Newspapers tend to give wide publicity to celebrities who lose money to cyber fraud. But there is a problem when the media projects financially illiterate celebrities as innocent victims, when they do not have the savvy to exercise basic caution before parting with information to scam callers. There is a distinction between a cyber fraud, where the bank’s systems are breached and accounts or credit cards are scammed, and ones where a user passes on information including one-time passwords.
A report in the Mumbai Mirror
says how Bollywood singer and 'Indian Idol 10' contestant, Avanti Patel lost Rs1.70 lakh in multiple transactions. It turns out that she had not only shared details of her own debit card, but also that of her sister (whose account was also debited) and compounded the foolishness by forwarding the one-time passcode (OTP) SMS to the caller. She ended up losing Rs1.70 lakh in multiple transactions from her and her sister's bank account. She had filed a complaint with the police.
A police officer privy to the investigation told the newspaper, “The fraudster created and used a fake unified payment service (UPI) account to carry out the fraudulent transactions, which may have allowed him to access the account. There is a possibility of data leaks, as the victim had only shared the cards’ expiry date; most of the information was already with the fraudster.” More about the UPI later.
But this is not the sole example. Every day there are stories in the newspapers about people sharing their personal information, including bank account number, card number, card verification value (CVV) and even the OTP that they had received on their mobile number registered with the bank.
The main reason for this is lack of financial literacy or discipline. Almost 99% of people will respond to a caller who claims to be calling from a bank or even Reserve Bank of India (RBI)! This is irrespective of whether they even have any account in that bank or not.
Sharing of OTPs is particularly irresponsible, because almost every bank sends the OTP with a message warning not to share it with third parties. The Mumbai police and all banks, especially private banks, routinely issue tutorials and warnings to people about cyber fraud and against sharing personal information.
The number of bank frauds, especially, telecaller and cyber frauds are increasing at an alarming rate. According to RBI, cyber frauds constituted almost one-third of total frauds in the banking sector during FY17-18. What is more shocking is that more and more celebrities and highly educated customers are getting duped very easily by the conmen posing as bank executives. One of the reasons is because these people believe that they are influential, nobody would defraud them or, even if someone does, they can catch hold of the fraudster easily.
Last year in May, the Delhi Police cyber cell busted a Jharkhand-based gang that cheated many persons across the country by obtaining their ATM card details and OTPs. Describing the gang's modus operandi, the Delhi Police said, "One of the gang members would call up the victims and pose as official from RBI and seek their bank ATM card details. After obtaining the information, the gang would transfer the victim's money into e-wallets or virtual accounts and routed the money into other e-wallets. Finally, they would transfer the money to some bank accounts and pay utility bills.” That such fraudsters are thriving is due to negligence and financial illiteracy of users—this may be excused for less literate persons, but not when educated persons and celebrities are equally negligent.
According to the RBI report during FY17-18, the number of reported cyber fraud cases almost doubled to 2,059 cases from 1,372 cases in the previous year. At the same time, the amount involved in the fraud jumped three times to Rs109.6 crore from Rs42.3 crore reported in FY16-17.
One of the most common methods used by these fraudsters is telling the respondent that her debit or credit card or bank account would be de-activated if she does not do what the caller tells her to do. As we all know, re-activating a debit or credit card or even a bank account a quite an uphill task resulting in people sharing all information with the caller.
Coming back to UPI, it is found that fraudsters use this to siphon money from customer's account quite easily. The reason for this is that under UPI, money cannot be transferred by using a virtual payment address, mobile number or even an Aadhaar number. In addition, it can be done from any UPI client app, not necessarily from a bank.
Earlier in July 2018, the National Payments Corp of India (NPCI), which developed and promotes UPI and Bharat interface for money application (BHIM), had asked banks to discontinue Aadhaar-based payments through the UPI and immediate payment system (IMPS) channels. Pay to Aadhaar is an additional functionality in UPI and IMPS where the payer can transfer funds to the beneficiary using an Aadhaar number.
"Aadhaar number is a sensitive information and the revised framework about its usage in the payment landscape is still evolving. With this background, we proposed removal of ‘Pay to Aadhaar’ functionality in both UPI and IMPS before the steering committee (meeting held on 5 July 2018). The proposal of removing the Aadhaar number functionality was approved by the steering committee,” NPCI had said in a circular issued on 17 July 2018.
RBI’s action came two days after a unique #TweetMorcha, which appealed to the prime minister Narendra Modi with the hashtag #BankSeBachao. This was preceded by a persistent campaign including an online petition that garnered lakhs of signatures, several complaints from customers, letters and memorandums. As on 4 January 2019, there are 324,691 people who have signed the petition, “Governor: RBI-Finance Ministry: Stop Banks Fleecing Depositors”.
Making banks responsible to prove liability of the customer in such cases, in the circular, RBI says, in case of contributory fraud or negligence or deficiency from the bank, the customer will have zero liability irrespective of whether or not she reports the unauthorised transaction. In case of third-party breach, where there is no liability on bank or the customer, and the customer reports it to the bank within three days, then also she is entitled to zero liability, says RBI.
"Taking into account the risks arising out of unauthorised debits to customer accounts owing to customer negligence, bank negligence, banking system frauds and third-party breaches, banks need to clearly define the rights and obligations of customers in case of unauthorised transactions in specified scenarios. The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank," it added.
In addition, banks are asked to credit the amount involved in the unauthorised electronic banking transaction to the customer's account within 10 days from reporting by the customer.
RBI has also asked banks to put in place a mechanism to handle communication related with electronic banking and to resolve customer grievances within the stipulated time.
You may also want to read...