Highlight

• Cybercriminals are utilizing the latest OTP bypass techniques to deduct money from bank accounts.
• As a victim of this new fraud technique, users are not receiving any OTPs and cybercriminals are getting massive windows to steal money.

Scam Alert! Cybercriminals can bypass OTPs now!!!

Yes, you read it right and it’s time to know more about this new cybercrime technique.

Beware of a new trick that online cybercriminals are using to steal money from people’s bank accounts.

These cybercriminals are getting clever and finding ways to take your money without you knowing.

Recently, there have been cases where hackers are targeting online bank accounts bypassing OTP mechanisms and making off with large sums of cash.

Here’s how it works –

Normally, when you transfer money online, you receive a one-time password (OTP) on your phone to confirm the transaction.

But in this new scam, victims are not getting any OTP, and their money is disappearing mysteriously.

The hackers are adding unknown beneficiaries to the victims’ online bank accounts without their knowledge.

This means someone else is given access to their account, and money is being taken out without the victims approving it.

In one case in Gujarat, India, a businessman lost nearly Rs. 1 Crore because his online bank account was hacked.

The scary part is that he didn’t even know his account had been compromised until he saw the huge loss.

The police are investigating this frightening online scam.

They’ve found that after these unknown beneficiaries are added, victims lose a lot of money—sometimes in the hundreds of thousands.

The police suspect there might be a loophole in the system that the hackers are exploiting to add beneficiaries without the usual OTP verification.

It’s important to be aware of this new kind of crime and take steps to protect yourself.

Even though the criminals aren’t directly interacting with victims or hacking smartphones, they’re finding ways to steal money from online bank accounts.

Keep an eye on your bank statements, and if you notice anything suspicious, report it to the authorities.

Stay informed and take precautions to safeguard your money from these online scams.

Popular OTP Bypass Techniques Used by Cybercriminals

SIM Swap Attacks

Hackers commonly employ the SIM swap technique to bypass OTPs.

In this method, they persuade mobile service providers to transfer a victim’s phone number to a SIM card they control.

This grants them access to the victim’s OTPs, effectively sidestepping the intended security measure.

Man-in-the-Middle (MITM) Attacks

In MITM attacks, hackers intercept communication between users and service providers, enabling them to acquire the OTP.

This can be achieved through various methods, such as compromising public Wi-Fi networks, DNS spoofing, or infecting devices with malware.

Once the OTP is intercepted, hackers can gain unauthorized access to sensitive information.

Phishing Attacks

Phishing attacks remain a popular method for stealing OTPs.

Hackers create convincing replicas of legitimate websites or applications, tricking users into providing their credentials and OTPs.

These phishing attempts are often distributed via emails, text messages, or even social media platforms, taking advantage of users’ trust in familiar communication channels.

How to Protect Your Bank Account from Hackers?

• If you use online banking, make sure you regularly monitor your bank statements and transactions for any suspicious activity.
• You should also enable transaction alerts and notifications on your mobile phone. This will ensure you receive immediate updates on any activity in your account.
• It is important that you use strong, unique passwords for your online banking accounts and update them regularly.
• Online banking users must enable two-factor authentication (2FA) whenever possible/ This adds an extra layer of security to the online banking login process.
• Users should also avoid accessing their bank accounts on public or unsecured Wi-Fi networks to prevent potential interception of their sensitive information.
• Always be cautious of phishing attempts, and as a rule, never click on links or provide personal information in response to unsolicited emails or messages claiming to be from your bank.
• Keep your devices, including smartphones and computers, updated with the latest security patches and antivirus software.
• Regularly review and update the security settings on your online banking accounts to ensure maximum protection.
• Consider using a secure and reputable virtual private network (VPN) when accessing your bank accounts from public places.
• Educate yourself about the latest security threats and best practices to stay informed and proactive in safeguarding your bank account.

FAQs

Q1. Can fraudsters take money from accounts without OTP?

Answer. Now, as per the latest reports, the fraudsters have discovered yet another way that is even more dangerous.

A recent incident that happened with a person will make you understand that scammers don’t even need an OTP. In this new method, your UPI, which is linked to your bank account, is targeted.

Q2. What is OTP in online banking?

Answer. OTP, One Time Password, are that four to six-digit code that pops up on your screen every time you use your Debit or Credit Card for an online transaction or a NetBanking transaction.

Q3. How to find my OTP code?

Answer. To get an OTP code, you need to enter your phone number or email address when prompted by the service you are trying to access.

The service will then generate a code and send it to the user’s device. Depending on the service, the code may be sent via SMS, email, or even an in-app notification.

Q4. What is SIM swap fraud?

SIM switch fraud happens when fraudsters use your phone number to access a victim’s accounts by exploiting a flaw in two-factor authentication and verification.

For SIM switching, fraudsters contact the SIM provider of your mobile phone and convince them to activate a SIM card that belongs to them.

Once the fraud SIM is activated, the scammers have control over the victim’s phone number and they can receive control calls or texts on.

Q5. How fraudsters can trap you?

1. Phishing scams

Fraudsters can send you unauthorised payment links via SMS. These fake bank URLs will look almost identical to the original URL.

If in a hurry you click on that link, it will direct you to the UPI payment app installed on your phone and will ask you to select any of the apps for auto-debit. Once, you give permission, the amount will get debited from the UPI app instantly.

Rajesh Mirjankar, MD & CEO, Infrasoft Technologies, a Mumbai-based fintech firm said, “Do not click on links in any SMS, especially those from unknown agencies. It could be an attempt to skim money from your account via UPI app. Also remember, the name is not everything on the Internet. For example, www.my.banker.com is not the same as www.mybanker.com. Make a note of the official website and official email ID of your banker, stockbroker, etc., directly from their representatives or official website.”

