As many as 68 fake Unified Payments Interface (UPI) IDs in the name of the PM CARES fund to fight coronavirus have been detected, according to cybersecurity researchers. The fake IDs are active and have been created under both banking and non-banking entities.
The creation of the Prime Minister's Citizen Assistance and Relief in Emergency Situations (PMCARES) fund was announced on March 28, with the intention of providing assistance and emergency relief funds to which the public can contribute to help the government fight the COVID-19 pandemic. The original UPI ID to make payments to the fund is pmcares@sbi.
However, barely three days after the account was created, security researchers with Cyber Peace Foundation were alerted by victims of the fraud to the existence of fake UPI accounts. These accounts appeared similar to the original PMCARES ID.
Parasar Sikdar, a cybersecurity researcher with Cyber Peace Foundation who worked on tracking down the 68 accounts, said, “These UPI accounts have been created by fraudsters. They are just changing the wording. The original ID is pmcares@sbi but these fraudsters have made variations of the prefix, and made it pmcare@sbi or created IDs with names like pmoindia@sbi or pmindia@sbi. Any fraudster with an intention to cheat can create such IDs easily.” “We are only doing this for research,” he adds.
The UPI, as its name suggests, is a payment interface system that allows peer-to-peer bank transfers using mobile applications. There are as many as 48 banks that are payment service providers (PSPs) for UPI, apart from 33 non-banking players that also provide the service.
TNM reached out to the National Payments Corporation of India (NPCI), which oversees the UPI service, alerting them to the 68 or more fake UPI accounts allegedly defrauding the public of funds meant for the PMCARES. NPCI acknowledged the issue and is yet to respond to queries.
The 68 fake IDs detected were under Catholic Syrian Bank, Yes Bank, State Bank of India, HDFC Bank, ICICI Bank, Airtel Payments Bank, DBS Bank, Axis Bank, Andhra Bank, Canara Bank and Central Bank. Whenever fraudulent accounts are detected over UPI, the NPCI usually instructs banks to blacklist the UPI ID.
Srikanth L, from Cashless Consumer, a consumer collective focussed on digital payments, tells TNM, “This is another manifestation of the classic phishing scam. Here it is possible to get the fraudsters tracked and blacklisted and this can be done at the NPCI level itself.” However, the researcher adds that to prevent further phishing over the UPI platform, the NPCI should consider framing rules for the banking and non-banking issuers of UPI IDs to not generate IDs that are suspicious.
In Google Pay, for instance, the app automatically generates the UPI ID for the suffixes @okaxis, @okhdfcbank, @okicici, @oksbi with the email ID of the person as the prefix. “So when someone uses an email ID with ‘pmcare’ and creates a UPI ID, the app automatically generates a UPI ID that would have the prefix of ‘pmcare.’ The changes have to be made at the algorithm level. The NPCI has to form rules and implement them across the issuers,” he adds.
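The issuer-side rule suggested above, sketched as an added example (not code from the article, NPCI or any UPI app): it screens a requested ID prefix against protected names before an ID is generated. The protected list, the look-alike digit mapping, the one-edit threshold and all function names are assumptions.

```python
import re

# Assumed protected list: the genuine prefix named in the article plus the
# impersonating names it quotes. A real issuer would maintain its own registry.
PROTECTED = ("pmcares", "pmoindia", "pmindia")
# Assumed digit-for-letter swaps folded before comparison (0->o, 1->i, 3->e, 5->s).
LOOKALIKES = str.maketrans("0135", "oies")

def normalize(prefix):
    """Lowercase, fold look-alike digits, drop separators and other characters."""
    folded = prefix.lower().translate(LOOKALIKES)
    return re.sub(r"[^a-z]", "", folded)

def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def screen_prefix(prefix, registered_owner=False, max_distance=1):
    """Return (allowed, reason) for a requested UPI ID prefix."""
    if registered_owner:
        # Only the verified holder of a protected name may register it.
        return True, "verified owner of a protected name"
    name = normalize(prefix)
    for protected in PROTECTED:
        if protected in name:
            return False, f"contains protected name '{protected}'"
        if edit_distance(name, protected) <= max_distance:
            return False, f"within {max_distance} edit(s) of '{protected}'"
    return True, "no match"

if __name__ == "__main__":
    # Constructed sample requests, not taken from the 68 detected IDs.
    for requested in ("pmcare", "PM.Care5", "pmindia", "ravi.kumar92"):
        print(requested, screen_prefix(requested))
```

A rejected prefix would more usefully go to manual review than be refused outright, since a one-edit threshold also catches some legitimate names.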