On March 29, the official Twitter account of the DCP Cyber Crime, Delhi, alerted citizens about a fake UPI (Unified Payments Interface) ID of the PM CARES Fund, pmcare@sbi – the correct UPI ID to donate for coronavirus victims is pmcares@sbi. The Delhi police took suo motu cognisance of the fraud, registered an offence of cheating under sections 419 and 420 of IPC, and blocked this and a number of other similar accounts. The number of persons cheated and the amount defrauded can only be known when the investigation is over.
- UPI is a real-time payment system developed by the National Payments Corporation of India (NPCI) for inter-bank transactions. The interface is regulated by the Reserve Bank of India (RBI) and instantly transfers funds between two bank accounts on a mobile platform. The NPCI keeps a record of all the accounts and transactions.
- It is very easy to create an account using the UPI platform. One just needs an ID, which could even be one’s mobile number or name, and a four-digit PIN. The offence highlighted by the DCP, in fact, has nothing to do with the security of UPI as such. It is phishing, in which the offender creates a similar-looking ID to deceive users.
- First, within the limits set by each bank, any amount can be exchanged instantly using such apps, so the defrauded amount could be huge. Second, the imposter can immediately withdraw the amount and flee, as there is no caveat on withdrawal. Also, if the bank has not done the Know Your Customer (KYC) process thoroughly, nabbing the culprit may become difficult.
- It is important to verify the destination UPI ID from authentic sources before making any transaction. If a mobile phone with a UPI-enabled app is stolen, it must be blocked and the bank intimated before it can be misused. Banks also must adhere to the KYC guidelines issued by the RBI, so that the address of each customer is checked physically.
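
The check described above (comparing a destination ID against IDs taken from authentic sources) can be automated in a payment app or a help-desk tool. The following is an added example, not code from the article, NPCI or any bank; the function names, the allowlist and the distance threshold are assumptions. It flags an ID that is within a couple of character edits of a verified one, which is how pmcare@sbi differs from pmcares@sbi.

```python
import unicodedata

# Allowlist of payee IDs confirmed from an authentic source (assumption:
# the caller maintains this set). pmcares@sbi is the correct ID in the article.
VERIFIED_IDS = {"pmcares@sbi"}

def normalize(vpa):
    """Fold case, whitespace and Unicode compatibility forms before comparing."""
    return unicodedata.normalize("NFKC", vpa).strip().lower()

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def check_vpa(vpa, verified=VERIFIED_IDS, max_distance=2):
    """Return (verdict, verified_id_or_None).

    verdict is 'verified', 'lookalike', 'unknown' or 'malformed'.
    'unknown' only means the ID resembles nothing on the allowlist;
    it still has to be confirmed from an authentic source before paying.
    """
    candidate = normalize(vpa)
    name, sep, handle = candidate.partition("@")
    if not (name and sep and handle) or "@" in handle:
        return ("malformed", None)
    if candidate in verified:
        return ("verified", candidate)
    closest = min(sorted(verified), default=None,
                  key=lambda v: edit_distance(candidate, v))
    if closest is not None and edit_distance(candidate, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample inputs; only the first two IDs appear in the article.
    for sample in ["pmcares@sbi", "pmcare@sbi", "pmcraes@sbi", "someone@okbank"]:
        print(sample, "->", check_vpa(sample))
```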