Brazilian Pix Payment Network: A Case Study in “Faster Payments, Faster Fraud”

The term “sequestro relâmpago” (“lightning kidnapping”) first appeared in Brazil in the 1990s.

“Lightning kidnapping” was coined to describe a particular kind of violent crime in which people would be nabbed off the street and coerced – often at gunpoint – to withdraw cash from a nearby ATM.

Instances of this type of crime had fallen in recent years. Then, Brazil introduced its lightning-fast Pix payment network, and cases of lightning kidnappings went up again.

So, what’s the correlation?

Fraud and crime always go hand-in-hand with new financial technologies. Any time a new payment method – checks, credit cards, digital payments, whatever – emerges, criminals find a way to exploit them.

“Bad guys are attracted to speedy payments,” financial writer J.P. Koning points out. “The faster the better. As a consequence, faster payments usually means more crime. Any increase in crime is unfortunate, but societies generally tolerate at least some of this increase because the benefits of real-time payments more than outweigh the costs.”

When the Central Bank of Brazil rolled out the Pix money transfer network in 2020, the benefits and the costs of that system quickly became clear. Brazilian consumers adopted Pix payments quickly, and criminals responded in kind.

Below, let’s explore what Pix is, how it works, and how companies doing business in Brazil can protect themselves against Pix fraud.

What Is Pix in Brazil?

Pix is a state-owned method of payment that’s available to Brazilian citizens. Its innovation is how it connects many existing means of payment (e.g. credit cards and interbank transfers) and then significantly upgrades the user experience.

If you have a Pix account, you can transfer money to other people or businesses without knowing their account details. A phone number or a QR code is sufficient. Payments are settled in real time, and the network operates 24-7 to connect banks, fintechs, financial institutions, businesses and individual consumers.

The speed, ease and low transaction costs (about 0.22 percent) have already made Pix the go-to payment method for many Brazilians. Within six months of Pix’s launch, its adoption rate had already exceeded that of bank cards and credit cards domestically.

“In a nation where citizens had long struggled with traditional banks’ slow – and costly – digital payments systems, the instantaneous Pix technology was hailed as a game changer,” Financial Times’s Brazil bureau chief Bryan Harris reported in September 2021.

“Almost 100m Brazilians have adopted the platform for paying bills and transferring cash.”

How does Pix work in Brazil?

Pix operates similarly to domestic payment networks in other countries, such as Zelle in the United States or Bizum in Spain. However, there are certain limitations and user behaviors that are unique to Pix.

To use Pix, you must register an address key. This is your account’s unique identifier.

The address key can then be associated with a phone number or an email address. This allows Pix to integrate with communication apps like Whatsapp, where it’s possible for Brazilians to send each other money via the Pix network.

Any financial institution or fintech in Brazil has the option of offering Pix payments to its users. In fact, financial institutions with 500,000 or more users are obligated to do so.

How Criminals Scam Pix Users

Back to the kidnappings for a moment. Brazilian officials reported a 40-percent increase in the number of lightning kidnappings during the first half of 2021, the Financial Times says.

The crime has a new twist with Pix. Now, criminals abduct the victim and force them to make a Pix transfer. 

Lightning kidnappings aren’t the only crimes Pix users face, however. Other scams include the following:

• Authorized push payment fraud. This is when fraudsters gain a victim’s trust by pretending to be a friend, a loved one, a business or some kind of official and convince the victim to Pix them money.
• Fake supplier scams. This is when criminals create accounts with digital banks under the names of fake companies. Usually, the fake company name is a misspelling of a known company (e.g. “Gooogle”). The scammers then reach out to other businesses and ask that the accounts payable team update payment information to the scammers’ Pix account.
• Session capture. This is when a fraudster sends a file to a victim that, when opened, unleashes a virus on the victim’s computer that monitors their activity. When the victim goes to their bank’s website, the file captures the banking credentials and relays that information to the sender of the file.
• Whatsapp cloning. This is when fraudsters clone a victim’s Whatsapp account, which is remarkably easy to do. From there, the fraudster can then start messaging the victim’s contacts and ask them for Pix transfers.

How Has the Brazilian Government Responded?

The Brazilian central bank has reiterated that “all Pix operations are traceable,” and therefore money stolen via theft, coercion or scam can be tracked down – at least in theory, if the institutions involved want to take that responsibility.

Further, the central bank has introduced mechanisms for throttling transfers. In August 2021, it announced several measures, which included a limit on the value of transfers made between 8 p.m. and 6 a.m., when most kidnappings occur, and a feature that allows individual users to limit transfer amounts.

Crime continued its surge, however, and in December 2021 a bill was proposed by the São Paulo Legislative Assembly to curb all Pix activity “until the Brazilian Central Bank introduces mechanisms to ensure consumer safety,” Angelica Mari at ZDNet reported at the time. 

Tips for Protecting Your Business When Using Pix

Pix activity has not been curbed, however, and adoption continues to grow. It therefore behooves businesses with operations or customers in Brazil to get familiar with Pix payments, and understand how to stay safe when using the system.

Certain best practices are universal and not unique to Pix:

• Don’t share personal data on social media. Scammers can use that data in social engineering operations.
• Don’t write down passwords or record them somewhere on a device (e.g. phone, laptop).
• If a request for payment seems a little off, investigate. Call the person making the request to make sure their account hasn’t been taken over. Check business names and account information to make sure you aren’t about to pay an invoice to a fake company.
• Ensure your employees know how to recognize common scams.
• Work with financial institutions that invest in robust fraud-prevention tools. Our list of providers can be helpful in cross-checking a financial institution’s ability to combat fraud.

Further, there are some Pix-specific best practices to adopt:

• Only use your Pix key on your bank’s website or app.
• If you have multiple Pix keys (you can have up to five), connect them to a single account.
• Don’t register a key or a transaction over a phone call.

Finally, keep in mind that Pix is only a two-year-old network. Fraud detection and fraud prevention will evolve alongside the network itself to make it safer. At the same time, more and more Brazilians will adopt Pix, and its popularity could help facilitate a new boom in South American e-commerce. 

If businesses take the proper proactive fraud mitigation actions, there are plenty of reasons to be optimistic.