When a man approached Maria on Facebook, the 61-year-old Brazilian widow thought she might have another chance at love. She never imagined their budding online relationship would turn into a financial nightmare.
The man, who said he lived abroad, gained her trust with promises of love and marriage. Saying he had sent a box of gifts that had been seized by Customs, he told her she needed to make a down payment to a Brazilian company to release the goods.
“If I lose my package, I will never be happy with you,” he wrote, suggesting she should borrow money from a loan shark if she did not have enough.
Maria – a pensioner whose family asked to use a pseudonym to protect her identity – ended up taking out multiple loans to make payments totalling 19 700 reais ($4 000) through Pix, an instant payment mechanism that has become ubiquitous in Brazil.
The Thomson Reuters Foundation had access to chat messages and her eventual complaint to police, which led to an investigation but no prosecutions.
Maria’s case reflects a surge in fraud incidents in Brazil linked to the explosive growth of digital payments in recent years.
Almost one in three Brazilians have been victims of financial scams and frauds, a 2022 survey by Brazil’s banking association found, up from roughly one in five a year earlier. Many of these are committed through online channels.
Reports of social engineering attacks, which include phishing scams, reached a record high in 2021, the first year after Pix was introduced in November 2020, research by Serasa Experian, a Brazilian credit bureau, showed.
Such financial scams were estimated to have caused losses of 2.5 billion reais last year – about 70% of which stemmed from operations using Pix, a low-cost, instant payment system for mobile phones launched by the country’s central bank.
Concerned about the trend, the central bank has introduced a series of security measures aimed at reducing the risk of phishing scams and fraud using the platform, said Carlos Brandt, head of Pix Management and Operations at the Central Bank of Brazil.
“Pix has an extremely robust security framework,” he told the Thomson Reuters Foundation. “Of course, we care and promote a maximum-security environment.”
Much of the problem is simply due to the speed with which digital payments have taken off, with many people unfamiliar with the possible new risks they entail, experts said.
“It’s easy for (fraudsters) to create a compelling story that people could fall for if they’re not used to interacting online, like the elderly,” said Gustavo Monteiro, managing director at cybersecurity firm Allow Me.
“Every Brazilian, now, has a bank in their pockets. These gangs know this,” he added.
Leap in digital payments
With bank branches shuttered due to lockdown curbs, millions of Brazilians turned to online banking for the first time during the COVID-19 pandemic, echoing a worldwide trend.
According to a report by McKinsey, the number of global non-cash retail payments rose on average 13% per year between 2018 and 2021. In emerging markets like Brazil, non-cash payments rose twice as fast during the same period.
Brazilians quickly embraced Pix and nearly 140 million have used it – equivalent to almost two-thirds of the population. Central bank data shows it has overtaken credit and debit cards or regular bank transfers as a means of payment.
From barber’s shops to restaurants to coconut sellers and peddlers on the beaches of Rio de Janeiro, Pix’s grey and green logo has become part of daily life in Brazil.
But as Pix’s use grew monthly, cases of blackmail, scams and even kidnapping involving the app also rose. Brazilian media have dubbed the criminals behind such offences as “Pix Gangs.”
“Frauds and scams have always existed, but Pix is so fast… and harder to trace. Once it’s done, it’s done,” said Rafael Schiozer, a finance professor at the Fundacao Getulio Vargas, a higher education institution.
Safety measures
The scams can sometimes be difficult to spot.
One day in February, Marcella Centofanti, a journalist from Sao Paulo, got a phone call from someone purporting to be a bank employee who said hackers had compromised her account.
He was particularly precise in describing her account details and transactions, leading her to think it was true. Eventually she became suspicious when the man asked her to do a Pix transaction and she hung up.
“I felt so vulnerable … I felt that my finances were completely exposed,” said Centofanti, who reported the incident to her bank. “It felt like a very sophisticated scam.”
Measures put in place by the central bank to crack down on such attacks include daily transfer limits and a cap on transactions conducted during the night to reduce the risk of kidnappings.
It has also created a shared database for fake accounts, as criminals often move the money through hundreds of so-called mule accounts to avoid detection.
“We’re always inferring prevention mechanisms to avoid this type of situation as much as possible,” said Brandt, adding that so far, no hacking attempt has been made and that most fraud cases related to Pix stem from social engineering tactics.
Private sector financial companies have also been introducing safety features. Nubank, the largest digital bank in the country, lets clients establish a safe zone, such as their home or work, to do certain transactions.
That means a customer can choose reliable Wi-Fi networks to do banking, and place limits on the value of Pix transactions outside of those areas.
Some people are taking their own preventative measures.
Bruno Diniz, a managing partner at Spiralem, a fintech consultancy firm in Brazil, carries one mobile phone with him for day-to-day transactions and leaves another – linked to his main financial accounts – stowed away at home.
Despite such inconveniences, he still thinks Pix’s benefits outweigh the risks.
“These are not Pix design flaws, it’s a national security problem,” he said. “Eventually, people will adapt.”