My savings account (also my salary account) is at the SBI, Manikpur branch (09878). Some cybercriminals from Jamtara, Jharkhand, made 11 unauthorised UPI transactions worth ₹9999 rupees each from my SBI account on Friday, September 27, 2019.
I immediately contacted SBI, and the branch manager blocked my account, but he didn’t ask for complaint. Within an hour, I went to the nearest police outpost to register my case (file FIR). Thereafter, I went to the Cyber Cell. I provided all the details of the unauthorised UPI transactions along with my bank passbook and debit card to the cyber police (There was no need for ATM/Debit card in case of UPI transactions). They asked for a complaint addressed to the SP but didn’t register a case. They told me that my money could be refunded if it hadn’t been availed. Later, I was informed that the cybercriminals had availed the money.
The unauthorised UPI transactions were done through Paytm and IDIB (Indian Bank) platforms. Around nine transactions of ₹9999 each were made to the following Paytm UPI id: 9190xxxx81@PYTM0123456.ifsc.npci. After that, the amount was fraudulently transferred to other bank accounts. According to the details of the fraudulent transactions provided by the Paytm Cyber Cell, most of the amount was transferred to the accounts of someone named Ayesa Molla. The mobile number linked to all these account numbers was the same: 90xxxxxx81. However, some other accounts were also involved. Two unauthorised UPI transactions of ₹9999 each were also made to the following account: 65xxxx02@IDIB000K029.ifsc.npci.
Many other mobile numbers were also involved in these transactions. According to the statement of account provided by SBI, the transaction descriptions do not show all the mobile numbers involved in the unauthorised UPI transactions. I received only five SMS for a total of 12 transactions, including one reversal, from SBI.
According to the details of unauthorised UPI transactions provided by UPI Support Team, Navi Mumbai, transaction descriptions are quite different. The Remitter VPA was created by the cybercriminals on BHIM SBI Pay on their devices using their mobile numbers, but the Remitter account number and mobile number were mine. About nine beneficiary mobile (account) numbers are the same (9190xxxx81), while two beneficiary mobile (account) numbers were different (65xxxx02). Nine Beneficiary VPAs were the same, while two were of a single one.
Paytm had provided incorrect information about the account holder’s name. Neither Paytm nor the banks verified the address, identity and KYC documents. The staff involved in such verification could be involved in cybercrime. The cybercriminals created a UPI id using my mobile number without my knowledge (this is the loophole) and made all the transactions from their phones. I was informed about only five of the twelve transactions from my savings account by the bank (SBI) through SMS.
At first, one of the cybercriminals contacted me from mobile number 85xxxx76 at 9:16 a.m. (duration: 31m 32s) on September 27, 2019, and told me he would refund my money (around ₹23000, which was fraudulently transferred to SBI and Allahabad Bank accounts on May 18, 2019, through Mobikwik platform). He sent an encrypted message (already forwarded from the number 62xxxx53) to be sent to another number 92xxxx42.
Later, he sent a link to be opened in my browser. I unknowingly entered the above-mentioned amount(₹23000), and the last four digits of my SBI savings account number and my UPI id in the Google Form opened through this link and submitted it to https://docs.google.com. Just as I submitted the form, unauthorised transactions started from my savings account. My Google Pay account isn’t in use since May 15, 2019, as it had been blocked due to successive transaction failures at that time. So, how did my Google Pay’s 6-digit PIN make successful unauthorised transactions on BHIM SBI Pay?
Paytm and the banks’ staff who are responsible for verification of identity, address and KYC documents should be investigated. My BHIM SBI Pay UPI id had been blocked since May 21, 2019, and my Google Pay account was not in use and had been uninstalled since May 15, 2019, after six successive transaction failures. My ICICI bank account xxxxxx13 and not SBI account number xxxxxx88 is linked to it since then. My BHIM SBI Pay account has no transaction history as my earlier transactions had failed due to unknown reasons, and my id had been blocked due to successive transaction failures.
When I reached out to SBI, they replied, “the fraud was committed perhaps by you”. After my strong reaction against this remark, @TheOfficialSBI stopped responding to me.
It seems that the SBI and Indian Bank have no cybersecurity at all, and the Paytm has no adequate cybersecurity either. They failed to secure my money. And now they are manipulating my case to avoid refunding my money or collect it from those cybercriminals. They aren’t registering the case with the police.
Paytm and SBI provided incorrect information, and I have some questions for them:
1. How was my account unblocked and a new VPA chxxxxx@boi created?
2. Is @boi the right suffix for SBI VPA?
3. Could some of the authorities of the SBI and Indian Bank involved in these unauthorised transactions, has there been any investigation regarding this?
4. Every transaction was operated in the cybercriminals’ devices, but the banks didn’t inform me about any activity. Why?
5. I got SMS for only five of the 12 transactions, including the one reversed by SBI. Why didn’t I receive SMS for seven other transactions? Not a single SMS had any link to report in case of an unauthorised transaction.
6. Did Paytm and the banks, SBI and Indian Bank verify identity, address and KYC documents of the cybercriminals involved in these unauthorised UPI transactions?
7. How did the Google Pay UPI PIN make unauthorised transactions successful through BHIM SBI Pay?
8. From which BHIM SBI Pay they made unauthorised UPI transactions?
In such cases, the concerned banks escape easily, the loopholes in their operation and security systems are responsible for making such scams successful. Whenever an unauthorised person logs in or starts transactions on their devices, the bank must prompt the account holders about the device from which someone is logging in or starting transactions. Only after confirmation by the account holder, proceedings should continue. Law enforcement officers must investigate the concerned banks and e-wallet companies like Paytm and Mobikwik. None should be spared.
These cybercriminals have victimised common men to MLAs, MPs and top celebrities. In August this year, Patiala MP Smt. Preneet Kaur was defrauded of 23 lakh rupees. The Police/cyber police have resolved these cases successfully or tried their best to solve them, but in my case, it wasn’t even registered. Why did the police take my case for granted? My case should have been registered, at least an FIR should have been filed at the nearest police outpost to unearth the cybercriminals, and to make either the banks/Paytm and other e-wallet companies or the cybercriminals to refund my hard-earned money!