Trust & Safety
Signs of SMS Spoofing Fraud to watch out for
We are living in truly transformative times. Every aspect of our lives today has gone digital. Grocery and fresh food are delivered in just a matter of minutes and tasks like payments and banking are only a few clicks away. However, convenience brings with it a few risks that we need to be wary of so that we don’t fall prey to scams.
Fraudsters constantly create new methods to dupe innocent victims of their hard-earned money. The latest fraud pattern that has emerged is SMS spoofing that allows fraudsters to take over your UPI account.
What is SMS Spoofing?
When you create an account on any UPI app, it is authenticated with the help of an SMS. Post authentication, the UPI account is linked to your device. This is called device binding. Fraudsters are now attempting to take over a victim’s UPI account by using SMS forwarding apps to forward the device binding message. They do this in many ways — one common method observed lately is sending malware to your device that forwards the binding message to a virtual mobile number.
How does SMS Spoofing Fraud happen
- Fraudsters send malicious files through WhatsApp accounts created in the name of a hospital, courier, restaurant, etc. to potential victims.
- Once the victim clicks on the corrupt link, the malware is hardcoded on their device to forward SMSs to the registration number of the bank which, in case of such frauds, is a virtual mobile number.
- Then, the fraudster initiates the UPI registration process. The device binding SMS is sent to the victim, which gets forwarded by a malicious application to the bank for initiating registration.
- The fraudster then authenticates UPI registration via the virtual number, binding the UPI account of the victim to their phone.
- To carry out transactions, the fraudster uses social engineering tricks to extract the ‘MPIN’ and perform unauthorized UPI transactions.
Hence, it is very important to ensure you never click on any suspicious links in order to keep your account and money safe.
When it comes to safety, PhonePe has you covered, enabling crores of transactions on a daily basis without any transaction failures. The triple-layer security includes:
- Login Password: The first layer of security for the app is the login password.
- PhonePe app lock: To start using the PhonePe app, you need to unlock it using your fingerprint ID, face ID or number lock.
- UPI Pin: For every payment on PhonePe, whether it is Rs.1 or Rs. 1 lakh, no payment can go through without the UPI pin.
PhonePe, thus, goes above and beyond to make all payments safe and secure.
How to Avoid SMS Spoofing Scams
- Do not click on suspicious links, the malware that comes with it can take over apps on your phone.
- Never share confidential information such as credit/debit card number, card expiry date, CVV, OTP, etc., with anyone, including PhonePe officials.
- Lastly, report and block. It is best to report and block these numbers.
What you should do if a fraudster tried to initiate registration of your UPI account
In case you have been duped by a scammer on the PhonePe app, you can immediately raise the issue in the following ways:
- PhonePe Customer Care Number: You can call PhonePe customer care on 80–68727374 / 022–68727374 to raise an issue, post which the customer care agent will raise a ticket and help with your issue.
- Webform submission: You can also raise a ticket using PhonePe’s webform, https://support.phonepe.com/ and select the option “I have not initiated registration of UPI payments on PhonePe”.
- Social media: You can report fraudulent incidents via PhonePe’s social media handles:
- Grievance: To report a grievance on an existing complaint, you can login to https://grievance.phonepe.com/ and share the ticket ID previously raised.
- Cyber cell: Lastly, you can report fraud complaints at the nearest Cyber Crime cell or register a complaint online at https://www.cybercrime.gov.in/ or contact the Cyber Crime Cell helpline at 1930.
Important reminder — PhonePe never asks for confidential or personal details. Ignore all mails claiming to be from PhonePe if they are not from the phonepe.com domain. If you suspect fraud, please contact the authorities immediately.