Fraud Alert: Social Media Outreach for Customer Support can get you Scammed

MediaNama, February 06, 2023

January 11, 2023 was a disappointing day for Danish Khan. A call meant to resolve his minor complaint with Paytm turned into a hellish conversation with a scammer who stole all his Paytm balance. Relaying the entire incident to MediaNama, the digital marketing executive said he was unsure what was worse – that he lost his money to a scammer or that he still doesn’t know how to contact Paytm customer care.

A scam as old as time

For days, Danish had been trying to confirm an online payment that had failed to show up in his Paytm transaction history. Although his bank assured him the transaction was carried out properly, Khan still wanted to speak to the payment platform’s customer care – a human rather than a machine. However, he soon realised that speaking to a Paytm employee was easier said than done.

So, what did he do? What any person with social media access does nowadays: he took to Twitter to voice his grievance. Khan tagged both the verified company Twitter account and its customer care and asked for help. Finally, one account bearing Paytm’s logo and name replied the following to his tweet:

Readers should note that in the above picture, while the account had the Paytm logo as its profile picture, the username had nothing to do with the company. It is generally advised not to respond to such accounts with dubious usernames. Khan told MediaNama that he too generally kept away from such accounts, but in his eagerness to speak to someone he missed the red flags.

Instead, he called the number and willingly shared his OTP details with the person on the other end. The result? Khan realised the person had changed his Paytm code and in due course deducted all of the ₹4,000-₹5,000 balance he had in his account.

“The [alleged] customer care person told me the issue was being resolved. He deducted the money in small ₹1,000 transactions and threatened me of time constraints when I complained,” Khan said.

After taking all of Khan’s money, the scammer hung up only to call back later claiming to be with the Paytm manager. This alleged manager then asked Khan to open a post-paid account but Khan refused. Later, Khan noticed that the account had sent similar messages to multiple customer complaints on Twitter.

The plague of online scams: Khan found little solace in the fact that there were many like him who lost money due to similar scams. While looking at “How To” YouTube videos for getting his money back, Khan noticed many people claiming to have lost anywhere between ₹8,000 and ₹26,000. In fact, conversations with experts show that such customer care scams have been on the rise, especially in post-Covid-19 times, and not just in Paytm’s name.

Even Khan’s second cry for help on Twitter attracted more such online criminals.

Should companies be held responsible?

Nowadays, Khan is coordinating with the local Cyber Cell department trying to get his money back. While Khan blamed himself for sharing the OTPs, he criticised the payments platform for failing to provide proper customer care support. Khan had tried to contact Paytm again after the scam but as per procedure he had to “collect the transaction token” to contact customer support. Moreover, he said the company’s policy also states that “Paytm is not responsible” in case of such scams.

“My question is only this: does Paytm have absolutely no responsibility if its customers are being duped like this?” asked Khan.

Paytm does NOT ask for OTP: When asked for a comment, Paytm in a statement to MediaNama said, “We wanted to share that Paytm never asks for an OTP from the consumer. In order to report a scam or fraud incident, basic authentication is required before a grievance can be registered. Customers may opt for either an OTP-based authentication or a passcode, previously set by the user, before speaking to our customer care agent to register their complaint.”

Further, the company also talked about the Paytm Payment Protect, a group insurance plan that safeguards its users against cyber frauds. Users can secure themselves against fraud transactions of minimum ₹10,000. It is unclear whether someone who has gone through the same experience as Khan can avail this insurance.

MediaNama questions that Paytm did not respond to:

  • What is Paytm’s typical approach in case a customer is a victim of scamming?
  • How does one voice grievances to Paytm to get a person instead of an AI?
  • Does Paytm offer any help to a customer scammed in such a manner?

Countering online scams: A riddle for entities and regulators alike

According to Amol Kulkarni, Director (Research) at Consumer Unity and Trust Society (CUTS International), complaints and concerns about such fake customer care numbers have increased in recent times. It’s not only limited to social media but even searches on Google can unearth a lot of fake numbers posing as customer support, said Kulkarni. These imposters then warned customers of account deactivation or in Khan’s case of time constraints to take their money or information. Kulkarni called them “social engineering frauds” or phishing.

In line with Khan’s questioning on company responsibility, Kulkarni argued that all companies stand to benefit by spending resources to inform consumers about official channels of communication. Similarly, companies should raise awareness and be alert themselves of malicious and fake accounts.

“We [CUTS International] think a company’s credibility is at stake [if they don’t take responsibility] because one bad experience for consumers will or is likely to shift them to other service providers,” he said.

Companies and platforms must work together: Kulkarni agreed that the problem of fake accounts on social media or any similar platform is a “whac-a-mole issue.” A company may take down one fraudulent account only to have more popping up somewhere else. To counter this, he called for a collective responsibility of companies AND civil society organisations, consumer organizations, consumers themselves and regulators to watch out for and ward off fraudulent accounts.

He suggested that regulators and other entities should take a step forward not only to monitor customer complaints but also monitor fake accounts with proper principles and standard guidelines. Kulkarni appears to have a point.

On December 12, 2022, Twitter took down all the inactive and unused Twitter accounts/ Twitter bots from its platform, as per an India Today report. Although Twitter users seemed unsure about the move’s impact, it proved that the platform too is tired of this bot issue. Elon Musk, Twitter CEO, himself had tweeted on December 11, 2022 that “the bots would be in for a surprise.”

