The next phase of fraud prevention in India’s fintech ecosystem
Let's discuss the kind of fraud that has gone unaddressed in public conversations for far too long.
A customer's bank account gets wiped out, and they didn't do anything wrong. They didn't click a sketchy link, they didn't share an OTP, and they didn't get smooth-talked by a fake customer care rep. Their phone just made the transfers in the background while they were asleep or busy. By the time they check their balance, the money has bounced through five transit accounts and disappeared.
This isn't some rare edge case anymore. It is quickly becoming the dominant fraud pattern in Indian digital payments.
We rightly celebrate our payments infrastructure. Processing over 16 billion UPI transactions a month is incredible. But the flip side is getting ugly. In 2025 alone, Indians lost over Rs 22,495 crore to cybercrime across 28.15 lakh reported cases. Just looking at UPI, we saw over 12.64 lakh incidents in FY25. And honestly, knowing how many victims just write off the loss without ever filing a police complaint, those numbers are definitely just the baseline.
The fraud we can't see
The biggest shift isn't the sheer volume of fraud but how invisible the attacks have become.
It usually starts with a totally normal-looking notification about a traffic challan or a delivery update. The user clicks it, and a sideloaded APK installs in the blink of an eye. Suddenly, there's an invisible overlay sitting right on top of their banking app, silently recording their keystrokes. Or a remote access trojan just hangs out in the background until the user puts the phone down, at which point it wakes up and fires the transaction.
Researchers are now seeing organised groups in India distributing plug-and-play toolkits built specifically for this. They run coordinated scripts and constantly share notes on what gets flagged by banks and what slips through. One network recently tracked by researchers pushed through Rs 25-30 lakh in just 48 hours. NPCI has definitely stepped up by putting out advisories and enforcing mandatory security frameworks for payment apps, but the bad guys are adapting incredibly fast.
They know our systems better than we do
One of the hardest pills to swallow is that the fraudsters usually know our platforms' security controls better than the engineering teams who built them.
They poke around our apps constantly. They map out exactly what triggers a friction point and what doesn't, and they share that intel across borders. Home Ministry data shows that over half the cyber fraud hitting India in 2025 was run by highly organized, well-resourced syndicates out of Southeast Asia.
Doing a VAPT (Vulnerability Assessment and Penetration Testing) twice a year just doesn't cut it anymore. A compliance audit only tells you if you were secure last Tuesday. The attackers are running their own unofficial penetration tests on us every single hour. If your defenses are static, you are basically a sitting duck.
Security as a posture instead of a project
What this means is that a control architecture built today might be completely obsolete in 18 months. Security can't be a quarterly project; it has to be a permanent operating posture.
You have to treat prevention and detection as equally critical. Stopping the fraud is obviously the goal, but catching it instantly when it inevitably slips through is what saves the balance sheet. This requires actual internal discipline. You need ethical hackers actively trying to break your own systems, not just running checklists. If you haven't reviewed a specific security rule in a year, an attacker is most likely already exploiting it.
Obviously, there is a very real business tension here. Crank the security too high, and the friction frustrates legitimate users into leaving. Keep it too loose, and you bleed money. Gone are the days when this was just a tech or security problem; calibrating this balance and constantly adjusting it as the threat evolves is a core business strategy now. At the scale Indian fintech operates, growth and security aren't mutually exclusive. They have to be engineered together.
We have built a digital infrastructure the whole world envies. But keeping the public's trust in that system means we have to be as relentless as the people trying to break it. The attackers aren't taking weekends off, and neither can we.
Aby George Eapen, Director – Risk, Navi
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)