India’s digital payment system (UPI) is growing rapidly, but it is also attracting cybercriminals who are finding new ways to steal money. A report from cybersecurity firm CloudSEK had originally claimed that fraudsters are using advanced tools to bypass security protections in UPI apps and carry out unauthorised transactions. The National Payments Corporation of India (NPCI), which runs the UPI network, has however said that the platform has multiple security layers.

After reports of the ‘Digital Lutera’ controversy broke out, the NPCI released a media statement, clarifying its stand on the matter. “NPCI has examined the report and clarifies that robust checks and safeguards are already in place to address such risks. UPI is designed with multiple layers of security and authentication mechanisms to ensure that transactions remain safe and secure,” stated the NPCI.

“NPCI continues to work closely with banks and ecosystem partners to monitor risks and strengthen security measures, ensuring that digital payments remain safe and reliable for users,” it added.

Fraudsters claimed to use new toolkit

The report, which has since been removed from the CloudSEK blog, stated that cybercriminals are using a toolkit called “Digital Lutera” to bypass security features in UPI apps. This tool allegedly allows attackers to access a victim’s account and make transactions from different devices without raising immediate security alerts. The researchers also stated that several groups are sharing this toolkit on messaging platforms like Telegram. These groups reportedly have hundreds of members who exchange information about fraud techniques and methods.

Once criminals gain access to a victim’s account, they can transfer large amounts of money within a short time. In some cases, the stolen money is moved across multiple accounts within 48 hours to avoid detection.

However, the NPCI has clarified that the UPI system has been designed with multiple safeguards to avoid such frauds. The corporation also states that it works with partner banks and other involved institutions to monitor risks and update its security measures.

How to steer clear of UPI-related scams

Most UPI-related frauds begin with a fake or malicious app, which victims are exposed to via a web link shared through SMS, messaging apps, or social media. The malicious actors ask them to download an APK file, which is often disguised as something harmless, such as a traffic challan notice, courier update, or even a wedding invitation.

After the app is installed, it secretly takes control of certain permissions on the phone. This can allow criminals to manipulate the device’s security system and gain access to the files and apps on the device. In some cases, attackers can even mirror the victim’s phone activity, making it easier for them to carry out financial transactions remotely.

Cybersecurity experts say the best protection is awareness.

– Users should avoid downloading apps from unknown links and should only install applications from official app stores.

– Checking suspicious messages carefully and not sharing sensitive banking details can also help reduce the risk of fraud.