SMS spoofing targeting UPI apps: How to stop payment fraud in your app

We are all used to receiving SMS messages with security codes and banking information – but a rising threat to Indian consumers is exploiting this process. Fraudsters use SMS spoofing scams to compromise a victim’s UPI (Unified Payments Interface) information and steal their money.

‍

SMS spoofing is a scam in which criminals alter their sender information (name and mobile phone number) in order to make an SMS message seem legitimate. Bad actors commonly pretend to be from a bank or financial institution, and these account-related attacks are on the rise.

‍

In India, fraudsters are using this technique to get access to victims’ UPI-linked mobile phone number, and link it to their own mobile phone. Criminals can also use it to exploit mobile apps that rely on UPI – and even if your platform complies with new device binding regulations, your users could be at risk if you’re sending codes via SMS.

‍

This blog will explain what SMS spoofing is, how criminals are using it to defraud banking customers – even with MFA measures in place – and how you can solve it by replacing the key vulnerability in the attack process.

‍

How does SMS spoofing work?

SMS spoofing works by exploiting a vulnerability in the way that SMS messages are sent and received. When a text message is sent, the sender's phone number is not actually attached to the message – instead, the message is sent to a central server, which then forwards it to the recipient's mobile phone.

‍

This means that it is possible for someone to send a text message appearing to be ‘from’ any phone number, even if they do not own that number. This functionality is intended for marketing and customer service purposes, but can be misused. (Learn more about the vulnerabilities of SMS for security.)

‍

There are a number of ways that SMS spoofing can be used to commit fraud. One common method is to send a message that appears to be from a legitimate company, such as a bank or a credit card company. The message may contain a link that, if clicked, will take the recipient to a malicious website designed to steal personal information, such as login credentials or credit card numbers.

‍

Increasingly, fraudsters are targeting Indian consumers by misleading them into sharing their UPI information – with alarming consequences.

How SMS spoofing fraud is targeting UPI apps in India

*Fraudsters lure victims with a fake SMS, then spring the trap with malware on their device. Photo by* *Carla Quario* on Unsplash

A recent survey from Bureau found that 55% of digital payment frauds in India are related to UPI – and that account-related attacks form the biggest type of fraud in the country today.

‍

Banking and FinTech platforms now require different forms of security in order to prevent fraud. You may be opting for codes sent via SMS – but scammers have found a way around this too. After receiving the victim’s bank details, the fake website downloads malware onto the user’s device.

‍

With the malware installed, the fraudster can now intercept SMS messages containing OTP (one-time password) codes, bypassing the second layer of security. From there, they can use the victim’s UPI information to easily make payments to themselves.

‍

The fraud process goes like this:

‍

A bad actor sends a spoof SMS, with the sender information changed so it appears to be from a bank or other trustworthy organisation.
The SMS contains a link which, when clicked, installs malware on the victim’s device and asks the user to fill in their UPI and banking information.
The bad actor uses this information to try to log into the victim’s bank or payment platform, and an SMS containing a PIN code is generated.
The malware intercepts the legitimate SMS message from the real bank, and the criminal can enter the code, pretending it was sent to their own mobile phone.
The criminal gains control of the victim’s UPI and bank details, and steals their money.

It’s very difficult to anticipate these attacks and sufficiently educate every user to look out for malware, which is often very convincing, or even identical to real communications.

‍

But the good news is that this sequence can be stopped – by replacing the PIN code with a stronger form of mobile security that attackers cannot steal.

‍

How you can protect your app from fraud with SIM-based security

As long as you rely on SMS and shareable codes for security, you’re giving criminals a way in to defraud your app users and your platform. Passwords or codes could be shared with anyone – whether it’s forwarded to a criminal in error, or automatically bypassed by an SMS forwarding app.

‍

The good news is that stronger security doesn’t have to add complexity – tru.ID enables you to add a highly secure check to your app flow to prevent this type of attack.

‍

tru.ID works by checking that a user’s mobile number matches the SIM card of the device they’re using, with an invisible, real-time API call to the mobile network. This process can’t be faked remotely, intercepted, or phished.

‍

With tru.ID, when a bad actor tries to log in to the victim’s bank or payment platform, a real-time check is triggered on the device they’re using, rather than an SMS message. This check will detect that the attacker doesn’t possess the victim’s mobile phone – allowing further step-up security and fraud detection to proceed.

‍

By using tru.ID, banks can eliminate the need for PIN codes sent by mobile-originated SMS – providing a secure solution that is resistant to SMS spoofing fraud.

‍

In line with guidelines from the RBI, this device-based MFA method is a stronger alternative to SMS OTPs, and it can be added seamlessly to your existing app.

‍

How to get started

tru.ID’s technology is quick and easy to deploy and available for all mobile operating systems.

‍

Learn more at tru.ID or book your free 30-minute demo today to see it in action, and discuss how tru.ID can deliver frictionless mobile security to help you detect and prevent fraud.