Similarly, Paytm took India’s major telecom companies to court in 2020 and accused them of “not doing enough to block fraudsters” carrying out phishing activities under Paytm’s name. Of course, at the time, the problem was of SMS-based scams and not fake customer support accounts. However, the company’s willingness to go to the Delhi High Court does indicate that it also wants such issues resolved. Paytm, speaking to MediaNama, said that the company had also established a fraud prevention action cell, but why it never contacted Khan remains a mystery.

Curious to know Twitter’s take, MediaNama sent the following queries to the company:

  • What security safeguards does Twitter have against such fake customer care accounts?
  • Since Elon Musk has also complained about such bots/ scam accounts in the past, have any new safeguards been introduced since Musk took over?
  • How can a person identify an authentic customer support account on Twitter?
  • Other than the “Official” tag and the blue tick marks, is Twitter employing any measure to authenticate accounts of aggregate platforms like Paytm, Ola, Uber, Swiggy, Zomato, etc.?
  • Why aren’t accounts flagged as scam accounts or fake customer care accounts deleted or blocked by Twitter?

However, Twitter declined to answer these questions. Still, it makes sense for regulators and entities to work together to address this problem. And yet, the government has taken a completely different approach of user verification.

What is user verification?

User verification is a process by which the entity controlling an online platform can verify the identity of the person using an account by checking official documents. For example, in the Digital Personal Data Protection (DPDP) Bill, 2022, data collectors are supposed to carry out age verification for children. Similarly, the Telecom Regulatory Authority of India (TRAI) has come up with a framework to establish a caller name system for all numbers by asking people to share their KYC details.

So what’s the issue with user verification? To put it simply, there’s no guarantee that such a process will help with issues of scamming. The telecom industry welcomed the KYC verification hoping to address this exact issue. And yet, we now hear of the government using facial recognition to deal with the issue of fake SIM cards.

Kulkarni had this to say on the topic, “I think there are a few issues when it comes to customer verification. Firstly, what is it that you are verifying? Verifying is basically if a person is saying that I am Mr. X and there are documents or a number is registered in his name in terms of reducing frauds. It doesn’t show [whether] that person is or is not linked to any other company or not.”

He pointed out that mobile numbers can also be changed and deactivated after verification. As such he doubted the efficacy of such a solution.

“Secondly, I think mandatory verification is something which is a one-size-fits-all approach and there could be several genuine accounts which for several reasons would not like to verify themselves,” he said, voicing a longstanding debate on user verification.

Looking at the flipside: Company verification

On the other hand, verification of company accounts has greatly helped consumers. When Mayank Aggarwal, an independent journalist, dealt with Ola’s “cooked up charges,” he was at the very least satisfied that he was dealing with actual employees of the company.

For the better part of last year, Aggarwal and his mother were struggling to reason with Ola’s customer care support. The platform officials claimed that his mother, who has always used cash as a mode of payment, had switched to online payments. Further, they claimed the mother had defaulted on many such transactions. After arguing with Aggarwal, the calls stopped for a while.

“Then a little while later, they [Ola officials] started sharing very funny messages saying a person will reach your [his mother’s] residential address with legal notice today, any time before 12:00 PM,” said the journalist.

The messages talked of a legal notice wherein Aggarwal’s mother would be penalised under Section 420 (cheating), which is a cognisable, non-bailable offence. The message even threatened to contact the mother’s neighbours if they could not find her at home.

“This is funny. This is extremely funny. The kind of system that they are pursuing and this is not a civil one. I sent a proper complaint that I even shared to the company via email a couple of months ago for which I had received no reply,” said Aggarwal.

When the company did take note of Aggarwal’s complaint, he noticed a stark difference in the customer care’s behaviour. Afterwards, he noticed officials were “very good, polite and understanding. They solved the issue within days.”

However, what shocked Aggarwal the most was that some of the messages sent by Ola during this entire incident came from private numbers.

“Why was my mother’s number shared with someone else? How can somebody from their private number message my mother on WhatsApp saying all this? If the messages were officially from Ola, I can understand. But how can somebody else get those details and send such threatening messages? How dare such details can be shared with anyone and they can then send such messages?” he asked.

MediaNama’s take: Online scammers are often trained to speak in a professional manner, like customer care support. While most readers may blame Khan for not picking up on the fake Paytm account’s questionable moves, Aggarwal’s account shows that company officials too behave in a dubious manner.

At the end of the day, both Khan and Aggarwal’s mother were unsure about which message or official to trust and which to doubt. The only difference was that the mother had the help of her son, a journalist who has more experience dealing with such confrontational settings. This shows that companies need to make customer support more transparent and accessible for customers.

Kulkarni had said that there is a lot of potential for platforms like Twitter to be a “force for good” by helping consumers voice their complaints and have them resolved. If stakeholders also took note of this, platforms can help improve customer experience rather than simply detecting fake customer care accounts. But for this, platforms and companies must work together.

For now, Khan’s and Aggarwal’s accounts highlight that while verification may to some extent help ease customer uncertainty, what is more likely to reduce phishing scams is an easier and more direct method for people to contact companies’ customer care support.
