Google launched Google Pay as Google Tez in India back in September 2017, building heavily on the government's Unified Payments Interface (UPI) platform for mobile-based banking transactions. Despite being late to the market, Google Tez gained 7.5 million users in the country within five weeks of its launch. The service was eventually renamed to Google Pay last year, and it has continued growing in popularity because of its ease of use. However, that same ease of use has also given scammers some interesting ways to cheat people out of their money, which is why Google has now introduced features such as notifications and SMS alerts to further reduce scams.

One of the highlight features of the UPI platform is the ability not only to send money, but also to send "collect" requests to receive payments. This functionality has been widely abused across different payment services such as Google Pay, PhonePe and others. Speaking from personal anecdote, scammers have figured out a modus operandi where the initial promise made to a stranger on the other end is to pay them money, but through clever confusion, the scammer sends a collect request instead of a pay request. The user then inadvertently approves it, helped along by UX design on the payment service that does not make the direction of the transaction obvious.

For example, suppose a person (seller) wants to sell their phone, and to do so, they post a listing on a selling platform. The seller then receives an offer from an interested stranger (buyer), and a meetup for handing over the phone is arranged. Right before the meetup, the buyer frantically calls the seller and insists on paying through a UPI-based app, using creative excuses. The buyer further insists on transferring the money right then, and asks the seller to accept the request so as to receive the money in the bank account linked to the app. The seller accepts the request while staying on the call. But instead of receiving money, the seller ends up transferring their own money to the buyer (scammer), because the scammer had not sent a pay request but a collect request, and approving a collect request authorizes a debit from the approver's own account. The elements of surprise, haste and confusion, along with poor UI decisions such as not differentiating clearly enough between a pay request and a collect request, allow the scammer to successfully defraud oblivious targets. This is not merely a theoretical scam; such incidents have been widely reported.

Google has recognized the nuisance of these scams, and has consequently put in place several measures that should make these, and other frauds in general, harder to orchestrate. The Google Pay app uses Google's SafetyNet attestation API, which prevents it from running on devices that have a higher risk of being compromised, such as rooted or tampered devices. The app uses a PIN entry screen to limit unauthorized access. It also prevents "known bad actors" from recreating their accounts on the app. If a user receives a collect request from someone suspicious or not in their contacts, the app displays a prominent "stranger" warning.

In order to make collect requests even more prominent, Google has now introduced new notifications as well as SMS alerts that clarify the direction in which money will flow. Both the notification and the SMS highlight the fact that approving the request will deduct money from the user's bank account, rather than credit it.

The very ability to send collect requests and have them accepted in such a simple manner appears to be a flaw in the platform. The liabilities that arise from this type of request appear to be substantially greater than its practical use. We hope that this design flaw is rectified in the future.


Source: Google