Brazil’s "new PIX instant payment scam" goes viral and worries Internet users; find out more
A new type of bank fraud has Internet users throughout Brazil worried following a report by a journalist who almost fell victim to the PIX scam. She decided to issue a public warning right after it happened, which went viral on social media.
The “new PIX scam”, step by step
The first step entails calling the victim and pretending to be an employee from the bank where they have an account. The caller then warns of "suspicious" transactions having been identified, usually around the two-thousand-dollar mark, and that, for security reasons, the account has been blocked.
To gain the victim's trust, the scammer then begins describing other real transactions on the bank statement, including the recipient and amount for PIX instant payment transfers the account holder actually performed. Now, in theory, this information could surely only be in the hands of a bank clerk, right?
Finally, the fraudster asks the account holder to perform PIX instant payment transactions for the same three amounts cited for a given account, under the pretext that, by doing so, the bank's system will automatically identify a double payment and cancel all transactions.
This argument, of course, is complete nonsense. But if an unwary Internet user falls into this trap, they could end up losing a vast sum of money to cybercriminals. Moreover, it is worth remembering that PIX transactions are practically irreversible and that banks have their hands tied in cases of fraud.
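The "double payment" pretext leaves a behavioural trace a bank's fraud team can look for: a never-before-seen PIX key receiving, in a short burst, several transfers whose amounts exactly replay earlier lines of the victim's statement. The heuristic below is an added example written for this article, not code from any bank or from the original report; the transfer records, PIX keys and thresholds are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PixTransfer:
    ts: datetime
    recipient: str  # PIX key of the counterparty (constructed, hypothetical format)
    amount: float


def mirrored_transfer_alerts(sent, lookback_days=30, window_minutes=60, min_matches=2):
    """Return (recipient, amounts) for new recipients that receive, within one short
    window, several transfers whose amounts replay earlier transfers to other keys."""
    sent = sorted(sent, key=lambda t: t.ts)
    by_recipient = defaultdict(list)
    for t in sent:
        by_recipient[t.recipient].append(t)
    alerts = []
    for recipient, txs in by_recipient.items():
        first = txs[0].ts  # first-ever transfer to this key: the recipient is new
        burst = [t for t in txs if t.ts - first <= timedelta(minutes=window_minutes)]
        if len(burst) < min_matches:
            continue
        # amounts previously sent to *other* recipients inside the lookback period
        earlier = {round(t.amount, 2) for t in sent
                   if t.recipient != recipient
                   and first - timedelta(days=lookback_days) <= t.ts < first}
        matched = [t.amount for t in burst if round(t.amount, 2) in earlier]
        if len(matched) >= min_matches:
            alerts.append((recipient, matched))
    return alerts


# Constructed sample statement: three ordinary transfers, one harmless repeat to a
# known key, then a burst to a never-seen key that mirrors the three earlier amounts.
D = datetime(2024, 5, 1)
SAMPLE = [
    PixTransfer(D, "grocer@example", 150.00),
    PixTransfer(D + timedelta(days=2), "landlord@example", 2000.00),
    PixTransfer(D + timedelta(days=4), "pharmacy@example", 89.90),
    PixTransfer(D + timedelta(days=7), "grocer@example", 150.00),
    PixTransfer(D + timedelta(days=9), "unknown-key@example", 150.00),
    PixTransfer(D + timedelta(days=9, minutes=5), "unknown-key@example", 2000.00),
    PixTransfer(D + timedelta(days=9, minutes=12), "unknown-key@example", 89.90),
]

if __name__ == "__main__":
    for recipient, amounts in mirrored_transfer_alerts(SAMPLE):
        print(f"review: {recipient} received mirrored amounts {amounts}")
```

The repeat to the already-known grocer key is not flagged; only the burst to the new key, whose amounts match the earlier statement lines, is raised for review before the transfers clear.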
Theories and more theories
So far, there haven’t been many reports about other victims of a scam attempt as elaborate as the one reported by the journalist. Still, the incident has put the entire Brazilian information security community on alert, since the big question is how the fraudsters gained access to the real bank statement for the account in question. It is precisely this factual information that gives the whole thing an air of legitimacy, leading many Internet users to trust the claims.
One possibility in this new scam campaign is that fraudsters are specifically targeting Internet users whose primary Internet banking passwords have leaked. It is worth remembering that most institutions work with two layers of protection: i) an alphanumeric password, which only grants access for viewing the account statement and navigating menus; and ii) a PIN (usually the same one used for credit or debit cards) that is required to actually perform transactions.
The first password could be discovered through a brute force attack or password spraying if the victim uses the same combination for other online services that have already suffered data leaks, for example. This would make it perfectly possible for scammers to gain access to a victim's account statement and then approach the person and trick them into using their PIN to perform fraudulent transactions.
Still a mystery
Of course, there are several other possibilities and theories that cannot be ruled out: the use of some specific banking malware capable of extracting this information, the theft of printed bank statements tossed in ATM trash cans (a form of dumpster diving), or even the existence of malicious insiders within banking institutions working in partnership with cybercriminals. As to the last thesis, in a statement to the press, the bank of the journalist who reported the incident assures that it follows best internal security practices.
In the end, it’s unclear exactly how the new scam works, and whether the reported case is isolated or not. Whatever the case, the warning is worth noting: no banking institution asks customers to make transfers via something like the PIX instant payment method "for security reasons". If you are approached and instructed to do so, hang up the phone immediately and contact your banking institution for further instructions.