In Kerala, the bank accounts of at least three customers were wiped clean wherein the sum that was lost totaled around ₹12 lakh.
All the three victims used a United Payments Interface (UPI) smartphone application for “account to account” electronic cash transfer and this element of commonality account for the roots of the fraud.
Referenced from the statements ISP, chief, Kerala Police Cyberdome, Manoj Abraham gave to The Hindu; the fraud was “ingenious”. The fraudsters have attacked the accounts in an elaborate and technically advanced manner.
The hijackers, in order to execute the fraud, downloaded the UPI application on their smartphones and then configured the phishing messages to appear to be coming from the bank.
Once the application was successfully installed, the con men advanced towards the activation of the UPI app on their mobile via the account details and phone numbers of the victims.
Then the “hijacked app” was exploited to smoothly extract the money out of the accounts of the victims who were oblivious to the attack.
However, the pattern they resorted to while deciding their potential targets remains to be in question.
The hijackers manipulated their targets just enough to acquire their bank IDs, OTPs, card numbers, and passwords.
According to the police, the con men moved the money from the owners’ accounts to some of their own accounts based in rural Jharkhand.
The mobile numbers that were used to carry out the fraud had been traced by The Cyberdome.
“We have their numbers, not their real-world identity. Officers in Jharkhand are on their scent,” an investigator commented.
Investigators noted that some payment applications which smoothens the process of account to account transfer didn’t always alert customers of the digital transactions.
Reserve Bank of India (RBI) has been approached via a written complaint by the police and UPI services are urged to strengthen the security, they were requested to use more anti-fraud protections like two-way passcode authentication.