Ever since its launch in 2016, the Unified Payments Interface (UPI), has played a major role in the growth of digital payments in the country. India has nearly 26 Crore unique UPI users currently and this increase in the volume of digital payments is paralleled with a rise in the cases of cybercrime in the country. 37.5% of UPI transactions in 2021 where through Google Pay and that the money came up to Rs 2.74 Lakh Crore.
In this backdrop, several social media users are warning their connections of a ‘new scam’ involving digital payment platforms, specifically Google Pay.
“Be alert, Now a new funda fraud has started, someone deliberately sends money to your account or Google Pay and calls you and tells you that this money has gone to your account by mistake, you should send it back to my number. If you send money back to them, your account gets hacked and your account is hacked. So don’t return any money received online. They should be told to come and take them in person. Take note. This fraud has started now be careful thanks. (sic)” the viral post reads.
The special mention of Google Pay in the post has drawn a lot of attention and left several users worried. Notably, Google Pay was the second most popular UPI in India during the financial year 2022.
Newschecker also received several requests on our WhatsApp tipline (+91- 9999499044 ) requesting it to be fact checked, prompting us to check the authenticity of the viral claim.
To check if there has been any comments from Google Pay platform in the recent days over the viral claim, Newschecker checked the social media handle and the official website.
In the support section by Google Pay, we found a write-up titled “Avoid payment transfer scams”, under which we found reference to the said scam under a drop down option called “Money received scam”.
“If money is sent to you by someone who isn’t a close friend or family member, do not send the money back directly. Instead, contact us. If someone you know and trust accidentally sends you money, you can choose to send the money back directly,” the page informed.
“Scammers may use stolen forms of payment to send money to unsuspecting people, and then request that an equal sum of money be sent back. If you receive money from a form of payment that was stolen by a scammer, that money could be removed from your account. Do not send the money back. If you send your own money back, the stolen funds you received can also be removed from your account. If that happens, you’ll end up with less money in your account than you had before you received the scam payment,” it further said.
But this was different from the claim that the sender’s “account gets hacked.”
We further reached out to experts in the field who informed us of the various ways in which a user could be duped using the ‘money received scam’.
Speaking to Newschecker, Cyber security expert Jiten Jain said, “Either there is a social engineering element involved, where a person is tricked into making a false payment or sometimes a user is tricked into downloading a malicious app where his mobile phone screen is taken over, OTPs are collected and suspicious, unauthorised transactions are done.”
Jain also said, “And in such cases (where the account is hacked on repaying) there is always a compromise, either the user is tricked into paying, or a malicious QR code is sent. This is not a security flaw of Google but a flaw in user cyber hygiene.”
Talking about precautions that can be taken to avoid such frauds, Jain said, “If anyone sends you money like this, the best way to repay it is to ask them to come physically, show their ID, sign and collect their money back.”
“In case of any such fraud, people should immediately call 1930,” he added.
Newschecker also reached out to information security consultant Tarun Wig who explained that fraudsters may transfer money to a person’s account (via Google Pay), and ask the receiver to repay the sum on another number. The catch here is that the user will not be able to locate the number on any digital payment platform. Following this, the ‘fraudster’ will send a QR code, and ask the victim to scan and repay money through it. “These are crafted QR codes, so once you can scan it, the entire amount available in your Paytm (or any digital payment account) is automatically transferred to his (fraudsters) account,” said Wig.
The second way that the account may be hacked is when the hacker insists on an account-to-account transfer. In this scenario, the hacker will try to gain access to the person (victim’s) account through social engineering, Wig said. “Once they have the person’s (victim’s) account number, the person (victim) will get calls and they (hackers) will ask for OTPs… basically social engineering. Once a person shares the OTP, they (hackers) log in to his account and do the transaction,” he elaborated.
“Google pay and all these applications… the only vulnerability they had in the recent past was that money could be transferred without unlocking the phone which has now been resolved… Now you have to have authentication before you transfer the money,” Wig said.
Answering whether hacking is still possible, Wig clarified, “hacking is possible through social engineering and not through a vulnerability in the application.”
The response of both the cyber security experts indicated that the scam involved additional interaction by the hacker with the user and repaying the money via Google Pay alone should not put a person’s account at risk.
The Source Of The Warning
We noticed most of the social media users had attributed the viral warning message to ‘Cyber Police Pulwama’. Following this, we looked up the official Facebook page for Cyber Police Pulwama and did find the same post. The post has since been deleted.
Newschecker reached out to the Pulwama Cyber Police on the matter, who informed us that their Facebook post, warning users against the new scam, was not limited to Google Pay. “It can be any online money transfer facility, not particularly Google Pay. The source (from where the hacker would transfer money) can be any,” we were informed, indicating that other users of other payment platforms could also fall for the same modus operandi.
What is social engineering?
Notably, software company Impreva defines social engineering as “the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.”
The MHA has also issued a list of guidelines on avoiding social engineering attacks, which can be seen here.
What is digital hygiene?
According to digitalguardian.com, “Cyber hygiene is a reference to the practices and steps that users of computers and other devices take to maintain system health and improve online security. These practices are often part of a routine to ensure the safety of identity and other details that could be stolen or corrupted.”
In terms of the digital payments, a good practice would be:
- Avoid sending money back and raise it with Google Pay using their contact us section.
- Never reveal OTPs to any sender who claims to have sent you money by mistake
- Never download any apps through which a sender may request you to make payment
- Never Scan any QR codes that any sender shares with you
- Never transfer your money to anyone through your bank account/reveal your bank account details to anyone
The claim that hackers can hack your account if you send back the money that ‘accidentally’ came to your account via Google Pay account lacks context. The viral post does not clearly specify that the victim’s account is hacked only when an element of social engineering is involved.
Result: Missing context
Google Pay Website
Conversation With Mr Jiten Jain On November 12, 2022
Conversation With Mr Tarun Wig On November 12, 2022
Conversation With Cyber Police Pulwama’s Representative On November 12, 2022
(With inputs from Prasad Prabhu)
If you would like us to fact-check a claim, give feedback, or lodge a complaint, WhatsApp us at 9999499044 or email us at [email protected]. You can also visit the Contact Us page and fill out the form.