Date: 2022-01-12

Criminals use QR Code, which works like a barcode scanned to make payments, to commit fraud



A new type of scam involving Pix was identified earlier this year by an online security software company.

For the first time, according to the company, criminals are using the system’s QR Code, which works like a barcode that is scanned to send a payment, to commit fraud.

In this scam, criminals copy the visual identity of service providers, such as telephone and streaming operators, and email fake consumer bills or membership offers that carry a QR Code for payment by Pix.

Once the victim scans the code and confirms the payment, the scam is complete. As Kaspersky senior security analyst Fabio Assolini highlighted, the speed of the operation and the sophistication employed by the criminals make it considerably difficult for payers to realize that they have fallen into a trap.

Among the resources used by criminals are email addresses very similar to those used by service providers, and even the inclusion in fake invoices of genuine consumer information, such as name, address and CPF, probably obtained through illegal data leaks.

“Technically, it is very difficult for the user to identify whether the email and invoice are fake,” says Assolini.

Another fraud strategy identified by Kaspersky offers victims a promotional subscription to a movie and series streaming platform.

According to the guidelines of the Central Bank (BC), it is up to the payment service provider to analyze the fraud case and any reimbursement, as is the case today with bank fraud.

The BC also notes that there are mechanisms that increase the chance of reimbursement. These are the Pix precautionary block and the MED (Special Return Mechanism).

In the case of MED, upon being notified of the fraud, the financial institutions in which the victim and the fraudster have accounts may open a notification to block the funds while a possible return is analyzed.

Consumer must check data

According to the Civil Police’s Specialized Police Department for the Repression of Cyber Crimes (DRCC), there is still no record of such fraud in the state.

However, according to experts, it is only a matter of time before the scams start. Eduardo Pinheiro, a specialist in digital security, stressed that extra care must be taken with emails or other types of messages that carry payment attachments.

“Identifying and recognizing the source of the message is critical. When in doubt, one should seek the official channels of service providers to make sure that they were really the senders of the messages”, said Eduardo.

“Do not pay boletos or make bank transfers without knowing who the beneficiary of the transaction is”, he added.

For this, it is necessary to check, before confirming the transaction, the data referring to the holder of the destination account and, if necessary, contact official channels to confirm the information.

The director of the Espírito Santo Commerce Federation (Fecomércio-ES), José Carlos Bergamin, said that companies also suffer attempted scams involving Pix and fraudulent boletos.

“At the beginning of the year, there are always people who call themselves representatives of a group of businessmen, or an association, and charge annual fees for many addresses. As they are small value transactions, they end up going unnoticed by the control of many companies.”

UNDERSTAND – ATTENTION TO THE NAME OF THE ACCOUNT HOLDER

New scam

Criminals are using the QR Code of Pix, the Central Bank’s payment system, to run scams involving fake invoices or service sign-ups.

How it happens

Scammers copy the visual identity of companies and create misleading elements, such as email addresses with the company name and signatures, to send collection slips.

Payment by QR Code using Pix is offered, linked to some advantage, such as a discount for paying this way.

If the user carries out the transaction, the funds are transferred to the scammers.

Data leak

As a strategy to deceive consumers, scammers are even including in fake invoices genuine consumer information, such as name, address and CPF, which can be obtained from data leaks on the internet.

How to protect yourself

According to an expert at Kaspersky, there is one piece of information that fraudsters find it more difficult to imitate: the name of the account holder receiving the payment.

In case of fraud, the account holder will have a name other than the company name. Often, the forger will even indicate the account of an individual.

In addition, experts recommend that consumers only obtain collection slips from the companies’ official channels, where the request can be made, and be wary of offers sent without request.

What does the Central Bank say?

According to the BC, the Special Return Mechanism makes it possible to return a Pix in cases where there is a well-founded suspicion that the arrangement was used for fraud, and in cases where there is an operational failure at any end of the service.

The request can be made either by the paying user or by the recipient. Funds can also be blocked in the account.

Source: Kaspersky, BC and experts