The fake call center scam, already known for harassing individuals with persistent calls and causing significant financial damage, has entered a more sophisticated and dangerous phase. Criminals are now using social engineering to convince victims to install legitimate remote access apps on their smartphones — allowing complete control of the device. Once access is granted, scammers can bypass traditional security measures and perform unauthorized banking transactions, leaving victims vulnerable. This new tactic reflects a broader shift in cybercrime strategies, increasingly targeting mobile devices and exploiting user trust.
How It Works
The fraud begins with a phone call in which the scammer pretends to be a bank technician and instructs the victim to install apps such as TeamViewer, AnyDesk, or similar programs that enable remote access to the device. The criminal then asks the victim to provide the code displayed by the app, which allows remote control. If the victim complies, the scammer gains full access to the phone and can perform numerous financial transactions, draining the bank account. Neither antivirus software nor the security features of banking apps can prevent these losses once access is granted.
Increase in Cases
Cybersecurity company Kaspersky has reported a significant rise in the installation of these remote access apps by users since May 2024. What was once fewer than ten detections per month rose to over a thousand in October, with monthly detections remaining above 800 into the current year. These remote access tools are at the core of the resurgence of the “ghost hand” scam, which affects both Android and iPhone devices and can bypass existing security systems.
Biometrics
Because this scam requires some level of victim cooperation, fraudsters often attempt to persuade victims to complete biometric verifications — using their fingerprint or facial recognition — to authorize Pix transactions or loans. In some cases, they may end the call and switch to text messaging, as some banking apps restrict transactions while a call is ongoing.
Personal Data
To increase pressure, scammers often cite the victim’s personal information such as CPF, account number, and more. These details may have been obtained through data leaks or by the victim unknowingly filling out fake online forms.
New Techniques
Another tactic used by criminals is caller ID spoofing, a technique that alters the phone number displayed on the victim’s screen. This makes fake calls appear as if they are coming from the bank or even the victim’s personal account manager.
Smartphones
The surge in scams involving remote access suggests that fraudsters are shifting their focus from computers to smartphones. According to a 2024 survey by Deloitte, 75% of banking transactions in Brazil are now conducted via smartphones.
Be Suspicious
- Be cautious if someone claiming to be from your bank asks you to install any apps.
- Banks do not call customers to request app installations.
- Do not share codes from newly installed apps with anyone.
- Refuse any requests to perform biometric verification during a suspicious interaction.
- If you suspect fraud, hang up immediately and contact your bank through official channels to confirm your account status.
In the Event of Fraud
- Contact your bank as quickly as possible.
- File a police report.
- Immediately delete any remote access apps that may have been installed.
- Change all your banking and account passwords.
Analysis:
The evolution of the fake call center scam into a more technologically advanced and invasive scheme signals a critical shift in cybercrime tactics, where mobile devices have become the primary target. Criminals are leveraging remote access apps — legitimate tools used by IT professionals — to bypass security measures and exploit the trust of users. These scams rely not on malware, but on social engineering: by manipulating victims into voluntarily granting access, fraudsters bypass even the most advanced digital protections.
To combat this wave of fraud, awareness and public education are essential. A fundamental principle must be reinforced: no legitimate bank will ever call a customer asking them to install an app. In any such situation, the safest response is to hang up immediately and contact the bank through official channels — such as the number on the back of the card or the bank’s official app.
Sources: A Folha de SP.