How Fraudsters Exploit the Surge in Digital Payments and Online Banking

India’s progress in developing a cutting-edge digital payments system and its widespread adoption of online banking over the past decade have positioned the country as a global leader in technology-driven financial inclusion.

However, the rapid growth has exposed gaps in law enforcement’s ability to address payment fraud. The popularity of these payment systems has increasingly drawn fraudsters, identity thieves and various other cybercriminals, presenting significant challenges in safeguarding the country’s digital payment systems.

India’s Unified Payments Interface (UPI) is an instant real-time payment system to facilitate interbank transactions through mobile phones. According to the Reserve Bank of India’s (RBI) latest annual report, the value of UPI transactions climbed 137% in the past two years, to INR200 trillion (USD199 billion).

But digital payment fraud in India has skyrocketed fivefold, surging to INR14.57 billion in the fiscal year ending March 2024, the RBI said.

Experts highlight cybersecurity as a critical challenge for the country’s digital payment infrastructure. The rise in digital payment fraud can be attributed to factors including limited awareness and vulnerabilities within that infrastructure.

Indian media have highlighted a fraud that has left authorities rattled. In Hyderabad, an elderly woman and her daughters endured a harrowing 17-day digital house arrest, losing INR55 million to cybercriminals impersonating Central Bureau of Investigation (CBI) officers.

The ordeal began on 13 November 2024, when 67-year-old Bharti Bai Agarwal received a call falsely accusing her Aadhaar-linked phone of involvement in money laundering. The fraudsters, identifying themselves as CBI officers Saurabh Sharma and Ajay Gupta, manipulated her into connecting via Skype, holding the family virtually captive. The Telangana Cyber Security Bureau (TGCSB) has registered a first information report (FIR) and launched an investigation.

“The vast increase in UPI transactions has led to a steep increase in digital payment fraud due to the exploitation of new payment and authentication technologies such as QR codes, virtual identification, and one-time passwords (OTPs),” says Anu Tiwari, a Mumbai-based partner at Cyril Amarchand Mangaldas. Tiwari works in the CAM finance regulatory practice area and advises banks, finance and fintech companies.

“Scams such as authorised push payment fraud, where a consumer is misled into making an illegitimate payment to a criminal, have become an easily accessible avenue for fraudsters who can take advantage of underlying payment infrastructure and technologies such as QR codes to impersonate merchants or bank personnel.”

According to Tiwari, the past decade’s rapid technological advancements and proliferation of social media have significantly expanded the scope for social and financial fraud. Consumers’ online presence grows as they increasingly engage with digital platforms, creating more opportunities for fraudsters to exploit vulnerabilities.

Social media profiles are often filled with personal information. They become rich targets for identity theft and phishing scams. Fraudsters leverage advanced techniques, including fake profiles, malicious links and social engineering, to deceive unsuspecting users.

Meanwhile, regulators and consumers struggle to keep pace with the cybercriminals. Tiwari says this underscores an urgent need for enhanced digital literacy and stringent cybersecurity measures.

However, the issue of digital payment fraud is more deeply rooted, says Delhi-based Shilpa Mankar Ahluwalia, a partner in Shardul Amarchand Mangaldas’s banking and finance practice.

“[In] the initial phases of digital payments growth, India did not have comprehensive data protection legislation,” says Ahluwalia. “The Digital Personal Data Protection Act was enacted only in 2023, and is still not effective. This prompted the RBI and other financial services regulators to enact their own set of rules on data security and protection applicable to licensed entities. However, much of the customer acquisition and product innovation in the payment ecosystem has been driven by non-licensed fintech and technology platforms.”

Ahluwalia says the RBI has, in some cases, required banks and non-banking financial companies to exercise supervisory controls over platforms they partner to ensure adequate fraud control and data security for the end-to-end customer journey.

“While the RBI has found mechanisms to ensure consumer data is safe, a comprehensive data pRotection law that applies to all entities would have been more efficient,” she says.

Digital payments encompass electronic transactions through platforms such as mobile wallets, online banking and the UPI. These systems enable users to transfer funds instantly, using smartphones or computers, and offer unparalleled convenience and speed.

The country’s digital payment landscape underwent significant changes in recent years, propelled by two major events: the national demonetisation exercise in 2016; and the covid-19 pandemic.

Consequently, platforms such as Paytm, Google Pay and PhonePe witnessed rapid growth as consumers gravitated toward safer and more efficient digital solutions. The pandemic acted as a catalyst to this process, accelerating the adoption of contactless payment options amid the need for social distance.

Businesses quickly embraced online payment methods, and the convenience and security of mobile transactions empowered consumers to shop and pay bills effortlessly. This rapid evolution firmly established India as a digital-first economy.

“[But] hasty adoption of rapidly evolving technologies [by businesses and consumers] without adequate financial and technological education [also led to a] rise in digital payment frauds,” says Tiwari.

He says banks’ understanding of the long-term implications is often outpaced by a rush to implement cutting-edge solutions like blockchain and digital payment platforms. This has led to vulnerabilities in cybersecurity, data breaches and system inefficiencies.

Similarly, consumers can struggle to adapt to these technologies due to insufficient education on their use, benefits and risks. This knowledge gap can bring mismanagement of personal finances, susceptibility to fraud, and a lack of trust in the financial system.

“The rapid digitisation of social media and business is providing diversified entry points for sophisticated fraudsters implementing identity and data theft methods to acquire sensitive information,” says Tiwari.

AI: Ease or strain?

Experts say sophisticated artificial intelligence (AI) tools have also made it easier for bad actors. AI tools help them create fake websites and platforms that outwardly look legitimate, making it harder for consumers to differentiate fake from real.

