EXCLUSIVE: Cyber and financial fraud in the Brazilian arena

Pablo Colombres, CPP, Managing Partner at GIF International explores the threat of social engineering in financial fraud campaigns within Brazil.

In this article we will cover some aspects that make the Brazilian market unique in combating fraud. The use of social engineering and the huge growth of the financial system, combined with advanced technologies, have helped criminals become very effective in the country.

According to the global cybersecurity firm Kaspersky, Brazil sees the highest rate of users targeted for data theft in cyber-attacks. Distributed denial-of-service (DDoS) campaigns, ransomware and several types of phishing are the main challenges cyber professionals must face. Of these, phishing is the most common tool used by criminals, and several other social engineering techniques are also in use.

Social engineering

Social engineering seems to have become a trending topic, but what makes it so threatening? It refers to the art of tricking someone into sharing sensitive information by making the target believe they are dealing with a trusted source. This technique is designed to attack human vulnerabilities and is useful for manipulating a user’s behavior.

In most cases, attackers try to exploit the user’s lack of knowledge on a specific topic to deceive the victim. That is why the most vulnerable population groups are the elderly and people who are not used to technology. Those who engage in social engineering follow a particular attack cycle:

  1. Prepare by gathering open source information
  2. Infiltrate (or hook) the victim by initiating an interaction to build trust
  3. Exploit the victim by advancing on the attack
  4. Disengage (or exit) once they get what they want. Sometimes, social engineering can represent a single step in a larger attack chain.

Phishing attacks

Phishing is often used by social engineers and takes several forms, the most common one being by email. Email phishing uses email communications to deceive a target by making them believe the message was sent by a genuine institution (for example, a bank) or someone the victim knows, with the intent to get users to reveal sensitive data such as financial information or personal credentials.

On the other hand, vishing is a type of phishing that uses voice communication to trick the victims into handing over sensitive information. The outsourcing of call centers in the banking industry is still very common in Brazil, making it difficult to differentiate between fake calls and genuine contact from the bank (or other banks offering services).

Smishing is a phishing attack that uses an SMS as a channel of communication to deceive a victim and gather information. In Brazil, SMS tokens are the most used tool for client authentication, which – although cheap – pose some associated risks. The use of SMS as a factor of authentication may take us to another great player in the Brazilian fraud arena, which is called SIM swap.

During a SIM swap, a criminal convinces a telephone operator to port someone’s phone number over to their new SIM card. After getting access to the line (SMS, contacts, images, apps, etc.), the fraudster gains control of the target’s information, for example, by receiving an SMS token on the new device. The combination of social engineering and SIM swap is highly dangerous and it can lead to huge financial losses.
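As an added illustration (not code from the article or from GIF International), the following risk-policy function shows how a bank's authentication service could stop trusting an SMS token in the window right after a SIM change, which is exactly the window a SIM swap opens. The carrier lookup of the last SIM-change time, the 72-hour cooldown and the sample scenarios are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed example (not the article's or any bank's code). Policy idea:
# an SMS token is only as trustworthy as the SIM it lands on, so a recent
# SIM change or number port should downgrade SMS as an authentication factor.
# The carrier's "last SIM change" timestamp is assumed to be obtainable
# (carrier APIs for this exist but differ; here it is just a field).
SIM_CHANGE_COOLDOWN = timedelta(hours=72)  # assumed policy value


@dataclass
class OtpRequest:
    account_id: str
    phone: str
    last_sim_change: Optional[datetime]  # carrier lookup; None if unavailable
    device_known: bool                   # device already bound to the account
    amount_brl: float                    # 0.0 for a login-only challenge
    now: datetime


def decide_sms_otp(req: OtpRequest) -> str:
    """Return 'allow', 'step_up' or 'deny' for an SMS-token challenge."""
    if req.last_sim_change is None:
        # No carrier data: accept SMS only for a low-risk login on a known device.
        return "allow" if req.amount_brl == 0 and req.device_known else "step_up"
    if req.now - req.last_sim_change < SIM_CHANGE_COOLDOWN:
        # Fresh SIM plus an unknown device plus a transfer is the swap pattern.
        if not req.device_known and req.amount_brl > 0:
            return "deny"
        return "step_up"  # e.g. in-app biometric or branch verification
    return "allow"


def sample_decisions() -> dict:
    """Constructed scenarios (not real customer data) run through the policy."""
    now = datetime(2023, 5, 10, 9, 0, tzinfo=timezone.utc)
    cases = {
        "stable_sim_known_device": OtpRequest("acc-1", "+55-xx-9xxxx-0001", now - timedelta(days=400), True, 900.0, now),
        "swapped_20h_ago_new_device_transfer": OtpRequest("acc-2", "+55-xx-9xxxx-0002", now - timedelta(hours=20), False, 2500.0, now),
        "swapped_20h_ago_known_device_login": OtpRequest("acc-3", "+55-xx-9xxxx-0003", now - timedelta(hours=20), True, 0.0, now),
        "no_carrier_data_new_device_login": OtpRequest("acc-4", "+55-xx-9xxxx-0004", None, False, 0.0, now),
    }
    return {name: decide_sms_otp(r) for name, r in cases.items()}
```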

Finally, there is another modern form of phishing called Whatsing, which refers to the use of instant messaging (IM) as a channel of communication to mislead a victim and gain access to confidential information. IM is very popular within Brazil and is used even as a replacement for SMS, emails and calls, for both personal and professional communication.

Another fraud related to IM is account takeover (where control is gained over an IM user’s account and chats), which lets the criminal engage with the target’s contacts and ask for information, money, bank transactions and delivery of objects in the victim’s name.

Bank transfers

When addressing Brazilian cyber and financial threats, it is important to highlight the enormous growth of the country’s financial system. A large number of digital banks, fintechs, online payments and digital wallets operate in Brazil. During the last regime, the Brazilian Government implemented the use of PIX, a system created by the Brazilian Central Bank and which serves as a successful case study to other emerging markets. With PIX, transfers and payments are allowed from one e-wallet to another in real-time, 24/7, day in day out.

According to the Brazilian Central Bank, almost eight of every ten bank transactions are digital. In 2022, more than 16 billion Brazilian reais were transferred in PIX transactions, involving more than 800 officially registered financial entities. Of those 16 billion reais, it is believed that almost two billion are related to fraud activities.

There are several ways of using PIX for fraud activities. Unfortunately, other forms of crime have also gained relevance during the past years, such as ‘random kidnapping’, which has become very common. This consists of kidnapping a target, isolating the victim and, with the use of violence, forcing them to access their mobile banking apps and make several online bank transactions to a list of fraud accounts.

In some cases, they also coerce the victims to apply for a loan, request money from their family or even open new bank accounts to get more money. The Sao Paulo Police Anti-Kidnapping Unit received more than 115 criminal reports of random kidnapping during 2022, which is a significant increase from the past few years.

Furthermore, bank account rental has become popular for criminals. Organized crime groups will ask people to open new bank accounts with their valid ID and to move money within several accounts, paying some money to the owner of the account who lets them use their credentials. The private sector and public policies have been reinforced to focus on this problem and the Brazilian Central Bank has planned to implement some recommendations to actively combat this type of crime.

Strategies to tackle financial fraud

There are several approaches that can help in the fight against cyber and financial fraud:

  1. Investments from the private sector
  2. Increase in private resources acting as law enforcement liaisons within companies
  3. Creation of public-private partnerships
  4. An update of criminal legislation to prosecute advanced fraud schemes
  5. Training of all actors in the banking ecosystem
  6. Awareness campaigns

A combination of unfortunate facts has helped Brazil to become a leader in cyber-attacks and financial fraud. The increased use of technology by criminal organizations, the efficiency of social engineering and the uncontrolled growth of the banking system have all shaped an environment in which fraudsters can succeed.

Technology might help to make things harder for criminals, but it must be accepted that reaching zero risk is unrealistic. Additionally, because social engineering exploits human vulnerabilities, the best solution is “awareness”.

The challenge is how to raise awareness in an effective way, but it should be a top priority and is the best countermeasure that can be adopted to fight social engineering. Companies must train employees, customers, users, partners and suppliers in social engineering tactics.

Investment in marketing awareness campaigns is critical. Everyone should have access to this information and we must spend time particularly with the elderly and non-digitized people who are the main target of social engineering techniques. Everyone should be aware and double check before sharing information, credentials or sensitive data.

The bad news is that Brazilians are being targeted constantly and sometimes they become victims. The good news for financial fraud investigators is that we are constantly learning, being updated, challenged and forced to think out of the box and, as a result, have become great anti-fraud professionals.

Along with that comes the responsibility to share relevant information with others and find ways to raise everyone’s awareness to curb different forms of fraud.

This article was originally published in the May edition of Security Journal Americas.
