As Merchant Transactions Go Online, Payment Firms Grapple With Rising Fraud Risk
The silhouette of a person is seen typing on a laptop computer. (Photographer: Daniel Acker/Bloomberg)

As Merchant Transactions Go Online, Payment Firms Grapple With Rising Fraud Risk

As businesses go online, peer-to-merchant transactions are growing steadily for most digital payment companies in India. But the risk of fraud is also higher than payments made to peers, prompting firms to look for ways to weed out bogus merchants and pre-empt frauds.

Payments via the unified payment interface have surged in 2020 amid the Covid-19 pandemic. While a large chunk of these payments is still peer-to-peer, the share of P2M payments has also risen. The value of P2M transactions nearly tripled over the past six months to Rs 61,046 crore in November, according to data from NPCI.

It’s the latter category that is more susceptible to frauds.

“The chances of a customer knowing the other party in a peer-to-peer transaction are higher, compared to P2M where you generally do not know your seller fully well, increasing the chances of fraud in such cases,” said Akshay Garkel, partner at advisory firm Grant Thornton India LLP.

Anuj Bhansali, who heads the trust and safety division at payments platform PhonePe, said a lot of fake merchants tie-up with large aggregator platforms, which leads customers to believe that they are genuine. “As UPI is an interoperable system, the challenge we face regularly is with blocking payments initiated using other payment platforms or e-commerce websites. In such cases, we have no visibility if the merchant is genuine or not.”

PhonePe claims to have the highest P2M transactions among digital payment companies in India. In November, the company said it had a 40% market share in by P2M transaction volume and value, and nearly 1.5 crore merchants registered on its payment application.

While individual company data on P2M transactions were not available publicly, Paytm comes a close second if wallet-based transactions are included, according to an industry source who did not wish to be named, followed by BharatPe that claimed to be number third in November.

While Paytm and BharatPe declined to comment, Google Pay and Mobikwik did not respond to BloombergQuint’s query on checks and balances put in place to curb fraudulent P2M transactions.

Common Frauds

While there are many ways how frauds happen in the course of P2M transactions, here are some of the most common examples of such scams that users must watch out for.

Sending Collect Calls: This is a common type of fraud prevalent in the P2M segment. A customer is sent a ‘collect payment’ call using a similar virtual payment address as theirs. The customer ends up approving it thinking the payment request is for them.

In other cases, a genuine merchant or a customer trying to sell goods on a website may be contacted by a fraudster, who would agree to buy their good/s at an attractive price and would then send a ‘collect call’, asking the user to click on the link to authorise the payment. Once the customer clicks on that link, the money gets deducted from their account, instead of them receiving the money.

Fake Seller Websites: Cybercriminals could create websites that are an exact replica of genuine e-commerce websites, with attractive pricing to lure customers. An example of that could be a website link for buying a popular smartphone at half its original price. The customer is lured by the pricing and clicks on a link or scans a QR code in the website to make the payment. Once the payment is made, the mobile phone is not delivered to the customer and the link stops working in a day or two.

Requesting To Share Screen: A fake merchant would trick a customer into sharing their screen using a remote desktop software tool under the garb of assisting them with the payment and get access to their passwords and UPI PIN in the process.

Grievance Redressal: A customer would post their virtual payment address or VPA and contact number on a social media website to claim that a fraud has happened with them. A fraudster would then call them masquerading as a grievance redressal officer from the merchant’s side, and ask them to click on a link (usually a collect payment link for their own VPA) to initiate a refund, and would end up wiping the customer’s account.

Using a popular cause: A cybercriminal could use a popular cause, such as ‘Vaccine For Covid-19’, with a fake social service website and false phone numbers, to lure customers into donating for the said cause.

How Payment Websites Are Dealing With P2M Frauds

“There is no doubt that P2M is a growing focus area for payment service providers who are competing to grab a higher market share of such payments,” said Deepak Abbot, a former senior executive at Paytm and founder of fintech firm indiagold.

“For P2M transactions, most cybercrime attacks are social engineering hacks and consumer awareness is the key to preventing such frauds. However, payment companies are increasingly focusing on strengthening their cybersecurity software to detect and in some cases, even pre-empt such phishing attacks,” he added.

Social engineering attacks take advantage of human instincts by tricking victims into revealing confidential information, such as credit card details, passwords, etc.

Bhansali of PhonePe said the company’s fraud analysis team works several options to curb frauds. These include real-time evaluation of a merchant based on transaction behaviour, monitoring any sudden change in transaction sizes, and reviewing details of merchant accounts transacting with them.

“If the transaction decline rate of a merchant is high, say around 70%, we would tag them as high-risk and monitor their activities and try to assess the reasons for a high failure rate. Based on the account review process, the company takes a call on blocking the account if it is found to be fake,” said Bhansali.

Other ways of detecting suspicious activities include running checks on display names of merchants. “If we find that a lot of customers are using similar VPAs, say ‘Oladriver123’, the system alerts us and we run a check on why so many merchants are using a single brand name,” he added. The same checks would be run for popular campaigns slogans such as ‘vaccine relief fund’.

While most payment companies follow regular know-your-customer norms for registering new merchants, registering small businesses with average transactions of below Rs 15,000 a month, street vendors, or those working out of their homes or are completely online, is still a challenge as such merchants may not have all the necessary documents, said Abbot. “That is where most frauds happen, and payment companies struggle to curb them as they do not have enough details of such merchants.”

Kunal Pande, partner at KPMG in India suggests that there could be added layers of authentication. As an example, for transactions that are not typically associated with a customer’s profile based on their historical data, could be asked to be re-confirmed by them or the payment can be parked within an escrow account until the product/ service receipt is confirmed by the customer, he suggested.

According to guidelines released by the RBI for payment aggregators and payment gateways, last updated in November 2020, besides a background check of the merchants, non-bank payment aggregator platforms and non-bank entities (where wallets are used as a payment instrument) must remit the amount deducted from the customer’s account to an escrow account maintaining bank on the day or one day from the date of debit from the customer’s account.

“This RBI direction could prove extremely useful for further curbing fraudulent transactions, as the time window allowed for remittance to the merchant accounts could be used for verifying if the merchant accounts are genuine and also take actions, in case complaints are raised by customers,” said Pande.

Payment companies, said Garkel, also need to put in robust systems for improving business intelligence and pickup suspicious behaviour through a unified platform, for example, if someone reports a fraudulent mobile number on one app then the intelligence should be shared on the other apps as well.

“Presently, payment service providers are relying mainly on pure analytics to curb frauds, but as more use cases emerge, they must mature the cognitive intelligence within their systems to track, alert and take automatic calls if anything suspicious is observed,” he said.

However, payment companies must rely on adequate data to make decisions on black-listing certain merchants. “There could be false positives if the data being relied upon is not adequate and the system may end up blocking genuine merchants, which could lead to brand reputation issues,” cautioned Garkel.

BQ Install

Bloomberg Quint

Add BloombergQuint App to Home screen.