In recent weeks, media outlets and social network users have started to report a new Pix scam that has been happening very often. The attack likely depends on internal sources that collect the victim's information, or on some other not yet verified tactic for obtaining the bank data. Once they have the necessary information, the criminals begin the final phase, which uses social engineering.
The Method
The criminal calls the victim posing as an Itaú employee. He informs the bank client that his or her account has been hacked and says that, for security, the account has been blocked. To gain trust, the scammer gives very detailed information about the client’s bank statement and about all the transactions made in the last few days.
When the victim accesses the app, they can confirm that the account really was blocked. The scammer then says that deposits of large amounts were found, sometimes R$ 10,000. Since the victim does not recognize any of these deposits, the alleged bank employee proposes a solution: the same amount must be transferred back to the account of origin. According to him, only then would the bank verify the duplication and cancel the operation.
The Bank
The bank informed media sources that it does not know how the criminals obtain sensitive details of its clients’ bank accounts. At the same time, the victims do not know how their data was leaked. The fact that the scammers have precise information about the bank statements makes experts believe bank employees were involved.
Brazilian Federation of Banks (Febraban) Recommendation
Febraban clarifies that this is a social engineering scam, which uses techniques to trick the individual into providing confidential information, such as passwords and card numbers, in addition to carrying out financial transactions for the scammer.
Social Engineering
Most people have a lot of personal information available in the digital world. When navigating the virtual universe, citizens give up their privacy and expose data, photos, tastes, experiences, location, and political opinions. Such information is a valuable asset for criminals. But criminals can go beyond what is obviously there: they can collect more data through observation and deduction.
For instance, some care must be taken before publishing an image. There are reports of people whose data was reproduced by criminals who, after appropriating their identity, asked relatives for money using WhatsApp, which is a very common scam. All sensitive information on the internet can be used by cybercriminals. Commemorative dates are commonly used as passwords on social networks or banks.
Recommendations
- Keep devices updated with the latest app version
- Watch out for social engineering attempts. This tactic is often applied to gain access to a resource, account, profile or device. This is the case with the new Pix scam and Prilex hackers attacking credit card machines.
- Be suspicious of enticing, unsolicited phone, text, or pop-up offers. Go to the offer site and see if it is advertised there
- Continually monitor your accounts for unauthorized activity
- Do not provide data that is not necessary for a purchase, such as CPF or ID number