含羞草社区

India’s progress in developing a cutting-edge digital payments system and its widespread adoption of online banking over the past decade have positioned the country as a global leader in technology-driven financial inclusion.

However, the rapid growth has exposed gaps in law enforcement’s ability to address payment fraud. The popularity of these payment systems has increasingly drawn fraudsters, identity thieves and various other cybercriminals, presenting significant challenges in safeguarding the country’s digital payment systems.

India’s Unified Payments Interface (UPI) is an instant real-time payment system to facilitate interbank transactions through mobile phones. According to the Reserve Bank of 含羞草社区 (RBI) latest annual report, the value of UPI transactions climbed 137% in the past two years, to INR200 trillion (USD199 billion).

But digital payment fraud in India has skyrocketed fivefold, surging to INR14.57 billion in the fiscal year ending March 2024, the RBI said.

Experts highlight cybersecurity as a critical challenge for the country’s digital payment infrastructure. The rise in digital payment fraud can be attributed to factors including limited awareness and vulnerabilities within that infrastructure.

Indian media have highlighted a fraud that has left authorities rattled. In Hyderabad, an elderly woman and her daughters endured a harrowing 17-day digital house arrest, losing INR55 million to cybercriminals impersonating Central Bureau of Investigation (CBI) officers.

The ordeal began on 13 November 2024, when 67-year-old Bharti Bai Agarwal received a call falsely accusing her Aadhaar-linked phone of involvement in money laundering. The fraudsters, identifying themselves as CBI officers Saurabh Sharma and Ajay Gupta, manipulated her into connecting via Skype, holding the family virtually captive. The Telangana Cyber Security Bureau (TGCSB) has registered a first information report (FIR) and launched an investigation.

“The vast increase in UPI transactions has led to a steep increase in digital payment fraud due to the exploitation of new payment and authentication technologies such as QR codes, virtual identification, and one-time passwords (OTPs),” says Anu Tiwari, a Mumbai-based partner at Cyril Amarchand Mangaldas. Tiwari works in the CAM finance regulatory practice area and advises banks, finance and fintech companies.

“Scams such as authorised push payment fraud, where a consumer is misled into making an illegitimate payment to a criminal, have become an easily accessible avenue for fraudsters who can take advantage of underlying payment infrastructure and technologies such as QR codes to impersonate merchants or bank personnel.”

According to Tiwari, the past decade’s rapid technological advancements and proliferation of social media have significantly expanded the scope for social and financial fraud. Consumers’ online presence grows as they increasingly engage with digital platforms, creating more opportunities for fraudsters to exploit vulnerabilities.

Social media profiles are often filled with personal information. They become rich targets for identity theft and phishing scams. Fraudsters leverage advanced techniques, including fake profiles, malicious links and social engineering, to deceive unsuspecting users.

Meanwhile, regulators and consumers struggle to keep pace with the cybercriminals. Tiwari says this underscores an urgent need for enhanced digital literacy and stringent cybersecurity measures.

However, the issue of digital payment fraud is more deeply rooted, says Delhi-based Shilpa Mankar Ahluwalia, a partner in Shardul Amarchand Mangaldas’s banking and finance practice.

“[In] the initial phases of digital payments growth, India did not have comprehensive data protection legislation,” says Ahluwalia. “The Digital Personal Data Protection Act was enacted only in 2023, and is still not effective. This prompted the RBI and other financial services regulators to enact their own set of rules on data security and protection applicable to licensed entities. However, much of the customer acquisition and product innovation in the payment ecosystem has been driven by non-licensed fintech and technology platforms.”

Ahluwalia says the RBI has, in some cases, required banks and non-banking financial companies to exercise supervisory controls over platforms they partner to ensure adequate fraud control and data security for the end-to-end customer journey.

“While the RBI has found mechanisms to ensure consumer data is safe, a comprehensive data pRotection law that applies to all entities would have been more efficient,” she says.

Digital payments encompass electronic transactions through platforms such as mobile wallets, online banking and the UPI. These systems enable users to transfer funds instantly, using smartphones or computers, and offer unparalleled convenience and speed.

The country’s digital payment landscape underwent significant changes in recent years, propelled by two major events: the national demonetisation exercise in 2016; and the covid-19 pandemic.

Consequently, platforms such as Paytm, Google Pay and PhonePe witnessed rapid growth as consumers gravitated toward safer and more efficient digital solutions. The pandemic acted as a catalyst to this process, accelerating the adoption of contactless payment options amid the need for social distance.

Businesses quickly embraced online payment methods, and the convenience and security of mobile transactions empowered consumers to shop and pay bills effortlessly. This rapid evolution firmly established India as a digital-first economy.

“[But] hasty adoption of rapidly evolving technologies [by businesses and consumers] without adequate financial and technological education [also led to a] rise in digital payment frauds,” says Tiwari.

He says banks’ understanding of the long-term implications is often outpaced by a rush to implement cutting-edge solutions like blockchain and digital payment platforms. This has led to vulnerabilities in cybersecurity, data breaches and system inefficiencies.

Similarly, consumers can struggle to adapt to these technologies due to insufficient education on their use, benefits and risks. This knowledge gap can bring mismanagement of personal finances, susceptibility to fraud, and a lack of trust in the financial system.

“The rapid digitisation of social media and business is providing diversified entry points for sophisticated fraudsters implementing identity and data theft methods to acquire sensitive information,” says Tiwari.

AI: Ease or strain?

Experts say sophisticated artificial intelligence (AI) tools have also made it easier for bad actors. AI tools help them create fake websites and platforms that outwardly look legitimate, making it harder for consumers to differentiate fake from real.

“AI possesses extraordinary potential to drive both positive and negative changes across … business and society,” says Delhi-based Nachiketa Vajpayee, partner and head of litigation at Solicitors India Law Offices.

“For fraudsters, it offers a vast arena to develop increasingly creative scams. Fraudsters leverage AI and machine learning to create deepfake videos, clone voices and deploy chatbots for blackmailing and extortion, making their schemes sound more authentic during vishing and phishing attempts.”

Another contributing factor is the difficulty of apprehending fraudsters, says Vajpayee.

He says complex digital algorithms, combined with lax policing in India, give criminals an advantage over the legal system, and embolden them to commit cybercrimes.

“The penalties for such offences are relatively light,” he says. For instance, under sections 66C and 66D of the Indian Income Tax Act, the punishment for vishing and phishing is limited to a prison term up to three years, a fine of up to INR100,000, or both. “This is an insignificant deterrent compared to the substantial amounts these individuals often collect through fraudulent activities,” he says.