Learn about the new Pix scam. See how to protect yourself from criminals.
A sophisticated financial fraud scheme using Pix, an instant payment system, has caught the attention of law enforcement agencies. In addition to traditional forms of embezzlement through robberies and cell phone thefts, citizens are now resorting to backup devices to increase security, as criminals focus on stealing and remotely withdrawing money from victims.
Last week, the Civil Police arrested five suspects belonging to a gang specialized in hacking mobile devices and, based on the information obtained, used their own devices to make illegal money transfers through Pix. According to the State Department of Criminal Investigations (Deic) of the Civil Police of São Paulo, the operation was not limited to the metropolitan region of São Paulo, but also to addresses in Caldas Novas (GO), Palmas (TO) and Brasília (DF). The action was carried out with the support of local security forces.
Phone system lock
Six arrest warrants and 11 search and seizure warrants were executed. Officer Pablo França, head of the General Investigations Division (DIG) and the Special Operations Group (GOE) of the Deic in Presidente Prudente, in Greater São Paulo, highlighted that the most surprising aspect of the project is the attraction of employees of telephone operators. “It is possible to hack passwords, but being able to block the victim’s telephone system is unprecedented,” he said.
He stressed that, despite this, the success of the coup depended on the negligence of the victims, who in one way or another made the attack possible.
How is the scam done?
The delegate explained that the gang's crimes occurred in the following stages. First, the targets were selected based on the leaked data credit history, with the aim of identifying potential profitable victims. The group then sends “spyware” to try to infiltrate people’s devices, using malicious links or files. When victims fall into this trap, the criminals gain access to their banking information. At this point, employees of the third-party operators intervene by configuring a new chip based on the data obtained from the attacked device. Each chip has a unique identifier, similar to the chassis of a car. From that point on, the victim loses the signal on their phone, but rarely suspects that they are being targeted by fraud. After all, if they contact the operator, they will receive information that the chip is working.
In other words, if the bank sends a warning message about suspicious transactions, as is often the case, the fraudster himself receives it. “This way, they overcame the security system,” concluded the police chief. Among the suspects involved in this scheme are a hacker, who was responsible for developing a program to send virtual traps to victims, and at least two outsourced employees of telecommunications companies, who agreed to copy the victim’s chip. One of them has not yet been arrested.
How to avoid being scammed?
The Brazilian Federation of Banks (Febraban) stated that in remote access scams, the fraudster often sends a link or contacts the victim pretending to be a fake bank employee.
Therefore, if customers install the requested application, criminals will have access to all data on the cell phone. According to the organization, the criminals were able to commit fraud because they found bank access passwords written in notebooks, emails, WhatsApp messages or other locations on the cell phones.
That said, some measures that may be useful to avoid being a victim in one fell swoop are:
- Do not click on links from suspicious sources, especially when related to financial institutions. According to Febraban, the bank never calls customers or sends them a link asking them to install any type of application on their cell phone.
- If any link containing this content was clicked by mistake, you should turn off your cell phone and contact the bank through official channels to find out if there is any irregularity in the account. Ideally, this contact should be made from another device.
- Never save personal passwords or confidential card numbers in mobile apps such as Notepad or WhatsApp chat. This behavior can make it easier for criminals to hack cell phones.
- Apply two-factor authentication for more sensitive applications. This behavior can mean that even a phone can be hacked.
