New scam uses Pix QR Code in fake ticket

A new type of scam involving Pix was identified earlier this year by the security software company Kaspersky. For the first time, according to the company, criminals are using the QR Code of the electronic payment system.

Despite the unprecedented use of cell phone code scanning technology in this type of scam, the way to deceive consumers is old. Scammers copy the visual identity of service providers and send fake consumer accounts or membership proposals by email.

By scanning the code and confirming the payment, the scam is complete. The speed of operation and the sophistication employed by criminals make it considerably difficult for the payer to realize they have fallen into a trap, says Fabio Assolini, senior security analyst at Kaspersky.

Registering electronic addresses that are very similar to those used by service providers and including false consumer information on false invoices, such as name, address and CPF –probably obtained through illegal data leaks–, are among the main strategies of fraudsters.

“Technically, it is very difficult for the user to identify whether the email and invoice are fake,” says Assolini.

In the case of false consumer bills –sent to individuals and companies–, even details such as phrases that offer discounts for payments via QR Code are included in the simulation. This type of offer is, in fact, practiced by companies to encourage payment via Pix, as the system reduces costs with bank fees.

In the false charge scheme, as with real accounts, Pix is ​​one of the alternatives. The document also contains barcode and its corresponding numbering.

The instantaneity of Pix gives the criminal the advantage of having the victim’s money in hand before he realizes that he has been tricked and informs the service provider or the bank. “Whoever practices this crime knows that, at some point, their account will be blocked”, says Assolini.

Another fraud strategy identified by Kaspersky offers victims a promotional subscription to an internet streaming platform for movies and series. In this case, the only way to gain access to the alleged promotion is to pay via the Pix QR Code.

Despite the expertise of criminals, it is not impossible to escape these new scams.

According to the Kaspersky expert, there is one piece of information that fraudsters find it more difficult to imitate: the name of the account holder receiving the payment.

Receiver data appears on the screen after the user scans the code. In case of fraud, the account holder will have a name other than the company name. Often, the forger will even indicate the account of an individual.

“The person has to be careful when making the payment, if in doubt, he should not complete the operation, and contact the company that provides the service”, he advises.

According to the guidelines of the BC (Central Bank), it is up to the payment service provider to analyze the case of fraud and the eventual reimbursement, as is the case today in bank fraud.

The BC also informs that there are mechanisms that increase the chance of reimbursement. These are the Pix precautionary block and the MED (Special Return Mechanism).

In the case of MED, upon being notified of the fraud, the financial institutions in which the victim and the fraudster have accounts may open a notification to block the funds.

Once the notice is given, both institutions must analyze the case and, if there is a fraud situation, the funds will be returned, according to the BC.