Introduction
As the world of digital payments evolves, so do fraudulent tactics. Fraudsters no longer rely on large-ticket scams and brute-force attacks. Instead, they focus on getting past traditional detection thresholds, taking full advantage of speed, user habits, and technological blind spots.
Financial institutions have realised that relying on surface-level transaction filters or rule-based monitoring will no longer safeguard their institutions. They need more robust and proactive techniques for risk management in digital banking and payments. The future of fraud prevention lies in detecting unusual behaviour patterns and risk anomalies that standard systems often overlook.
This blog discusses the seven unusual risk indicators that financial institutions need to be aware of.
7 Unusual Risk Indicators in Digital Payments
Although digital payment fraud takes different forms, payment fraud analytics points to seven unusual risk indicators that help recognise it.

1. Trusted Devices Exhibiting Anomalous Behavior
One of the latest and most successful strategies used by fraudsters is taking advantage of trusted devices. Many fraudsters target legitimate devices and exploit the transaction privileges those devices already hold. A compromised device may continue to operate within expected locations while executing unauthorised actions in the background.
Top Risk Signs to look for
- When there are sudden usage spikes from a previously low-activity device.
- Suspicious activity such as accessing new services and transactions, and initiating payments to multiple unknown users in unusual amounts.
- Unusual login timing, which does not correlate with the usual or past user pattern.
Action Point
Implement behavioural analytics, as fraud risk management (FRM) solutions do, that track not just device ID but also usage cadence, feature access trends, and IP-location congruence.
Uncharacteristic Device Fingerprint Changes
- Explanation: Frequent or sudden shifts in device characteristics (OS version, browser type, installed software) associated with a single user account, especially for high-value transactions.
- Nuances: Consider legitimate reasons like device upgrades, but flag patterns of rapid, unexplained changes.
- Insight: Implement robust device fingerprinting and track historical patterns for individual users.
2. Low-Value Transaction Flooding (Micro Frauds)
Fraudsters have adapted to monitoring systems by launching high-frequency, low-value attacks that slip past limits and thresholds.
Example
Scammers run UPI transactions of 5–20 rupees across thousands of accounts, staying below alert limits while syphoning off lakhs cumulatively.
Key Risk Signs
- Clusters of small-value transfers to unknown accounts.
- Automated transaction bursts during night hours.
- Low-value Collect requests are being fulfilled unusually fast.
Action Point
Flag and investigate cumulative micro-spending behaviour instead of assessing individual transaction value in isolation.
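A sketch of cumulative micro-spend monitoring, added here as an illustration and not taken from any vendor's product: it aggregates low-value transfers per account over a sliding window instead of judging each amount alone. The thresholds, the tuple layout and the account names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; the article gives the 5-20 rupee range but no limits.
MICRO_MAX = 20.0              # ceiling for a "low-value" transfer, in rupees
WINDOW = timedelta(hours=1)   # sliding look-back window
MAX_TOTAL = 500.0             # cumulative micro-value that raises a flag
MAX_PARTIES = 10              # distinct counterparties that raise a flag


def flag_micro_flooding(transactions, group_by="payee"):
    """Return {account: (peak_total, peak_counterparties)} for accounts whose
    low-value transfers breach a cumulative limit within one window.

    transactions: iterable of (timestamp, payer, payee, amount), any order.
    group_by: "payee" detects fan-in to one account, "payer" detects fan-out.
    """
    windows = defaultdict(deque)  # account -> deque of (ts, counterparty, amount)
    totals = defaultdict(float)   # account -> sum of amounts currently in window
    flagged = {}
    for ts, payer, payee, amount in sorted(transactions):
        if amount > MICRO_MAX:
            continue              # larger payments belong to per-transaction rules
        account, other = (payee, payer) if group_by == "payee" else (payer, payee)
        win = windows[account]
        win.append((ts, other, amount))
        totals[account] += amount
        while ts - win[0][0] > WINDOW:       # evict entries older than the window
            totals[account] -= win.popleft()[2]
        parties = len({o for _, o, _ in win})
        if totals[account] > MAX_TOTAL or parties > MAX_PARTIES:
            peak = flagged.get(account, (0.0, 0))
            flagged[account] = (max(peak[0], totals[account]), max(peak[1], parties))
    return flagged


# Constructed sample: 40 payers each send Rs 15 to one account within 20 minutes,
# next to one ordinary user and one large payment that this rule ignores.
start = datetime(2024, 1, 1, 2, 0)
SAMPLE = [(start + timedelta(seconds=30 * i), f"user{i}@upi", "mule@upi", 15.0)
          for i in range(40)]
SAMPLE += [(start + timedelta(minutes=m), "alice@upi", "shop@upi", 10.0)
           for m in (1, 5, 9)]
SAMPLE.append((start, "bob@upi", "landlord@upi", 5000.0))

if __name__ == "__main__":
    print(flag_micro_flooding(SAMPLE))
```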
3. Geo-Velocity Spikes and Impossible Travel Events
A user accessing their account from Mumbai at 10:02 AM and Singapore at 10:07 AM isn’t teleporting. It’s a red flag.
Fraudulent actors often use compromised credentials from geographically scattered IP addresses. Legacy systems may flag location anomalies but often miss geo-velocity logic.
Key Risk Signs
- Sessions originating from multiple cities/countries within short time spans.
- Repeat login failures from distinct IPs followed by successful access.
Action Point
Introduce real-time geo-velocity checks combined with IP reputation scoring and session fingerprinting.
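The geo-velocity check described above, as an added example that is not part of the original article: it computes the great-circle distance between consecutive sessions of the same user and flags pairs whose implied speed is not physically plausible. The speed ceiling, the distance tolerance, the event layout and the user names are assumptions; the sample reuses the article's Mumbai and Singapore times.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0   # assumed ceiling, roughly a commercial flight
MIN_DISTANCE_KM = 50.0   # assumed tolerance for IP-geolocation error


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events):
    """Return (user, first_seen, next_seen, km, kmh) for consecutive sessions
    of one user that imply travel faster than MAX_SPEED_KMH.

    events: iterable of (user, timestamp, lat, lon), in any order.
    """
    alerts, last = [], {}
    for user, ts, lat, lon in sorted(events):
        prev = last.get(user)
        last[user] = (ts, lat, lon)
        if prev is None:
            continue
        km = haversine_km(prev[1], prev[2], lat, lon)
        if km < MIN_DISTANCE_KM:
            continue              # same metro area: treat as geolocation noise
        hours = (ts - prev[0]).total_seconds() / 3600
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > MAX_SPEED_KMH:
            alerts.append((user, prev[0], ts, round(km), kmh))
    return alerts


# Constructed sample events: (user, timestamp, latitude, longitude).
EVENTS = [
    ("asha", datetime(2024, 1, 1, 10, 2), 19.0760, 72.8777),   # Mumbai
    ("asha", datetime(2024, 1, 1, 10, 7), 1.3521, 103.8198),   # Singapore, 5 min later
    ("ravi", datetime(2024, 1, 1, 10, 0), 19.0760, 72.8777),   # Mumbai
    ("ravi", datetime(2024, 1, 1, 13, 0), 28.6139, 77.2090),   # Delhi, 3 h later
]

if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print(alert)
```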
4. Repeated Refund Requests or UPI ‘Collect’ Scams
The refund ecosystem is increasingly exploited through social engineering — fraudsters pose as customer service agents or claim mistaken transfers, then initiate UPI Collect requests masked as refunds.
Key Risk Signs
- Repeated refund activity from the same user within a short window.
- UPI Collect requests with vague or emotionally charged descriptions (e.g., “urgent refund” or “payment return”).
- Victims are confirming incoming requests instead of making outbound payments.
Action Point
Equip your system to evaluate Collect Requests contextually — looking at request frequency, beneficiary behaviour, and refund abuse patterns.
5. Aggressive Account Linking or Delinking Activity
When multiple payment instruments are added or removed in quick succession, it may indicate preparation for an attack or laundering attempt.
Key Risk Signs
- Several UPI IDs were linked or delinked in under an hour.
- Sudden surge in linking of new cards, wallets, or beneficiaries.
- Identity mismatch between newly linked accounts and verified user data.
Action Point
Apply velocity rules and linkage behavioural analysis to flag bulk linking within short timeframes.
6. SIM Swap Without Session Disruption
Fraudsters often perform a SIM swap to hijack a user’s mobile number, enabling OTP interception and account takeover. But if this occurs without interrupting the ongoing session, it suggests sophisticated malware or session hijacking.
Key Risk Signs
- SIM changes were reported by telecom providers, but no user logouts were observed.
- The device fingerprint is unchanged, but new mobile number usage was detected.
- OTP delivery failure or duplicate delivery triggers.
Action Point
Monitor telco integration feeds (like MNRL) and correlate with session continuity to catch invisible takeover attempts.
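One way to correlate SIM-change notifications with session continuity, added here as an example rather than taken from the article or any product: a session that was open before the SIM change, stayed active after it, and was never re-verified is the "no session disruption" case. The feed layout, field names and placeholder numbers are assumptions, and the sample data is constructed.

```python
from datetime import datetime


def sessions_surviving_sim_change(sim_changes, sessions):
    """Return (session_id, msisdn, changed_at) for sessions that were open
    before a SIM change, stayed active after it, and were never re-verified.

    sim_changes: iterable of (msisdn, changed_at) taken from a telco feed.
    sessions: iterable of dicts with id, msisdn, started, last_seen and
              reauth_at (None when no step-up authentication happened).
    """
    changes = {}
    for msisdn, changed_at in sim_changes:
        changes.setdefault(msisdn, []).append(changed_at)

    hits = []
    for s in sessions:
        for changed_at in sorted(changes.get(s["msisdn"], ())):
            spans_change = s["started"] < changed_at <= s["last_seen"]
            reverified = s["reauth_at"] is not None and s["reauth_at"] >= changed_at
            if spans_change and not reverified:
                hits.append((s["id"], s["msisdn"], changed_at))
                break             # one alert per session is enough
    return hits


def at(hour, minute):
    """Helper for the constructed sample timestamps below."""
    return datetime(2024, 1, 1, hour, minute)


# Constructed sample data; numbers are placeholders, not real subscribers.
SIM_CHANGES = [("+91-PLACEHOLDER-1", at(11, 0)), ("+91-PLACEHOLDER-2", at(11, 0))]
SESSIONS = [
    # Active across the change with no re-authentication: flagged.
    {"id": "s1", "msisdn": "+91-PLACEHOLDER-1", "started": at(10, 0),
     "last_seen": at(11, 30), "reauth_at": None},
    # Spans the change but passed step-up authentication afterwards: not flagged.
    {"id": "s2", "msisdn": "+91-PLACEHOLDER-2", "started": at(10, 0),
     "last_seen": at(11, 30), "reauth_at": at(11, 5)},
    # Ended before the change: not flagged.
    {"id": "s3", "msisdn": "+91-PLACEHOLDER-1", "started": at(8, 0),
     "last_seen": at(9, 0), "reauth_at": None},
    # Number with no SIM change in the feed: not flagged.
    {"id": "s4", "msisdn": "+91-PLACEHOLDER-3", "started": at(10, 0),
     "last_seen": at(12, 0), "reauth_at": None},
]

if __name__ == "__main__":
    print(sessions_surviving_sim_change(SIM_CHANGES, SESSIONS))
```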
7. Behavioral Drift: Gradual Changes Over Time
Unlike typical fraud markers that spike suddenly, behavioural drift is the slow deviation from historical norms, often missed unless longitudinal data is analysed.
Example
A user known for bill payments and small UPI transfers suddenly initiates merchant payouts and adds foreign beneficiaries.
Key Risk Signs
- Payment amounts and frequency are subtly increasing week over week.
- Change in transaction types and preferred channels.
- Usage of new devices, locations, or time slots over several weeks.
Action Point
Leverage machine learning-based behavioural modelling to track user habits over time and identify gradual deviations.
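An added illustration of why drift escapes spike rules, not code from the article: it uses a simple fixed-baseline ratio as a stand-in for the machine learning model recommended above, and compares it with a week-over-week spike rule on the same history. All thresholds and the weekly figures are constructed assumptions.

```python
from statistics import mean

# Assumed thresholds for illustration; the article specifies none.
SPIKE_RATIO = 1.5      # week-over-week jump a sudden-spike rule would catch
DRIFT_RATIO = 1.8      # recent level vs. frozen baseline that counts as drift
BASELINE_WEEKS = 4     # oldest weeks form the user's historical norm
RECENT_WEEKS = 2       # newest weeks are compared against that norm


def spike_weeks(series):
    """Indexes of weeks that jump by SPIKE_RATIO over the previous week."""
    return [i for i in range(1, len(series))
            if series[i - 1] > 0 and series[i] / series[i - 1] >= SPIKE_RATIO]


def drift_ratio(series):
    """Mean of the most recent weeks divided by the mean of the baseline weeks."""
    if len(series) < BASELINE_WEEKS + RECENT_WEEKS:
        raise ValueError("not enough history to separate baseline from recent weeks")
    base = mean(series[:BASELINE_WEEKS])
    return mean(series[-RECENT_WEEKS:]) / base if base else float("inf")


def assess_user(weekly):
    """weekly: list of (total_amount, txn_count) per week, oldest first.
    Returns which features drifted and which tripped the spike rule."""
    features = {"amount": [w[0] for w in weekly], "count": [w[1] for w in weekly]}
    drifted = sorted(f for f, s in features.items() if drift_ratio(s) >= DRIFT_RATIO)
    spiked = sorted(f for f, s in features.items() if spike_weeks(s))
    return {"drifted": drifted, "spiked": spiked}


# Constructed histories: (weekly total in rupees, weekly transaction count).
GRADUAL = [(1000, 10), (1050, 11), (980, 10), (1020, 10), (1150, 11),
           (1300, 12), (1480, 13), (1700, 14), (1950, 15), (2250, 16)]
STABLE = [(1000, 10)] * 10
SPIKE = [(1000, 10)] * 6 + [(3000, 10)] + [(1000, 10)] * 3

if __name__ == "__main__":
    for name, history in (("gradual", GRADUAL), ("stable", STABLE), ("spike", SPIKE)):
        print(name, assess_user(history))
```

In the gradual history no single week grows by more than about 15%, so the spike rule stays silent while the baseline comparison reports the amount feature at roughly twice its historical level.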
Protect with BANKiQ
Fighting digital payment fraud isn’t just about technology; it’s about understanding the patterns, people, and risks behind every transaction. With over five years of hands-on experience, BANKiQ has become a trusted partner for financial institutions looking to stay one step ahead of evolving threats.
What sets BANKiQ apart is its ability to go beyond standard fraud detection. Using advanced AI, machine learning, and smart analytics, it learns how your customers and teams typically behave, so when something feels off, it doesn’t go unnoticed. That’s how BANKiQ helps you spot fraud faster, act sooner, and protect what matters most: trust.
Final Thoughts
Financial institutions that rely solely on static rules or traditional fraud typologies risk falling behind. The modern threat landscape requires adaptive monitoring, behavioural analytics, and proactive risk scoring based on contextual signals, not just isolated events. By adopting advanced fraud risk management solutions and taking the measures mentioned above, financial institutions can successfully avoid financial fraud in this digital payment era.