I threw a curious look as if asking if the manager was wanting something more to be served when the bill had already been presented. To this, he meekly revealed that he shared his card PIN with the waiter so that he wouldn’t have to get up and go up to the billing counter and make the payment by punching the PIN himself. I was aghast at his admission!

It is natural to feel lazy after a heavy meal at a fancy restaurant, heavy enough to not get up from the seat and walk up to the billing counter to pay the bill. But sharing your card PIN is not just an insecure practice, it may also be in violation of the cardholders agreement that you have in place with the Bank that issued you this Card.

Remember these tips when making a payment at Find-dining Restaurants and Fastfood Chains alike

1. Never share your Card PIN
2. Ask for the waiter to bring the POS machine to your dining table and discretely enter your PIN after verifying that the amount is correct
3. If the restaurant does not have a portable POS machine, walk up to the billing counter and punch your PIN there
4. Keep an eye on the Card and never let it out of sight (some restaurant staff have known to mischievous and compromise card data in the past investigations)
5. If your Card is contactless and the bill amount is within limits, pay through contactless (that way, you won’t have to enter any PIN and no chance of eavesdropping)

Remember: Protecting your sensitive data is in your own interest and first step towards fighting cyber crimes.

This magnitude of the digital payments has naturally made it lucrative for Fraudsters too to attack unsuspecting customers and merchants alike through a variety of frauds. However, today we talk about one such fraud that is perpetrated through Fake Payment Apps which have come into existence. This is not carried out by some third party on unsuspecting customers, this is a first party fraud carried out by the customers themselves on unsuspecting Merchants.

Modus Operandi

1. Fraudsters install a Fraudulent Payment app on their phones / devices
2. After purchases at the store, at the time of making payment, they open this app and pretend to scan the QR Code
3. They would actually be typing the Name and Phone Number (read from the QR Code display and type it manually while the merchants believe the user is typing amount
4. The spoof app produces a dummy “Payment Successful screen as displayed below
5. This screen is showed to Merchant who believes that the payment is successful – especially small-time merchants who are not very technology savvy

Left: Screen on Fraudster’s phone to enter the Merchant and Payment details	Right: Screen displayed to Merchant making them believe Payment went through

Magnitude of Fraud

Since this Fraud is localized to the Merchants, the Banking System does not come to know about such frauds. The Merchants at best may contact their Acquirer Banks or Wallet Providers to find out why the payments didn’t go through. The Service Providers/Acquirers who have no clue about these payments can’t be of much help and Merchants in turn may be dissatisfied with their Acquirer Bank.

List of Fraudulent Apps

Before I provide a list of such apps, here is a word of caution. OK! make that several sentences

1. These apps may be legal but the acts perpetrated may be illegal
2. Spoofing a payment this way is a punishable offense under various sections of Indian Penal Code
3. Since these apps cannot be distributed through the usual Apple App Store or Google Play Store, they are distributed as .apk installers on Android platform, hence they are potentially unsafe
4. Such apps could install virus/malware on your phone or compromise data on your phone

Since the publishers of these apps call them as Prank Apps and distributed directly, it is possible that these apps do not come to the attention and scrutiny of Google Platform or the Police Department. It is possible that some of the links beow

• Spoof PayTM App
• Google Pay Spoof App
• Prank Payment App

How to Protect Yourself?

If you are a Merchant or often receive digital payments from different people through such apps as GooglePay, PhonePe, PayTM or AmazonPay, it is important to be vigilant and not be defrauded. Here are some simple steps you can take

1. Enable and check SMS or in-app notifications for all payments
2. If you have PayTM Account, install PayTM for Business on Phone/Device and active Sound Alerts
3. You can also buy a PayTM Soundbox and activate it. Every time there is a successful payment, an announcement happens on the sound box
4. Check the balance after each transaction. If your app is crashing for some reason (can happen at times), safeguard your interest by following additional measures mentioned below
5. At shops, ask the customer to show the confirmation once again, observe it closely for any name misspellings or number mistype (since the names and numbers are manually entered in a hurry and under pressure of committing a crime, there is a chance that the values are incorrectly typed
6. Place the QR codes at places in the shop such that when the customers scan the QR codes through phone, you can see their screen. While this is not always possible due to shop layout, try to make adjustments in the QR code placement or place mirrors at strategic places if your business supports it

While this type of fraud is very difficult to catch, the shopkeepers’ presence of mind can prevent their losses and falling pray to such spurious elements.

Now, have you come across any more such apps? Do you have a better tip or trick to prevent yourself from such frauds? Do let us know by commenting below.