It is not uncommon for fraudsters to develop innovative tactics to deceive their targets, with one of the latest scams being the called merging scam in which the scammers attempt to gain unauthorized access to the victim's accounts to defraud them. In many cases, the victims suffer substantial financial losses due to this scheme.
There has been a warning issued by the Indian authorities in regards to a new scam that involves individuals being manipulated into merging their calls by scammers, who then subsequently reveal One-Time Passwords (OTPs) unknowingly. Using this deceptive tactic, fraudsters can gain access to victims' financial accounts, which will enable them to carry out fraudulent activities.
NPCI's Unified Payments Interface (UPI), an initiative that was developed by the National Payments Corporation of India (NPCI), has expressed concern about this emerging threat. As a precautionary measure, UPI cautioned users on its X account of the risks involved in call merging scams and stressed that call merging scams pose a serious threat to users.
As part of the advisory, individuals were advised to remain vigilant, stating, Fraudsters are using call merging tactics to deceive users into giving out OTPs. As part of its role to oversee the Unified Payments Interface (UPI), NPCI has expressed significant concerns about the growing cyber fraud epidemic.
The goal of social engineering scammers is to deceive unsuspecting victims into disclosing their sensitive banking credentials to take control of the situation.
In most cases, the scam begins with the fraudster contacting the target, falsely claiming to have obtained their phone number through a mutual acquaintance.
The fraudster will then try to convince the target to combine the call with a similar call from a different number.
It is true that in this second call, the victim is being connected to an official OTP verification call from their bank. Therefore, the victim does not know they are being deceived, and unwittingly allows someone to access their banking details.
It uses social engineering techniques to manipulate individuals to unknowingly divulge their One-Time Password (OTP), an important security feature used for financial transactions, through their manipulation techniques.
It is quite common for victims to receive a phone call from a trusted source offering lucrative opportunities or a message from one of their trusted contacts recommending what seems a beneficial scheme to them.
A significant security risk can be posed by engaging with such communications without due diligence as a result of the growing prevalence of such fraud activities. As a result, financial institutions and regulatory agencies are cautioning individuals to remain vigilant when receiving unexpected phone calls and to refrain from sharing OTPs or merging calls without verifying the identity of the callers before doing so.
It has become increasingly common for these frauds to occur, and so the Unified Payments Interface (UPI) has issued an urgent advisory that warns users about the dangers of call merging scams. To avoid being victimized by such deceptive tactics, individuals need to be vigilant and take strict security measures to protect their financial information.
There is a deceptive technique known as the Call Merging Scam, which is used by fraudsters to trick people into divulging sensitive information such as One-Time Passwords (OTPs), unknowingly. In this manner, scammers can gain unauthorized access to victims' bank accounts and other secured platforms by exploiting this technique to commit financial fraud on the victims.
Modus Operandi of the Scam
It is quite common for fraudsters to make deceptive telephone calls, falsely stating that they have obtained the recipient's phone number from an acquaintance or source that is reliable.
There are many scams out there that involve victims being persuaded to merge calls with another individual. This is often accomplished by presenting another individual as a friend or a bank representative, depending on the scam.
There is an automatic OTP verification call that they will be connected to without their knowledge. The automated call will direct them to a bank site that activates a mobile OTP verification system for verification.
As a scammer, the victim is deceitfully manipulated into believing that sharing the OTP for their financial accounts to be accessed is necessary because sharing it is required for authentication.
Preventive Measures to Safeguard Against Fraud
To avoid the merging of calls between unknown callers, decline the request right away. Be careful about authenticating the identity of a caller: Whenever users receive an email from someone who claims to represent a financial institution, they should contact the bank directly through their official customer support phone number. Recognize Fraudulent Requests: Banks never ask customers for an OTP over the phone.
A request of this nature should be viewed as an indication of a potential fraud and reported promptly. Ift an unsolicited OTP or suspected fraudulent activity occurs, individuals should notify their bank immediately and call 1930 (the national cybercrime helpline), so the incident can be investigated further.
Considering the increasing number of scams like these, it has become imperative that one remains vigilant and adopts strict security practices as a precautionary measure to avoid financial loss. Many viral videos and discussions on social media emphasize a single aspect of fraudulent transactions — receiving an OTP via a merged call as opposed to a text message.
Despite this, they often overlook the important point: an OTP is not sufficient for authorization of a transaction by itself. A fraudster needs to obtain essential banking details such as a card number, a card verification value, or a UPI Personal Identification Number (PIN) before he or she can use an OTP as a final step in committing an unauthorized transaction.
To mitigate such risks, the Reserve Bank of India (RBI) has implemented strict security protocols to minimize them.
To complete electronic transactions, financial institutions and payment service providers must implement multi-factor authentication (MFA) as of 2021 so that user authentication can be verified by more than one factor. This level of protection is achieved by implementing multiple authentication measures in combination with a combination of vital characteristics, including OTP verification, mobile device authentication, biometric identification, and hardware security tokens, which together provide a high level of security against unauthorized access.
Digital transactions are typically protected by multiple layers of security, each requiring a combination of authentication factors to ensure their integrity. There are three types of authentication: manual, which includes everything the user possesses, such as their credentials, card numbers, and UPI IDs; known, such as their password, CVV, or PIN; and dynamic, such as their OTP, biometric authentication, or device authentication.
To achieve the highest level of security, all three levels are necessary for most online banking and card transactions. However, a UPI transaction with a value up to a lakh does not require an OTP and can be authorized with only a UPI ID and PIN, without the need for an OTP. As a result of this multi-layered approach, financial fraud risks are greatly reduced and the security of digital payments is greatly strengthened.
