We all get One Time Passwords (OTPs) and other confidential bank information on the mobile numbers linked to our bank accounts. Banks and other financial institutions, as well as e-wallet companies, regularly warn customers not to share these mobile OTPs with others, not to disclose personal details to anyone on the pretext of mobile KYC, and to keep mobile numbers updated with banks for SMS alerts of all transactions.
Customers need to be on their guard constantly because scammers keep developing new tools and techniques to dupe innocent citizens. An addition to the list is SMS spoofing. It is a technique wherein the sender’s information is altered in the SMS text, which allows one to send an SMS while impersonating another identity. In simple words, an SMS spoof is one where the sender’s name and mobile number are changed so that the sender appears to be someone they are not.
In our case, i.e. banking, the sender ID is usually changed to make the SMS appear to be a legitimate, genuine message from a bank.
How SMS spoofing works
The fraudster will send you an SMS and ask you to forward it to a specific number from your registered bank mobile number. Once you forward the SMS, the scammer is able to link/register your mobile number with UPI on his smartphone.
He may subsequently call you to ask for account-related details like the debit card number, ATM card PIN, expiry date of the debit card and OTPs if needed. Obtaining these credentials allows him to create a Mobile Banking Personal Identification Number, or MPIN, for your account registered on his device. This MPIN will later be used to authenticate transactions from the bank account.
In some cases, the scamster may send a ‘Collect request’ to your UPI ID and ask you to approve the request. This is usually done on the pretext of offering refunds. Falling for the bait, one may authenticate the transaction and end up losing money.