A new form of Pix scam targets micro and small entrepreneurs. With the increase in the use of the Central Bank’s instant payment tool to make purchases and transactions with stores, criminals have adapted to the novelty: they now open PJ accounts at several banks with purposely wrong names of big brands, and lie about transfers to hook inattentive businessmen.
False supplier scam results in losses of up to R$ 10 thousand
AllowMe, a company specializing in digital protection, has discovered through its platform intelligence division that criminals are reinventing themselves when it comes to Pix scams. The social engineering scheme that targets MPEs and MEIs is known in the market as the “false supplier scam”.
The new Pix scam, according to AllowMe, has become more and more recurrent in recent weeks. Small businesses are the main victims, and the losses for each successful attempt vary between R$10 and R$10,000.
The fake supplier scam only works from social engineering, relying on human error in paying service providers. The scammers open PJ accounts in digital banks with the names of fictitious companies. They have names similar to real companies, but they purposely miss a letter or number.
After opening an account, criminals make contact with the victim. They pretend to be suppliers of a large company, then inform that there has been a change in the payment processes via Pix and ask for a new transfer for confirmation.
“Frauders can access the list of suppliers in several ways: by leaking data on the internet, by internal information or even by entering the company’s website and seeing a stamp at the bottom of the page”, says Raquel Aquino, security analyst at AllowMe information. “There are cases in which criminals request the exact invoice amount of the contract between the companies in the contact”.
According to Aquino, the supplier scam has more chances of success when practiced on companies that do not have a strict payment procedure. Remember that the Pix confirmation shows the recipient’s name, CNPJ and bank.
Tips on how not to fall for the Pix scam for MEPs
The customer can prevent the supplier’s scam. Febraban (Brazilian Federation of Banks) recommends the user to check the recipient’s information when paying a bank slip or making the Pix.
Aquino explains that criminals can open corporate accounts at will, as the process is getting easier. It’s also not illegal to open a MEI, which works in favor of the scammers. Ranier scores:
“However, there are some features that can help stop this massive opening, such as looking at the devices (computers or smartphones) used by swindlers: there would certainly be suspicious behavior of multiple accounts being opened from a limited number of devices, or within a certain location radius.”
Febraban emphasizes that it is not safe to share passwords via messages, emails or SMS. On October 18, the association launched an anti-fraud campaign with an increase in scams on Pix.
- In addition, AllowMe itself has listed some important tips for MEPs to avoid scams:
- Do not trust unknown contacts, no matter how much they pretend to be suppliers;
- Contact the supplier on secure and commonly used numbers/emails;
- Check PIX recipient data;
- Regardless of whether the requested amount matches previously paid invoices, always consult the person responsible for administering that contract;
- If the applicant insists on payment or asks not to end the call, be suspicious;
- Please note: the PIX does not require activation transactions;
- Suppliers never change bank details/receipt over the phone without formalization;
- Do not provide personal and commercial data;
- Do not confirm confidential information between the company and the supplier (invoice amount, contracted services, etc.);
- No matter how much the applicant confirms all company data, do not carry out transactions without formalization through secure channels.