How banks can keep India's e-RUPI system safe from fraud

Listen to 3 Things Banks Can Do to Secure India’s e-RUPI System (8 mins):

India’s national e-RUPI system launched back in August, marking the nation’s latest effort to build a cashless economy. One of the driving forces behind e-RUPI’s launch is to phase out the usage of paper-based vouchers and cash, which are more vulnerable to fraud. But as we’ve seen with any other system designed to offer fast access to money, fraudsters have a way of exploiting the loopholes. Here’s what India’s banks need to understand to keep the e-RUPI system safe from fraud.

What is India’s e-RUPI System? 

India’s e-RUPI system essentially provides users with a digital voucher to pay for specific purchases. Recipients receive their e-RUPI vouchers through their smartphones either as a QR code or SMS. The Modi administration tweeted e-RUPI’s benefits as: “Cashless and contactless delivery. Connects service sponsors and beneficiaries digitally. Ensures leak-proof delivery of various welfare services.”

The e-RUPI system was developed by the National Payments Corporation of India (NPCI), India’s National Health Authority, the Ministry of Health and Family Welfare, the Department of Financial Services, and 11 Indian banks. It will run on NPCI’s Unified Payment Interface (UPI) platform.  

Who Benefits from India’s e-RUPI System?

The new cashless system is designed to make it easier for India’s unbanked population to access welfare and social services. e-RUPI vouchers are currently only available to pay for medicine, such as COVID-19 vaccines. Recent data suggests 190 million adults in India do not have a bank account. 

This stunning figure means India ranks only behind China for the world’s largest unbanked population. However, according to a different study, more than half of the Indian population has access to smartphones. By offering digital vouchers with a smartphone-based delivery, the government is clearly hoping to make social services more accessible to those who are outside the Indian banking system. After all, it makes sense to reach people where they are – namely, through their smartphones.

A Breakdown of e-RUPI’s Biggest Fraud Risks

Like any new payment method, the e-RUPI system will inevitably find itself a target of fraudsters. Even if the system issues digital vouchers for purpose-specific transactions (in this case, medical treatments), fraudsters have a history of finding innovative ways to exploit the system. 

Because the digital payment system is designed for medical treatments, targeting elderly users will be many fraudsters’ first move. Elderly users are more likely to need the kinds of medical treatments the e-RUPI digital vouchers are intended to cover. However, elderly users might not be tech-savvy and therefore more vulnerable to fraudsters’ scams than their younger counterparts. 

When it comes to e-RUPI, expect to see a rise in account takeover (ATO) fraud. Using social engineering, fraudsters pretend to be government officials. From there, they take advantage of the lack of understanding around e-RUPI and coerce their victims into giving them access to their vouchers. If an elderly citizen is desperate to get treatment, they’ll fall for the fraudsters’ ruse, allowing the fraudster to use the e-RUPI themselves or possibly sell it to someone else at an inflated price.

Some fraud might also happen through collusion with inside parties. One recipient who doesn’t need a procedure might sell their voucher to another party. In another scenario, a hospital staff member could accept the voucher for a medical procedure that the hospital doesn’t really offer – and then cash out the profit for themselves. This type of scheme requires careful collusion and a willingness to commit insider fraud.

3 Tips for Banks to Keep e-RUPI Secure

The e-RUPI system has the support of 11 banks. This means banks will have to play a role to keep the system secure. This effort will be crucial, especially if the system ever expands to new use cases like retail, eCommerce, municipal payments, utilities, or other options. Here’s what banks can do to keep the e-RUPI system safe from fraud.

1. Educate customers

Teaching customers how to protect themselves from fraud is the first and most important step banks can take. Banks should understand the types of fraud scams that are most likely to target users. This awareness campaign should teach customers about how the e-RUPI system is designed to work and warn them not to share their personal information with strangers. This educational effort will go a long way in helping customers to keep their private information and their personal e-RUPI QR codes secure from bad actors.

2. Watch for good device hygiene

Since e-RUPI vouchers are delivered via smartphone, banks should also watch the hygiene of the devices themselves. This means watching for suspicious device patterns that do not match the customer’s known behaviors. For example, if a customer who lives in Punjab is using their specific e-RUPI QR code miles away in a different geolocation like Goa, that’s a red flag that their voucher has been compromised. Banks should also look for patterns such as whether the customer’s phone number matches the one they have on record or the way they interact with their device (how they hold their phone or the way they touch their screen) is deviating from their normal usage patterns.

3. Ensure the voucher’s usage matches its intent

Customers are just one part of the equation when it comes to keeping the e-RUPI system secure. Banks should also keep a close eye on where vouchers are spent. For example, if a voucher is used to pay for x-rays or surgeries at a local hospital, banks should confirm that such services are even available at the facility. If not, then the voucher has probably been compromised or is being misused by the recipient. Or is the address where the voucher is being spent actually a medical facility? As e-RUPI vouchers are disbursed to recipients, banks must connect a wide range of data points to ensure they are being used for medical treatments – or if fraudsters are finding ways to profit from them.

India’s e-RUPI system is a significant milestone in the nation’s effort to go cashless. But like all new digital payment systems, fraudsters will work tirelessly to exploit the system. Banks must take the necessary steps to protect customers from ATO attacks and for patterns that indicate an inside job is in play. Educating customers, monitoring how smartphones are used, and looking for suspicious patterns in how the digital vouchers are used are smart ways to keep the new system secure.

The cashless era is a global phenomenon and it’s here to stay. Download the Feedzai Q3 2021 Financial Crime Report to learn more.