default transaction limit for online funds transfers, facilitating rapid account freezing and fund recovery operations, and providing an emergency self-service "kill switch" for customers to suspend their accounts quickly.
Banks, other financial institutions and government agencies are waking up to the threat posed by payments fraud, but as cross-border money transfers become cheaper and easier, cybercriminals could latch onto the opportunity to target people abroad and enjoy the safety of international borders to avoid incarceration. Ransomware actors have employed this tactic with promising results, and a lack of public awareness about online payment scams could make the threat landscape much worse in the year ahead.