India is moving towards a digital economy. But the convenience of paying at the click of a button comes with a cautionary note.
21-year-old Akshay Agarwal learnt a bitter lesson when he tried to upgrade his Paytm account. He left a message on the Paytm app asking to upgrade his account limit. As expected, he received a call to verify his KYC details, but he didn’t expect what happened next.
“I messaged the Paytm department via their app itself and received a call in half an hour. The person who called had all my details and credentials like my Paytm transaction details were with him. He claimed to be a Paytm agent and he knew my query, he put my call on hold and asked me that I should open my app. After 5 minutes of the conversation and keeping my call on hold a transaction of Rs 46,995 took place”, said Akshay Agarwal.
The caller, posing as a Paytm agent, managed to keep Akshay engaged for 5 minutes, during which he swindled money from his account. Investigation later revealed that the transaction was directed to Billdesk and traced to the international e-commerce website eBay.
What followed was a harrowing struggle to get his money back.
“I was very disappointed, I mailed Paytm that the transaction was unauthorised. They told me that the transaction is authorised and they can’t refund my amount. They closed my request and said the amount can’t be refunded”, said Akshay.
He then approached the economic offences wing and registered an FIR.
Cyber security experts point out possible scenarios, one of which is hackers ‘cloning’ the phone details. A hacker identifies the victim and tries to install a bug or a virus on his phone via innocuous-looking messages and emails. The hacker then tries to obtain details from the victim, and the account is compromised.
“You won’t realise it but the hacker will send an email asking you to upgrade your app and install a ‘zero bug’ which can track all details on your phone. Then they call you and ask you to open your app. In this case, the fake caller asked the victim to open the Paytm app and accessed all details”, said Mohit Yadav, Director, Bytecode Security.
Cyber security experts claim that the bug installed on the victim’s phone helps the attackers bypass OTP authentication, and the transaction is completed within minutes, before anyone can detect the crime.
Though Akshay claims he received his One-Time Password intimation and didn’t share the details, Paytm has claimed it has investigated the matter.
“It is a fake call racket which is being investigated and the customer has shared his login details without which the transaction cannot happen”, said a Paytm spokesperson in a statement to India Today.
But for Akshay, the fight now is to get his money back. He conducted an investigation of his own to trace the hacker’s transaction to eBay in an attempt to stop it. He later shared the details with Paytm, which has assured him that it is investigating the matter.