How PIX Became Attractive to Lightning Scams and Hijacks

São Paulo – Launched in November, PIX has emerged as an innovative form of instant, no-cost payments and bank transfers. It quickly fell in favor with the population. The ease of moving money, however, also attracted criminals and generated a wave of scams related to the system – and the Central Bank has already announced new rules.

Only in August, the metropolises recorded at least 19 reports of crimes involving the PIX in the country, ranging from cell phone cloning to lightning kidnappings with the aim of transferring large amounts from the victim’s account.

Experts assess that there is not a problem with the PIX itself, but a general issue of public safety and a lack of digital education. They see the changes proposed by the Central Bank as positive, but believe they are insufficient to curb such crimes.

Last week, the financial institution announced changes, including transfers of up to R$1,000 between 8:00 pm and 6:00 am, a minimum period of 24 hours for approval to increase the transaction limit and prior registration of accounts that may receive PIX in amounts above the limits settled down.

Oscar Zucarelli, information security manager at CertiSign and a specialist in data protection and fraud prevention, explains that the program was developed with known technology, similar to TED and DOC, which are secure methods. What is lacking, in his view, is more information for users.

“When we think about security of information, it is impossible to guarantee 100% protection. Obviously, when we start to implement some controls, they will reduce the risks, but saying that they will solve it is something else,” he said.

He adds: “One of the measures being put in place is the possibility that a transaction will be held for 30 minutes during the day, and up to 60 minutes at night. But didn’t the PIX come to be an immediate payment? So you start to decalibrate functionality and security, because these risks will exist.”

These cyber scams are classified as “social engineering,” explains Zucarelli. In these cases, the thief tries to deceive a user in good faith and makes the victim pass on information that is important for financial gain.

“These are acts that seek the fragility of people to obtain data and financial transfers. We don’t say that the lack of information security is a public security problem”, he points out.

Advantages versus Losses

Rogério Melfi, coordinator of the ABFintechs Open Banking Working Group, agrees that the PIX is not to blame for the financial crimes, because they “unfortunately have always existed with other means of payment”. In his view, the system brought many advantages, as it did not exclude any other channel, it just added.

He also says that it is necessary to educate the user for any action when using the internet. “We are going through a digitization process and, due to the pandemic, a forced digitization. Those who didn’t even use internet banking, bank applications or were considering instant payments, now needs to introduce themselves in this world”, he says.

Melfi thinks the change announced by the Central Bank is positive, but says it will be necessary to understand how it will work in practice. “The PIX is new, it’s only ten months old and it’s evolving. It is learning what the regulatory agency is doing, together with the market, seeing how it can be safer. From here in a few months, we may have an increase or a reduction in this limit, you can adjust that”, he comments.

To protect accounts from possible theft and kidnapping, he recommends using apps to leave banks in hidden folders on the cell phone, or using a separate device with financial apps and leaving it at home. If he falls into a scam, he suggests contacting the financial institution as soon as possible, in addition to registering the occurrence at a police station.

A survey by the National Confederation of Store Leaders (CNDL) and the Credit Protection Service (SPC Brasil), in partnership with Sebrae, showed that PIX is the population’s second preferred payment method, with 70%. The technology lags only slightly behind cash payments at 71%.

miscellaneous crimes

One of the most common offenses involving the system is the WhatsApp scam. Criminals clone a person’s phone number and profile picture and send a message via the messaging app to relatives and friends to ask for money for the PIX. The person transfers the amount thinking it is the known, but in fact he is transferring it to the scammer.

A case like this occurred recently in Goiás. A 24-year-old girl impersonated the sister of a Labor judge who works in Minas Gerais and requested a deposit of R$7,850 for the victim. Suspicious of the request, the magistrate contacted her sister, discovered the hoax and reported the crime to the police.

In another similar crime, scammers impersonate companies and send messages with fake payment codes or QR Codes, diverting the victim’s money to their bank account.

Lightning kidnapping, in which criminals hold the victim hostage until she transfers large sums to accounts soon deactivated, is also a concern. Only in the state of SP, between January and July, there was a 39% increase in the occurrence of these abductions in general, according to data from the Public Security Secretariat.

Gamer and digital influencer Arthur Ramos, known as “Crusher Fooxi 10” in the game Free Fire, was one of the victims. This week, police arrested two men for kidnapping and extorting a gamer in Pariquera-Açu, in the interior of São Paulo.

The boy was kidnapped on August 18 along with his girlfriend and mother-in-law, and the three were taken to the capital. On the way, the victims were forced to make transfers via PIX that totaled R$ 35,000.

In all cases, criminals often use a tactic of transferring stolen funds from account to account, to make tracking difficult by the Police.