Last month, Mumbai-based lawyer and human rights activist Flavia Agnes received a call on her mobile from an ‘executive’ telling her that her know-your-customer (KYC) had expired and that he could help her update it over the phone.
The caller told the co-founder of Majlis Legal Centre to install an app (one that gives remote access to the mobile) on her mobile and then share the code.
Once she did that, the caller siphoned almost Rs80,000 from her account. In a similar manner, a religious leader also lost more than Rs3 lakh.
These incidents show that, regardless of the coronavirus (COVID-19) pandemic situation, there is no respite for ordinary people from fraudsters.
Every day there are news reports about someone being cheated under the pretext of verifying KYC details. While the banking regulator claims to have put in place measures to curb such fraud, it is not easy for those who are cheated to either recover lost money or even lodge a complaint.
Here is what happened with Sanjay Singh (name changed). He received an SMS asking him to complete his KYC by calling a number. "When I called, they told me to download an app and put an OTP, which I did," he says. However, after this, the fraudsters siphoned off money from his Paytm wallet and there is no trace.
In another case, Girish Apte (name changed), a senior citizen, received a call informing him about the expiry of his account for want of KYC. The caller, one Manish Kumar, told Mr Apte that he could do the KYC over the phone.
Mr Apte says, “He asked me to buy a Paytm gift card for Re1. On his instruction, I entered my Axis Bank credit card number for making the payment of Re1. Immediately I received a message that Rs40,000 has been debited from my account and credited to the Paytm wallet of some Ecosystem Private in New Delhi.”
“After almost eight months and several rounds of communication, I still have not recovered a single penny, siphoned from my account,” he says.
One may think that such KYC frauds happen to people with less knowledge of financial transactions or technology. However, in many instances, even those who have spent their entire lives handling technology are found losing money to these KYC frauds.
These KYC frauds skyrocketed with the Reserve Bank of India (RBI) mandating mobile wallet providers to complete KYC formalities for their customers. In October 2017, RBI asked these service providers to comply with full KYC within 12 months of opening a customer's account.
As per RBI rules, any person can open an e-wallet through a mobile number verified with a one-time pin (OTP) and a self-declaration of name and unique identification number of any officially valid document (OVD), including passport, driving licence, permanent account number (PAN) card, Voter's ID Card issued by the Election Commission of India, job card issued by NREGA (duly signed by an officer of the State Government), and letter issued by the Unique Identification Authority of India (UIDAI) containing details of name, address and Aadhaar number.
RBI had allowed e-wallets with minimum KYC compliance to be loaded or used with a limit of Rs10,000 in a month, with an overall cap of Rs1 lakh per year. These prepaid payment instruments (PPIs) can be used only for shopping or payment of services but not for fund transfer to bank accounts or other e-wallet/s. These e-wallets had to become fully KYC compliant within 12 months, RBI had declared.
For fully KYC compliant e-wallets, the limit was Rs1 lakh per month and funds could be transferred to pre-registered beneficiaries.
This is where the majority of e-wallet service providers grabbed the opportunity to on-board customers with a quick Aadhaar-based e-KYC. To make the process easy for themselves, e-wallets sent messages (SMS) to their existing customers asking for their Aadhaar number and asking them to share a one-time passcode (OTP) to verify their KYC.
These directions by the RBI ended up being a dangerous loophole in the system. They allowed anyone to open an e-wallet through a mobile number that is verified with a one-time passcode (OTP) and a self-declaration of name and unique identification number of any officially valid document. Such a user was allowed to carry out transactions worth Rs10,000 every month or totalling Rs1 lakh in the next 12 months without being fully compliant with KYC. After 12 months, the user can continue to use her balance in the e-wallet but cannot load new money.
Fraudsters immediately spotted this as a big opportunity to earn quick and easy money through KYC verification.
Almost everyone who uses a mobile would have received an SMS for verifying KYC for an e-wallet. The majority of fraudsters prefer to use Paytm in the message. Most of these SMSes aim to create a fear of losing something in the mind of the recipient. It may be losing the validity of their bank debit or credit card, or losing KYC, or certain benefits. There is always a number given in these SMSes for the recipient to call and fulfil the 'required' obligations to continue to receive benefits.
But this would prove to be costly. The sweet-talking fraudster would get the caller to either share a simple OTP or click 'Yes' or ‘Ok’ on the message on their e-wallet. When you are asked to share the OTP, it means the fraudster has already initiated a transaction on your account and needs the code to complete it. The moment you share the OTP, your money is gone.
In such cases, depending upon your level of 'cooperation', the fraudster will continue to rob your hard-earned money, with you sharing the OTP or touching the 'Yes' option again and again.
By the time you realise that you have lost money from your account, the caller would simply have thrown his mobile SIM into a dustbin and would be using a new number. Procuring a new SIM has become relatively easy, with nobody really checking or strictly following KYC norms. In fact, some operators even issue and activate SIM cards with just an Aadhaar number.
Interestingly, a few days ago, I also received a similar message for Paytm KYC. I thought I would alert the mobile wallet services provider and requested them to take action against the SMS sender and number holder in the message. To my surprise, Paytm told me what we all already knew. It says, “Paytm will never call or send any SMS regarding KYC suspension, expiry, account blocking, or contests. These are sent by fraudsters to steal your money.”
In 2017, the RBI limited customer liability for fraudulent bank transactions. The RBI circular says, “Taking into account the risks arising out of unauthorised debits to customer accounts owing to customer negligence, bank negligence, banking system frauds and third-party breaches, banks need to clearly define the rights and obligations of customers in case of unauthorised transactions in specified scenarios. The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank.”
However, it has hardly made an impact in helping victims recover their money lost in frauds.
So how not to be a victim of such frauds?
1. Basically, nobody from your bank branch or main office, or even the e-wallet card provider, has the time to call and ask for KYC information or confirmation of the same.
2. Even if you receive an SMS from your bank, you must always call the branch and verify if the SMS was indeed sent by them. If yes, then kindly visit the branch and submit KYC or fulfil any obligation that you may have in person or through the official email ID, but only after speaking with the branch executives on the official telephone number, and never on a mobile number.
3. For any plastic card, like a debit or credit card, never ever disclose the expiry date, card verification value (CVV) or passcode for ATMs to anyone.
4. Always remember, legitimate companies and banks never ask for personal information online, via email or over the phone.
5. Do not call the number given in these SMSes.
6. Never share any personal information over the phone or email.
7. Do not click on any link in such SMSes or emails.
8. Remember, nobody is going to close your account for want of KYC.
9. The process to recover money lost in such KYC and UPI pull transactions is far too hectic, with an almost nil recovery rate. In fact, you may have to spend more money to recover the amount lost in such frauds.
10. Be careful and alert.
What to do if you are duped?
I. Immediately report the incident to the concerned authority (i.e. bank/credit card issuer/e-wallet or Police)
II. File a complaint in writing or email (for Police FIR)
III. Complaints of calls/messages in respect of fraud/forgery can be registered on the National Cyber Crime Reporting Portal: https://cybercrime.gov.in