Digital payments in India have seen explosive growth over the past decade. From buying groceries to paying utility bills, what once required a wallet and a trip to the store can now be done with a few taps on a phone. Over this period, annual digital transactions grew to more than 18,000 crore—an over 80-fold increase between FY 2013–14 and FY 2023–24.

But as adoption has soared, so has fraud.

In just the last year, fraud losses linked to digital payments reached ₹1,457 crore, and UPI fraud cases nearly doubled to 13.4 lakh, according to the Reserve Bank of India. They aren’t just isolated incidents. They’re happening every day—quietly, quickly, and often without warning.

For businesses and payment platforms, reacting after the fact is no longer enough. Fraud needs to be stopped in real time, ideally before a transaction is even completed.

Fraud prevention, at its core, should be approached across three essential layers — each playing a distinct role in reducing risks:

  1. User awareness, to help individuals recognise and avoid scams.
  2. Real-time prevention, to detect and stop fraud as it’s happening.
  3. Post-incident response, to report cases and attempt recovery when needed.

While awareness is essential, it isn’t always enough. Post-incident responses are often too late—the money is gone, and the damage is done. That’s why the most meaningful impact comes from prevention that happens in real time.

That’s where RiskShield comes in—our real-time fraud prevention system, built to detect and stop threats as they happen, at scale.

In Part 1 of this series, we unpacked the tactics, tools, and fraudster archetypes shaping today’s threat landscape. In this second part, we take you inside RiskShield, and show how we’re turning defence into offence.

The Engine Powering RiskShield

RiskShield is a real-time transaction screening system that leverages both rule-based and machine learning-based approaches. 

At Cashfree Payments, every transaction is evaluated by RiskShield, which calculates a risk score. Based on this score, the transaction is processed, blocked, or flagged for review by our merchants.

It is built with the following considerations in mind:

  • Highly scalable solution to handle the peak demand of up to 12,000 transaction screenings per second
  • A system that can screen transactions in real-time as they occur, detect and prevent fraud before the transaction is completed
  • Flexible and customisable to handle the different fraud scenarios

We have developed an in-house rule engine designed to execute complex rules efficiently. Unlike off-the-shelf rule engines, it gives us complete flexibility to fine-tune it to handle evolving fraud patterns. 

This rule engine supports complex aggregations involving multiple markers from device data intelligence, geolocations, and other metadata. Our ML model, which runs alongside the rule engine, helps us identify anomalies in transaction behaviour.

Different Signals Used in RiskShield

Known Fraudsters Dataset

We maintain a curated list of known fraudsters identified through various channels, including regulators. The dataset covers entities such as email, phone, IP address, UPI handle, bank account number, and card. We have also extended this capability to our merchants, who can maintain their own lists. Every transaction is screened against both Cashfree’s curated master list and the merchant-specific list.

Phone and Email Intelligence

With our phone and email intelligence system, we identify whether a customer’s phone number or email is temporary or disposable or has been used for spamming, and we assess attributes like its age and reliability.

Device Intelligence

With our in-house device intelligence system, we extract only essential device properties, ensuring user privacy while providing sufficient data for preventing fraud. This information is then leveraged to calculate the device score effectively.

GeoLocation and IP details

With GeoLocation and IP data, we identify countries, cities, and other locations and allow our merchants to block specific countries, regions, or any particular type of proxy with high fraud rates.

Anomaly Detection Using Machine Learning

Our machine learning models use advanced anomaly detection algorithms to accurately predict the probability of a transaction being fraudulent and provide human-readable reasons for explainability. The models work on multiple signals across different categories, like transaction volume, frequency, user properties, device properties, etc., along with post-processing checks to ensure minimal false positives. They also use feedback to autotune the features and thresholds.

Smart Rules Using an Aggregation System

A real-time aggregation system helps with supporting complex rules, including the velocity checks that run during the transaction screening. Examples: 

  • If a transaction originates from a single payment instrument and is associated with more than X distinct mobile numbers or devices within a Y time interval, then block further transactions.
  • If the aggregated transaction value associated with a single UPI handle or phone number surpasses the threshold of Rs X within a Y time interval, then block further transactions.

These rules are dynamically selected based on the merchant’s line of business and transaction size. We leveraged Apache Flink, an open-source streaming and aggregation framework, along with Kafka event streaming to build the aggregation system.

Uncovering Fraudulent Associations with GraphDB

Traditional relational databases struggle to handle complex relationships between entities, making them less effective in detecting fraud patterns across vast networks. Therefore, we leverage a graph database, which excels in uncovering intricate links between users, transactions, devices, and payment instruments. It allows us to discover any transitive relationship with any already-proven risky entity. Examples:

  • A cohort of users attempting to exploit the system, interconnected directly or indirectly through various identifiers such as phone number, email, IP address, device, or payment instruments like cards and UPI handles.
  • A merchant attempting to exploit a competitor’s system.
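The transitive-link lookup described above, sketched as an added example (not Cashfree's code): a breadth-first search over an in-memory graph stands in for the graph database, and the entity names, hop limit and sample records are constructed for illustration. Returning the path gives the reviewer the chain of shared identifiers behind a flag.

```python
from collections import defaultdict, deque

def build_graph(records):
    """Link each user to every identifier seen with it (undirected graph)."""
    graph = defaultdict(set)
    for user, identifiers in records:
        for ident in identifiers:
            graph[user].add(ident)
            graph[ident].add(user)
    return graph

def path_to_risky(graph, start, risky, max_hops=4):
    """Shortest chain from `start` to a known risky entity, or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node in risky:
            return path
        if len(path) - 1 >= max_hops:   # hop budget spent, do not expand
            continue
        for nxt in sorted(graph[node]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

# Constructed sample: u1 is already proven risky; u3 never shares an
# identifier with u1 directly, only through u2.
RECORDS = [
    ("user:u1", ["phone:900", "device:dA"]),
    ("user:u2", ["device:dA", "card:c7"]),
    ("user:u3", ["card:c7", "email:e3"]),
    ("user:u4", ["email:e4", "device:dZ"]),
]
RISKY = {"user:u1"}
GRAPH = build_graph(RECORDS)

if __name__ == "__main__":
    for user in ("user:u3", "user:u4"):
        print(user, path_to_risky(GRAPH, user, RISKY))
```
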

Examples of Fraud and How RiskShield Prevents These

UPI Collect Request Scam

In this scam, fraudsters pose as legitimate users, claiming to process a refund. They trick users into approving a ‘Collect Request’ by convincing them that a refund has been initiated and instructing them to enter their UPI PIN in their UPI app to receive the refund. While increasing fraud awareness prevents many attempts from succeeding, some individuals still fall for this scam, enter their PIN, and unknowingly become victims of fraudulent activities.

RiskShield analyses these transaction requests and flags them based on the signals below.

  • The same device or user is attempting payments by sending Collect Requests to multiple UPI handles. Our aggregation system dynamically tracks and aggregates the distinct UPI handle count and flags suspicious transactions.
  • As awareness increases, many Collect Request attempts fail, making a high number of failed attempts another key signal.
  • Fraudsters often use disposable or temporary phone numbers and email addresses. Our phone and email intelligence enhances risk detection by identifying such patterns.
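The distinct-UPI-handle and failed-attempt signals above, together with the amount velocity rule from the Smart Rules section, sketched as an added example (not Cashfree's code). An in-memory sliding window stands in for the Flink/Kafka aggregation; thresholds, field names and the sample stream are constructed for illustration.

```python
from collections import defaultdict, deque

class SlidingWindow:
    """Keeps (timestamp, value) pairs per key for the last `window_s` seconds."""
    def __init__(self, window_s):
        self.window_s = window_s
        self.events = defaultdict(deque)

    def add(self, key, ts, value):
        self.events[key].append((ts, value))

    def values(self, key, now):
        q = self.events[key]
        while q and q[0][0] <= now - self.window_s:  # evict expired events
            q.popleft()
        return [v for _, v in q]

def screen(stream, window_s=600, max_handles=3, max_failures=2, max_amount=20000):
    handles = SlidingWindow(window_s)   # device -> UPI handles it targeted
    failures = SlidingWindow(window_s)  # device -> earlier failed attempts
    amounts = SlidingWindow(window_s)   # UPI handle -> attempted amounts
    decisions = []
    for tx in stream:                   # assumed ordered by timestamp
        ts, dev, upi = tx["ts"], tx["device"], tx["upi"]
        handles.add(dev, ts, upi)
        amounts.add(upi, ts, tx["amount"])
        reasons = []
        if len(set(handles.values(dev, ts))) > max_handles:
            reasons.append("distinct_upi_handles")
        if len(failures.values(dev, ts)) > max_failures:
            reasons.append("failed_attempts")
        if sum(amounts.values(upi, ts)) > max_amount:
            reasons.append("amount_velocity")
        decisions.append((tx["id"], "BLOCK" if reasons else "ALLOW", reasons))
        # The outcome is only known after screening, so it feeds later checks.
        if not reasons and tx["outcome"] == "FAILED":
            failures.add(dev, ts, 1)
    return decisions

# Constructed sample stream (timestamps in seconds).
FIELDS = ("id", "ts", "device", "upi", "amount", "outcome")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("t1", 0, "d1", "a@upi", 500, "FAILED"),
    ("t2", 60, "d1", "b@upi", 500, "FAILED"),
    ("t3", 120, "d1", "c@upi", 500, "FAILED"),
    ("t4", 180, "d1", "d@upi", 500, "FAILED"),
    ("t5", 200, "d2", "x@upi", 15000, "SUCCESS"),
    ("t6", 300, "d3", "x@upi", 6000, "SUCCESS"),
    ("t7", 900, "d1", "a@upi", 500, "SUCCESS"),   # earlier events have expired
]]
```
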

Chargeback Fraud

In this type of fraud, a user makes the purchase and receives the product or service, and then deliberately raises a chargeback in order to receive the refund of the transaction amount.

Some of the signals that help us flag such transactions:

  • A user, or attributes such as device, IP, phone, or payment details, being directly or indirectly associated with past chargebacks or disputes, as derived from our GraphDB
  • Users found engaging in repeated fraudulent activities are added to the fraudster dataset maintained by Cashfree

Promotion or Discount Abuse

Companies often run campaigns offering one-time discounts to new customers. This can be abused by creating fake accounts to avail the offer multiple times. To prevent such misuse, our device intelligence system identifies accounts linked to the same device and flags these transactions accordingly.

Conclusion

Everything we build at Cashfree Payments starts with a simple goal: to remove friction and eliminate pain points for our merchants. Every transaction they process carries more than just value; it carries trust. 

Whether you’re running flash sales, handling high volumes, or scaling into new markets, RiskShield works behind the scenes to keep fraud out and trust intact.

And because no two businesses are the same, we’ve made it flexible, so every merchant can tailor their fraud prevention without compromising on experience or speed.

We’ve built a system that doesn’t just react—it anticipates. It adapts. And most importantly, it puts control in the hands of the businesses we serve. RiskShield is our way of saying, “We’ve got your back.”

Stay tuned for more blogs in this series!