“AI possesses extraordinary potential to drive both positive and negative changes across … business and society,” says Delhi-based Nachiketa Vajpayee, partner and head of litigation at
SolicitorsIndia Law Offices.

“For fraudsters, it offers a vast arena to develop increasingly creative scams. Fraudsters leverage AI and machine learning to create deepfake videos, clone voices and deploy chatbots for blackmailing and extortion, making their schemes sound more authentic during vishing and phishing attempts.”

Another contributing factor is the difficulty of apprehending fraudsters, says Vajpayee.

He says complex digital algorithms, combined with lax policing in India, give criminals an advantage over the legal system, and embolden them to commit cybercrimes.

“The penalties for such offences are relatively light,” he says. For instance, under sections 66C and 66D of the Indian Income Tax Act, the punishment for vishing and phishing is limited to a prison term up to three years, a fine of up to INR100,000, or both. “This is an insignificant deterrent compared to the substantial amounts these individuals often collect through fraudulent activities,” he says.

Fraud without borders

As digital payments expand, fraudsters are increasingly exploiting cross-border transactions. This is leading to financial losses in trade or remittances with India.

“One of the big areas where digital payments can offer solutions and reduce costs is cross-border payments for trade,” says Ahluwalia.

“UPI payments are already live under several international partnerships. Cross-border payments, however, pose an increased challenge for fraud control. Digital payment rails cut across borders, involving multiple regulators and no single supervisory central bank. Also, lack of standardised know your customer [protocols] and reporting procedures make it harder to track and monitor cross-border transactions.

“Enabling safe and secure digital cross-border payments at scale will require a co-ordinated effort across multiple central banks and jurisdictions, which makes it much more complex than domestic payment transactions.”

In response, neighbouring countries have been forced to bolster their vigilance and invest in enhanced cybersecurity to effectively combat fraud, according to Tiwari.

For instance, in June 2023, the UK’s Payment Services Regulator (PSR) announced a new contingent repayment model that will require UK payment service providers to reimburse all customers who fall victim to authorised push payment (APP) fraud.

There are limited exceptions: cases where a victim ignored a warning from the payment service provider, made a payment without a reasonable basis for believing the transaction to be genuine, did not follow established procedure, or was guilty of gross negligence in the payment.

Similarly, in December 2022, the Chinese government effected its Anti-Telecom and Online Fraud Law. The law requires payment service providers to: conduct client due diligence checks; manage risks including by monitoring abnormal accounts and suspicious transactions; and take preventive measures while dealing with payments and remittances.

“India’s rapidly growing digital sector could benefit greatly from implementing such measures and ensuring that transactions, as well as cross-border transactions, maintain a consistent level of security and protection from fraud,” says Tiwari.

Vajpayee says countries like Sri Lanka, Nepal and Bhutan are collaborating with India to strengthen the security of digital payment systems, particularly those using UPI infrastructure. “Bhutan’s UPI adoption and Sri Lanka’s fintech partnerships highlight a regional effort to align payment systems with India’s robust standards,” he says. “These collaborations, alongside upgrades to local payment infrastructures, aim to curb cross-border fraud amid growing trade and remittances.”

Guardians of trust

Tackling digital payment fraud demands a unified approach, prioritising education and support systems to equip financial institutions and users to adapt to this technological evolution. Sumes Dewan, managing partner at Lex Favios in New Delhi, says legal experts can play a vital role by advising banking clients on how to guard against these threats and protect operations and customers.

“They can help companies establish robust data protection policies in compliance with the Digital Data Protection Act, 2023, and adopt stringent identity verification processes for official communications,” he says.

“For individuals, legal experts can educate clients on identifying scam tactics and encourage them to be wary of unsolicited communication, especially those that ask for sensitive information or payment.”

Dewan suggests legal experts should encourage clients to quickly report scams to local cybercrime units, the police and relevant regulatory agencies. Prompt reporting helps authorities track fraud patterns, identify perpetrators, and build databases of common scam methods to prevent future crimes.

Clients should also be guided on how to report effectively and be assured that they can do so without fear of judgement. Platforms like the National Cybercrime Reporting Portal and Chakshu, a portal for reporting suspected fraudulent communications, enable users to report cyber and telecoms-related fraud easily, often with options for anonymous submissions.

Additionally, Dewan advises his clients to save all evidence of suspicious interactions, such as messages or transaction records, as these can be critical for investigations and legal action.

Vajpayee recommends businesses and financial institutions adopt a comprehensive strategy of fraud control, employee training, management oversight, and customer education.

His advice includes establishing a dedicated fraud control unit of experts in fraud risk management. To address emerging threats, these professionals should be well-versed in the institution’s products, security protocols and fraud detection methods.

Vajpayee says regular training for fraud unit staff will ensure familiarity with governance frameworks, compliance and the latest prevention technologies, enabling proactive threat responses as well. Higher up the ladder, boards and audit committees should monitor anti-fraud programmes and enforce accountability through well-defined roles.

“By adopting these layered fraud prevention strategies, businesses can strengthen their defences against digital payment fraud, protect customer assets, and foster a secure payments environment,” says Vajpayee.

Sharpening focus

While the RBI is central to the discussion on fraud prevention, Vajpayee says the narrower issue of digital payment fraud is complex and sufficiently pervasive to merit a distinct focus, separate from broader financial fraud discussions.

“By striking a balance between promoting innovation and ensuring stability, India can navigate this digital transformation successfully, leveraging its benefits while mitigating potential downsides,” says Vajpayee.

“The RBI’s proactive approach in regulating and guiding this transformation will be crucial in shaping the future of the financial sector.”