The Art of Tricking: How Social Engineering is Fooling UPI Users and Causing Fraud Frenzy!

Research Article on Understanding Social Engineering and its impact on UPI-based frauds

Aayush Vashist
May 8, 2023
Image Source: https://www.boomlive.in/

Evaldas Rimasauskas, a Lithuanian national, conducted what is believed to be the largest social engineering attack to date on two major companies, Google and Facebook. Along with his team, Rimasauskas established a fake company that purported to be a computer manufacturer working with the two tech giants. They also created bank accounts under the company’s name. The attackers then targeted specific employees of Google and Facebook with phishing emails, requesting payment for goods and services that the fake company had supposedly provided. However, the payment instructions directed the employees to deposit the money into fraudulent accounts. Between 2013 and 2015, Rimasauskas and his associates managed to swindle more than $100 million from the two companies.

To understand this incident, let us first look at what social engineering actually is.

Understanding Social Engineering…

Social engineering is a form of manipulation that targets human vulnerabilities to obtain confidential information, access to systems, or valuable assets. In the realm of cybercrime, social engineering attacks rely on “human hacking” to trick unsuspecting users into exposing data, spreading malware, or providing access to restricted systems. Attackers can use a variety of channels, including online, in-person, and other forms of communication, to carry out these attacks.

Scams based on social engineering exploit users by manipulating their thoughts and actions. Attackers often research their victims to identify their weaknesses and preferences. By understanding what motivates a user’s behaviour, an attacker can deceive and control their victim, ultimately achieving their goal. Common social engineering tactics include phishing emails, baiting attacks, pretexting, and quid pro quo schemes.

Hackers often target users who lack knowledge about certain threats or the full value of their personal data. Due to the rapid pace of technological advancements, many consumers and employees are unaware of risks like drive-by downloads and may not know how to best protect themselves and their information. For example, attackers may leverage users’ lack of knowledge by impersonating trusted institutions, such as banks or government agencies, to trick them into revealing personal information or clicking on malicious links.

Generally, social engineering attackers have one of two goals:

  1. Sabotage: Disrupting or corrupting data to cause harm or inconvenience.
  2. Theft: Obtaining valuables like information, access, or money.

How Social Engineering Makes UPI-based Frauds a Piece of Cake?

UPI or the Unified Payments Interface has gained immense popularity for its user-friendly interface. It is a platform that offers a wide range of banking services and features, all under one roof. To use UPI, one needs to create a UPI ID and generate a PIN to send and receive money, making the experience hassle-free and efficient for end-users.

However, as the saying goes, “every coin has two sides,” and the same can be said for every technological development in the internet age. With the increasing number of transactions through UPI, there has also been a significant rise in bank fraud cases due to social engineering. While UPI is a secure platform, secure transactions depend on smartphones and the internet, making it crucial for every user to be digitally literate. Those who lack the necessary knowledge are often tricked by fraudsters, hackers, and scamsters into divulging their financial information, enabling UPI IDs or entering their UPI PIN to receive payments.

Unfortunately, there have been numerous reports of hoaxes and tricksters who swindle consumers through online financial attacks, UPI frauds, hacking, cyber-crimes, and other financial hazards.

In other words, social engineering means taking control of people’s mindset and exploiting emotions such as fear, greed, curiosity or helpfulness so that they obey the attacker’s instructions. The attacker poses as a legitimate or authorized person to obtain the required credentials from the customer by way of phishing, vishing or smishing.

Phishing is a technique in which an attacker masquerades as a reputable entity or person in email or other forms of communication. For example, fraudsters send payment links via SMS that appear to be from legitimate banks. These fake URLs resemble the original URL, but upon clicking, users are taken to the UPI payment app on their phone, where any app can be selected for an auto-debit. If permission is given, the money is immediately deducted from the UPI account, and the phone may be infected with a virus or malware that can steal financial information. To prevent such scams, users should recognise and ignore or delete such messages. Other types of scams that follow a similar pattern include:

  1. Unauthentic Link — Users may not realize that receiving money through the UPI app doesn’t always require scanning a QR code or entering their UPI PIN. Hackers take advantage of this by sending fake links that appear to offer a money request option. When clicked, these links ask for the user’s UPI PIN or QR code, which can expose their financial information to hackers and allow them to drain the user’s bank account. It’s crucial for users to be cautious of unauthenticated links and avoid clicking on them to safeguard their financial information.
  2. Remote Monitoring — If a user downloads an unverified app such as Pegasus or a trojan bundled with another app, it can lead to a privacy breach and data leak. Third-party apps like these can collect personal information from the phone and gain access to UPI app information, resulting in UPI fraud. Once downloaded, these malicious apps request access to various kinds of information. It is the user’s responsibility to check each app and verify the access it has been granted after downloading.
  3. Fake Calls — Fraudsters often contact customers, pretending to be bank employees, and ask for sensitive information such as UPI PINs or OTPs, or request that they download a third-party app for verification. This can lead to unauthorized access to the customer’s personal and account information. It is crucial for customers to be cautious and ignore such inquiries unless they are from authentic sources.
  4. Malware — Malware is a frequently occurring cybercrime that can be accidentally downloaded through phishing email attachments or unsafe websites. The purpose of malware is to extract and replicate data from the affected device. To avoid this, users should look for secure icons that are typically associated with genuine emails and websites.
  5. Deceptive UPI handles — Misleading UPI profiles can be a tool used by scammers to trick individuals, particularly through social media platforms. Such profiles can bear names that closely resemble genuine ones, potentially leading people to mistake them for legitimate entities. Caution should be exercised when sharing personal details on such sites, as even screenshots of UPI handles can be exploited for fraudulent purposes. To avoid potential risks, it is advisable to refrain from making these details available in the public sphere.
  6. Money Mule — The term “Money Mule” refers to a type of fraudulent activity that involves transferring illegally acquired funds to an intermediary account for safekeeping. This scheme is typically orchestrated by organized groups of scammers who obtain personal data from victims and use it to move money into the designated account. The intermediary account acts as a repository for the illicitly obtained funds, making it one of many “money mules” that hold funds obtained through this scheme from multiple victims.
  7. SIM cloning — It is a recently developed technique that has gained widespread usage since the advent of OTP requirements by banks. By cloning a victim’s SIM card, a fraudster can gain access to a range of personal information, including the UPI PIN, which they may even modify. To reset the PIN, the scammer may need to obtain the victim’s banking credentials and identification proof.
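
The payment-link and deceptive-handle patterns described above can be checked mechanically before a user approves anything. The following is an added example, not code from the original article: it parses a `upi://pay` deep link (using the `pa`, `pn` and `am` query parameters of the UPI linking format), flags text that promises incoming money while the link asks the user to pay, and flags payee handles that closely imitate a known one. The handles, sample SMS, function names and the 0.85 similarity threshold are all constructed assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: handles the user has verified out of band (assumption).
KNOWN_HANDLES = {"citypower@okbank", "freshmart@okbank"}
# Wording that promises incoming money; a pay link next to it is a red flag.
RECEIVE_WORDS = ("receive", "refund", "cashback", "reward", "won")


def parse_upi_link(link):
    """Return payee handle, name and amount from a upi://pay link, else None."""
    parts = urlsplit(link.strip())
    if parts.scheme.lower() != "upi" or parts.netloc.lower() != "pay":
        return None
    query = parse_qs(parts.query)
    first = lambda key: query.get(key, [""])[0].strip()
    return {"handle": first("pa").lower(), "name": first("pn"), "amount": first("am")}


def closest_known(handle, known=KNOWN_HANDLES):
    """Return (known_handle, similarity 0..1) for the best-matching known handle."""
    scored = ((k, SequenceMatcher(None, handle, k).ratio()) for k in known)
    return max(scored, key=lambda pair: pair[1])


def assess(message, link, threshold=0.85):
    """Return warnings for an SMS text and the payment link it carries."""
    info = parse_upi_link(link)
    if info is None:
        return ["not a upi://pay link"]
    warnings = []
    if any(word in message.lower() for word in RECEIVE_WORDS):
        warnings.append("text promises incoming money, but the link asks you to pay")
    if info["handle"] not in KNOWN_HANDLES:
        match, score = closest_known(info["handle"])
        if score >= threshold:
            warnings.append(f"handle {info['handle']} imitates {match}")
        else:
            warnings.append(f"handle {info['handle']} is not a verified payee")
    return warnings


# Constructed sample: a "cashback" SMS whose link pays a lookalike handle.
SAMPLE_TEXT = "You have won a cashback of Rs 500. Tap the link to receive it."
SAMPLE_LINK = "upi://pay?pa=citypovver@okbank&pn=City%20Power&am=500.00&cu=INR"

if __name__ == "__main__":
    for warning in assess(SAMPLE_TEXT, SAMPLE_LINK):
        print("WARNING:", warning)
```

The display name (`pn`) is chosen by whoever built the link, so the check compares the handle (`pa`) rather than trusting the name shown to the user.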

If you have knowledge of any other UPI fraud types, please feel free to inform us by leaving a comment in the box below or by sending an email to vasaayush@gmail.com.
