Criminals are inventing new ways to steal money using Pix, the Central Bank's instant payment system. This time the tool is used as bait in an SMS scam. According to a report by cybersecurity firm Kaspersky, the new scam is an evolution of a tactic used a few years ago: the fake bill sent by email.
Launched in November 2020, Pix was quickly adopted by Brazilians, and its popularity has been drawing the attention of criminals. The new scam adapts to the new payment method and takes advantage of the speed of instant transfers to deceive people who are less attentive or less familiar with technology.
Scams promise discounts on card and cell phone bills
According to Kaspersky's experts, the messages reach the victim via SMS and promise a discount for paying a cell phone or credit card bill with Pix. In one of the examples released by the security company, the fake message claimed the consumer could get a R$ 35.90 rebate on the bill, and then gave a Pix key to which the money should be transferred.
Another campaign announced a partnership between card brands offering discounts of up to 40% on the bill. On the fake website the victim is asked to enter their CPF (taxpayer number), the original bill amount, the card brand and the last four digits of the card.
Finally, a new, lower amount is generated for the invoice and a Pix key is given for the transfer. In this case, besides losing money, the victim also hands personal data to the criminals on a platter.
Use of short codes makes the scam harder to identify
Security analyst Fabio Assolini points to another factor that helps this type of scam spread: the use of short numbers (short codes), normally used by companies, to send the fake SMS messages.
“The so-called ‘short codes’ are channels that should be used exclusively by operators and large companies to communicate with customers, as they have greater credibility and are generally used for sending tokens or confirmation codes. But it is indisputable that they are being abused to carry out scams online.”
Kaspersky says it has blocked more than 22 million phishing attempts since Pix's debut. According to the company, 81% of the fraudulent messages use the names of financial institutions. Between May and August 2021, more than 2,400 phishing URLs mentioning the term “Pix” were blocked.
“In recent months we have identified scams exploiting SMS, such as class 0 messaging and the use of Unicode characters to bypass the operators' filters. With social engineering used to deceive victims and receive payments via Pix, whose reversal is very difficult, the scam is completed successfully. In this context, it is very important that people know these scams exist, that they understand how to protect themselves and that they have a security solution on their phones.”
Fabio Assolini, Kaspersky
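As an added illustration, not taken from the Kaspersky report or from the original article, the Python script below shows the two SMS tricks described above from the defender's side: a message that combines a discount lure with a Pix key to pay into, and the Unicode trick that slips the word “Pix” past a filter that only matches ASCII. The sample messages, the small look-alike table and the lure vocabulary are all constructed for this example; a real filter would use the full Unicode confusables data and a much larger lure list.

```python
import re
import unicodedata

# Small look-alike table, constructed for this example (a production filter
# would use the full Unicode confusables data). Maps non-Latin characters that
# render like p, i and x back to ASCII.
CONFUSABLES = {
    "\u0440": "p",  # Cyrillic small letter er
    "\u03c1": "p",  # Greek small letter rho
    "\u0456": "i",  # Cyrillic small letter byelorussian-ukrainian i
    "\u0131": "i",  # Latin small letter dotless i
    "\u0445": "x",  # Cyrillic small letter ha
    "\u00d7": "x",  # multiplication sign
}

# Lure vocabulary (Portuguese and English) used in the discount-on-your-bill pitch
LURE_RE = re.compile(r"\b(desconto|discount|fatura|bill|invoice|cashback|pague|pagamento|pay)\b")
PIX_RE = re.compile(r"\bpix\b")

# Shapes of the four Pix key types: random key (EVP/UUID), e-mail, phone, CPF.
# Checked in this order so an unseparated 11-digit phone is not reported as a CPF.
PIX_KEY_PATTERNS = [
    ("evp", re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("phone", re.compile(r"(?<!\d)(?:\+?55\s?)?\(?\d{2}\)?\s?9\d{4}-?\d{4}(?!\d)")),
    ("cpf", re.compile(r"(?<!\d)\d{3}\.?\d{3}\.?\d{3}-?\d{2}(?!\d)")),
]


def naive_contains_pix(text: str) -> bool:
    """The kind of keyword check a simple SMS filter might do, defeated by look-alikes."""
    return "pix" in text.lower()


def normalize(text: str) -> str:
    """Fold the message to plain lowercase text before matching."""
    # NFKD turns compatibility forms into their base letters (full-width P -> P)
    # and splits accented letters into base letter + combining mark.
    decomposed = unicodedata.normalize("NFKD", text)
    out = []
    for ch in decomposed:
        cat = unicodedata.category(ch)
        # Drop combining marks (Mn) and invisible format characters (Cf) such as
        # zero-width spaces that are inserted to break up a keyword.
        if cat in ("Mn", "Cf"):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out).casefold()


def analyze(message: str) -> dict:
    """Score one SMS for the 'discount via Pix' lure pattern."""
    text = normalize(message)
    lure_words = sorted(set(LURE_RE.findall(text)))
    pix_mention = PIX_RE.search(text) is not None
    key_type = None
    for name, pattern in PIX_KEY_PATTERNS:
        if pattern.search(text):
            key_type = name
            break
    # A key to pay into is the strongest signal; a discount or the word Pix on
    # its own is something a legitimate bank message could also contain.
    score = (2 if key_type else 0) + int(pix_mention) + int(bool(lure_words))
    return {
        "normalized": text,
        "pix_mention": pix_mention,
        "lure_words": lure_words,
        "key_type": key_type,
        "score": score,
        "flagged": score >= 3,
    }


# Constructed sample messages (not real captures). The second one spells "Pix"
# with a full-width P, a zero-width space and two Cyrillic letters.
SAMPLE_MESSAGES = [
    "Pague sua fatura com 40% de desconto via Pix. Chave: 123.456.789-09",
    "Pague a fatura com desconto via \uff30\u200b\u0456\u0445. Chave: contato@exemplo.com",
    "Seu c\u00f3digo de confirma\u00e7\u00e3o \u00e9 482913. N\u00e3o compartilhe.",
    "Promo\u00e7\u00e3o: 40% de desconto na fatura. Acesse o site oficial.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = analyze(msg)
        print(f"naive pix check: {naive_contains_pix(msg)!s:5}  "
              f"flagged: {result['flagged']!s:5}  key: {result['key_type']}  "
              f"lure: {result['lure_words']}")
```

Running it shows the point of the Unicode trick: the naive check sees “Pix” in the first message but not in the second, while the normalized check catches both, and the two benign messages (a confirmation code and a promotion with no key to pay into) stay below the threshold. The score is a deliberately simple heuristic; the signal that matters most is a payment key inside a message that is pushing you to pay.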
The Pix scam relies on the same weakness as other online scams: the user's lack of attention (or knowledge). For a Pix transfer, when you enter the key in your bank's app the app shows the recipient's name and institution before you confirm the payment. Be suspicious if what is shown does not match the company that supposedly sent the offer, and question any inconsistent data.
To avoid this type of problem, stay alert and do not believe every promotion that arrives via SMS, WhatsApp or any other channel. Always check the official channels of the company behind the supposed offer to see whether it is real, however convincing it looks.
As we have warned several times here on Techblog, be careful before sharing your personal or banking details with anyone over the internet: avoid sending account information or card numbers via messaging apps, email or social media. Also be suspicious whenever a website asks for this information and, when shopping online, make sure the store is legitimate.