China-based scammers are using a combination of fake loan apps and India’s real-time mobile payment system, Unified Payments Interface (UPI), to separate victims from their cash, according to a report by threat intel firm CloudSEK.
“UPI service providers currently operate without coverage under the Prevention of Money Laundering Act (PMLA),” explained [PDF] CloudSEK researchers, letting the scammers exploit the platforms with relative ease.
Posing as providers of loan apps, and sometimes impersonating existing entities, the scammers lure victims with promises of easy repayments for quick money in exchange for a fee worth between 5 and 10 percent of the loan. To receive the loan, victims are asked to share personal information, including bank details and their phone numbers, and even to upload their national identity cards, known as Aadhaar, and tax-related Permanent Account Number (PAN) cards.
Once the fee is paid, the loan never materializes and the fee is laundered through mules out of India to China.
Chinese payment gateways ensure the authorities cannot pursue the scammers.
Mules who have legitimate existing bank accounts in small banks – those without too much investigative structure – are paid a 1 to 2 percent cut of the transaction in exchange for their service. The mules change their phone numbers with their bank, thus giving the scammers control over the account and the ability to launder the money.
Recruitment is done through Telegram, with aspirational advertisements or text messages.
The investigation uncovered 55 of these apps in use on Android and 22 Chinese gateways. Over the course of almost two months, scammers were able to launder Rs 37 lakhs, the equivalent of $44,000, in just one of the 55 apps through a collection of over 10,000 mules. In that scam, over 30,000 Aadhaar cards and bank accounts were breached.
Experts have categorized UPI as playing a significant role in promoting digital payments and financial inclusion in India. It is widely popular and accepted across a wide swath of banks, merchants and service providers. Last month, more than 10.5 billion transactions were made using UPI. And in February, India linked up its UPI system with Singapore’s similar PayNow platform for real-time cross-border payments.
“Banks and the National Payments Corporation of India (NPCI) must collaborate to implement additional security measures. One key initiative could involve verifying that any new mobile number added to an account matches the account holder’s name, thwarting scammers from gaining control by altering phone numbers,” advised CloudSEK.
The intel firm also suggested UPI service providers implement additional security measures that safeguard users from fraud.
The suggestion could prove helpful for a nation that wishes to export its systems. This month, India signed MoUs with the Caribbean nation of Trinidad and Tobago and Papua New Guinea (PNG) to share its India Stack governance tools. PNG is considering adopting the Aadhaar system. France has also signed MoUs with India for digital cooperation and information exchange.