Also, by clicking on the fake URL, it may infect your phone with a virus/malware designed to steal the financial information stored on the device.

Further, Pranjal Kamra, CEO, Finology, a Raipur-based Fintech firm, said, “You should never search for the customer care number on Google. If you have an issue with your transaction, register a complaint on the platform itself or get the number from the official website. With random Google searches you might end up calling a fake call centre,” he said.

2. Remote screen mirroring tool

Not all digital payments app present on the on google play or apple app store are authentic, especially the unverified ones. Once you download an unverified app, it will take information from your phone and can have full control of the device.

Apart from this, fraudsters also conduct scams by posing as bank representatives who will ask you to download a third-party app for “verification purposes”.

Once downloaded, these apps will give them remote access to your phone.

3. Deceptive UPI handles

Just because a UPI social media page (Twitter, Facebook, etc.) has the word NPCI, BHIM or names similar to any bank or government organisation in it, does not make it authentic.

Many tricksters create such handles to make you reveal your account details through a fake UPI app.

Kamra’s advice is that one should not post their contact information on social media while trying to connect with a UPI brand. Generally, people put screenshots of message received on UPl handle. “The brand might not be able to reach your post, but a fraudster might notice it and contact you.”

4. Scams using your OTP, UPI PIN

Bala Parthasarathy, Co-founder and CEO, MoneyTap, a Bengaluru-based fintech firm said, “A recent UPI fraud is hackers sending “request money” links to the customer. Once the customer clicks on the link and authorises the transaction thinking they’ll receive money, the amount gets deducted from their account.”

Another thing to be mindful is the OTP. When you make a transaction through your chosen UPI app, you are either required to enter the one-time password (OTP) or UPI PIN.

For OTP authentication, your bank sends you an OTP through SMS on your mobile number registered with the bank. Once the OTP is verified, your transaction is processed.

Parthasarathy said, “One of the classic ways in which fraudsters try to scam people is by convincing them to share their UPI PIN and/or OTP over the phone. Once they have the details, they can authenticate UPI transactions and steal money from the customer’s account.”

Never share confidential details like UPI PIN, OTP, etc. with anyone on the phone. Also, banks never call you to ask these details.

Q6. What should you do in the case of digital fraud?

Sujay Vasudevan, Vice President, Cyber & Intelligence Solutions (C&I), Mastercard said that along with the application of best-in-class technology to prevent fraudulent transactions, the onus of keeping one’s money safe lies with both – the banking and payment entities and the individuals. “Therefore, you need to be vigilant and stay guarded against fraudsters and avoid sharing confidential details like PIN, OTP etc. to keep your money safe,” said Vasudevan.

Here are some things you can do to keep your money safe from fraudsters.

Government agencies, banks and other financial institution never ask for financial information via SMS. In the case of a UPI fraud, report it to the bank or e-wallet firm and get the wallet blocked to prevent further losses. You can even report the incident to the police or the cyber-crime cell.

You should download only those apps which are authentic and verified by Google Play Store or Apple Store.

Never ignore the spam warning you get on your phone through the digital payments app. If a user has been reported earlier, a warning would show up while you are transacting with them. UPI apps like Google Pay, PhonePe, etc., alerts the user with a warning if they are receiving a request from an unknown account.

Q7. What is UPI Fraud?

UPI fraud refers to fraudulent activities and scams that take place within the Unified Payments Interface (UPI) system in India with reference to UPI based digital transactions.

Fraudsters use various tactics to deceive individuals and exploit vulnerabilities in the UPI ecosystem.

Fraudsters often trick you into revealing their UPI PIN or personal information, enabling them to access your bank accounts and carry out fraudulent transactions.

Q8. How Do Hackers Execute UPI Fraud?

It’s been observed that fraudsters follow a pattern whilst executing these elaborate plans. As a result, we’ve managed to weave a stepwise timeline of how these plans are generally performed.

Let’s take a look at how UPI fraud occurs:

Step 1: It all starts with a random call. Fraudsters usually call targets to get their attention, as opposed to texting. They commonly disguise themselves as a bank representative, calling for a seemingly harmless issue.

Step 2: To make the call sound legit, they proceed to ask verification questions like your date of birth, name, or mobile number.

Step 3: There is always a problem. Hackers use technical difficulties in the app or website to talk to you. They usually weave false stories that convince you to forfeit your personal information to resolve the issue.

Step 4: Once the fraudster has convinced you, they ask you to download an application on your phone. Some of these apps are AnyDesk and ScreenShare, which are available on the Google Play Store.

Step 5: While downloading AnyDesk or a similar application, it asks for privacy permission, like other regular apps. But don’t be fooled; these apps can access everything on your phone.

Step 6: The fraudster will then ask you for a 9-digit OTP generated on your phone. As soon as you reveal the code, the hacker will also ask to grant permission from the phone.

Step 7: When the app acquires all permissions required, the caller starts to take complete control of your phone without your knowledge. After gaining full access to your phone, the hacker steals passwords and begins transacting with your UPI account. Thus, you become one of the many victims of UPI fraud.

Also Read: Delhi Woman Duped of Rs 6 Lakh in Online Matrimonial Scam

Also Read: 83-Year-Old Retired Government Official in Kolkata Scammed Online, Loses Rs 2.5 Lakh

Also Read: Mumbai Doctor Loses Rs 1 Lakh to Online Scam Over Rs 300 Lipstick Purchase

Also Read: Mumbai Man Cheated of Rs 90,000 in Online Loan Scam Originating from Facebook Ad

Also Read: Woman Loses Rs 80,000 to Online Scammers After Paying Rs 5 Handling Fee