How SMS spoofing fraud is targeting UPI apps in India

A recent survey from Bureau found that 55% of digital payment frauds in India are related to UPI – and that account-related attacks form the biggest type of fraud in the country today.
Banking and FinTech platforms now require different forms of security in order to prevent fraud. You may be opting for codes sent via SMS – but scammers have found a way around this too. After receiving the victim’s bank details, a fake website, reached through a link in a spoofed SMS, downloads malware onto the user’s device.
With the malware installed, the fraudster can now intercept SMS messages containing OTP (one-time password) codes, bypassing the second layer of security. From there, they can use the victim’s UPI information to easily make payments to themselves.
The fraud process goes like this:
- A bad actor sends a spoof SMS, with the sender information changed so it appears to be from a bank or other trustworthy organisation.
- The SMS contains a link which, when clicked, installs malware on the victim’s device and asks the user to fill in their UPI and banking information.
- The bad actor uses this information to try to log into the victim’s bank or payment platform, and an SMS containing a PIN code is generated.
- The malware intercepts the legitimate SMS message from the real bank, and the criminal can enter the code, pretending it was sent to their own mobile phone.
- The criminal gains control of the victim’s UPI and bank details, and steals their money.
It’s very difficult to anticipate these attacks and sufficiently educate every user to look out for the messages that deliver malware, which are often very convincing, or even identical to real communications.
But the good news is that this sequence can be stopped – by replacing the PIN code with a stronger form of mobile security that attackers cannot steal.
How you can protect your app from fraud with SIM-based security
As long as you rely on SMS and shareable codes for security, you’re giving criminals a way in to defraud your app users and your platform. Passwords or codes could be shared with anyone – whether they’re forwarded to a criminal in error, or automatically passed on by an SMS forwarding app.
The good news is that stronger security doesn’t have to add complexity – tru.ID enables you to add a highly secure check to your app flow to prevent this type of attack.
tru.ID works by checking that a user’s mobile number matches the SIM card of the device they’re using, with an invisible, real-time API call to the mobile network. This process can’t be faked remotely, intercepted, or phished.
With tru.ID, when a bad actor tries to log in to the victim’s bank or payment platform, a real-time check is triggered on the device they’re using, rather than an SMS message. This check will detect that the attacker doesn’t possess the victim’s mobile phone – allowing further step-up security and fraud detection to proceed.
By using tru.ID, banks can eliminate the need for PIN codes sent by mobile-originated SMS – providing a secure solution that is resistant to SMS spoofing fraud.
In line with guidelines from the RBI, this device-based MFA method is a stronger alternative to SMS OTPs, and it can be added seamlessly to your existing app.
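The difference between the two checks can be shown with a small model. This is an added illustration, not tru.ID's API or code: the `Device`, `Bank` and `login` names and the phone numbers are constructed, and the network's SIM lookup is reduced to a field comparison. The OTP verifier never sees which device submits the code, while the SIM check takes the session's device as its input.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Device:
    sim_msisdn: str                       # number of the SIM inside this device
    inbox: list = field(default_factory=list)
    forward_to: object = None             # models an SMS-forwarding app

    def receive_sms(self, text):
        self.inbox.append(text)
        if self.forward_to is not None:
            self.forward_to.inbox.append(text)

class Bank:
    def __init__(self, subscribers):
        self.subscribers = subscribers    # msisdn -> Device holding that SIM
        self.pending = {}                 # msisdn -> outstanding OTP

    def send_otp(self, msisdn):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[msisdn] = code
        self.subscribers[msisdn].receive_sms(code)

    def verify_otp(self, msisdn, code):
        # Only the code is compared; the submitting device is never an input.
        expected = self.pending.pop(msisdn, None)
        return expected is not None and hmac.compare_digest(expected, code)

    def verify_sim(self, msisdn, session_device):
        # Assumption: stands in for the mobile network's real-time SIM match.
        return session_device.sim_msisdn == msisdn

def login(bank, msisdn, session_device, method):
    if method == "sim_check":
        return "granted" if bank.verify_sim(msisdn, session_device) else "step_up"
    bank.send_otp(msisdn)                 # method == "sms_otp"
    code = session_device.inbox[-1] if session_device.inbox else ""
    return "granted" if bank.verify_otp(msisdn, code) else "denied"

def scenario():
    attacker = Device("+910000000002")    # constructed numbers
    victim = Device("+910000000001", forward_to=attacker)
    bank = Bank({victim.sim_msisdn: victim, attacker.sim_msisdn: attacker})
    return {(m, who): login(bank, victim.sim_msisdn, dev, m)
            for m in ("sms_otp", "sim_check")
            for who, dev in (("victim", victim), ("attacker", attacker))}
```

In `scenario()`, both devices pass the SMS OTP login for the victim's number, but only the victim's device passes the SIM check; the other session is routed to step-up.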
How to get started
tru.ID’s technology is quick and easy to deploy and available for all mobile operating systems.
Learn more at tru.ID or book your free 30-minute demo today to see it in action, and discuss how tru.ID can deliver frictionless mobile security to help you detect and prevent fraud.