The story of a scam attempt against a journalist from São Paulo went viral on social networks this Wednesday (8). She received a call from a scammer who pretended to be an Itaú bank teller and knew all the financial transactions she had made in the past two days.
Marcella Centofanti reported the incident in a Twitter thread. She said she received a call from a supposed bank employee who told her that her account had been invaded and blocked as a security measure.
Describing the situation, the victim said the caller was calm and spoke very clearly. A few minutes later, he asked Marcella to confirm her transactions.
FRAUD WARNING. I almost fell into a Pix scam today. A man called me and said he was an Itaú employee. He said my account was hacked and blocked as a security measure. Clearly and in a calm tone, he asked me to confirm my final transactions (continued)
— Marcella Centofanti (@marcellacento) February 8, 2023
“He relayed what had emerged in the last few days and got into my account. Pix I made and bought with names and values, plus fully automatic debits in cents. My balance. Everything is correct,” she said.
In the posts, the journalist wrote that the scammer instructed her to report the case to the police and create a new password, without sequential numbers or her date of birth.
Enabling the alert
After realizing that her account had indeed been blocked, Marcella also heard from the supposed employee that it had been improperly accessed from two iPhones in Santo André (SP).
After pauses in the call, complete with the classic hold music, the person who introduced himself as the Itaú employee asked the victim if she recognized three deposits ranging from R$9,000 to R$10,000 each. She denied recognizing the transactions, and from then on the situation moved toward a more classic scam.
“He asked me to go to the app’s clipboard to undo the transaction. He asked me to make the same transfer as the iPhone thug in Santo André did, with the same amount, to the same account. That way, the bank would notice the duplicate and cancel the transaction. Only then did I really start to get suspicious. Until then, it looked too round to be a coup.”
Iteration and cancels the operation. ONLY at that point I really started to get suspicious. Until then, it looked too round to be a hit. I argued that this operation made no sense. Since he already gave me the connection protocol, I said (continued)
— Marcella Centofanti (@marcellacento) February 8, 2023
After she refused to make the transfer, Marcella began noticing tension in the scammer, who even threatened her, saying that Itaú would not be liable for the “fraud” if she did not carry out the operation by a certain time.
After the incident, the journalist received the following confirmation from the account manager’s assistant: Itaú does not ask for a transfer to cancel other transfers.
Hopelessness and headache
In an interview with Technology World, Centofanti says the only damage in the whole story is emotional. The criminals couldn’t get the money because she didn’t make the transfer.
“But there is a waste of time, since I had to go to the bank, I wasted time at work, and all this is causing a lot of stress, even cold sores in my mouth. I feel very insecure. I’m constantly checking to see if there’s anyone who gets money from their account, or if they’ve made Pix for other people,” she says.
The journalist pointed out that even the number the call came from looked like a call center number.
The victim stated that she will file a criminal complaint with the police and is looking into what to do next. It was the first time she was subjected to such a scam attempt, and she said she “digested the situation”.
“It is worrying that an unauthorized person has access to someone’s final account information. He [the scammer] gave me the exact data about my statement, even the pennies, the names of the people I did or who made me a Pix. I’m still worried that mine won’t be hackable anytime soon,” she said.
Centofanti also stated that she had complained to Itaú about the incident. The bank’s response was as follows:
“We clarify that as a rule, information about bank account or other transactions is protected by bank secrecy and can only be given to the relevant account holder (or his legal representative/attorney with certain powers or to a third party with express authorization). We declare that we have activated the authorized bodies for analysis and evaluation.”
Other reports
On Twitter, Marcella reported what she heard from the Itaú manager’s assistant: many people fell for this scam. After receiving a phone call from a supposed bank employee who had all of the victim’s transactions in hand, many people made a transfer, supposedly to “cancel” a previous transfer.
In the author’s own thread, there are several other people who said they fell for this scam or who knew a victim of the same method.
“I almost fell over the same blow. I had to format my cell phone, go to the bank, reset passwords and cancel cards. Everything is exactly as you described, in the same details. My bank is BB in this case. According to my manager, there have been many cases like this,” one user said.
same thing just happened to me @santander_br, with the difference they want to release via ATM. I suspected a scam from the very beginning, but having access to my last moves terrified me.
– Turns Off the Last Light (@dandourado) February 8, 2023
“My grandmother fell into a similar scam, the only difference being that the bank was Brazil’s bank and they knew all her bank transaction data but they wanted to change her password on the phone keyboard, you know? In the same call.. somehow she lost more than 5000 in that call,” said another person on Twitter.
“Internal blows, I almost fell for one too. Even the call number itself is masked to be the same as the card. However, after confirming my information, they said that my app was blocked and I was accessing it normally. I will record the next one,” said another young man.
How is such a scam possible?
Technology World spoke with cybersecurity expert Renato Borbolla, who discussed hypotheses that could explain cases like this. Since the situation varies from device to device, with some having more layers of security than others, he listed the following possibilities:
- internal agents: he explained that criminals apply for vacancies at companies, in telemarketing for example, collect information from the system and pass it on to external agents. With the data in hand, the fraud group has enough information to impersonate a bank employee and contact victims for fraud or blackmail.
- phishing: these scams are quite common and work with apps that look real but are fake. People sometimes access what they believe is a service or app, such as a bank’s, and enter their information there. When this happens, cybercriminals obtain the victims’ passwords and at least manage to see their financial transactions, if not move money from the account.
- malicious apps: another possibility is malicious applications. In this case, the apps are fake and contain malware that steals personal information. The expert rated this possibility as less likely, since both Android and iOS have good security protections against this kind of software.
Although he said the fraud was not necessarily caused by a leak, the expert consulted by Technology World did not completely rule out this possibility and said that such situations help fraudsters.
In recent years, the number of personal data leaks has increased significantly, not just in Brazil. In addition to companies, including banks, even public institutions have suffered security issues resulting in the leaking of sensitive information from Brazilians.
“Scammers take advantage of these full-name leaks, CPF, and that sort of thing, as they need at least two pieces of data to correlate and find other data,” says Borbolla.
The expert points out that there are even groups on Telegram where it is possible to type in the “person’s /CPF” to bring up information about someone’s “whole life”, including the mother’s name, where they work, their salary and more.
However, how is it possible to learn about a person’s banking transactions in such detail? “I firmly believe that there is someone on the inside [an internal leaker] who exports the data. So the company cannot detect what is leaking.”
With the data in hand, the scam moves to the “second stage”, which is social engineering. In this case, the criminals contact the victim and use persuasion, either to obtain the missing information needed to carry out the fraud or to ask for money outright, for example by making up stories that this is the only way to reverse a fraudulent bank transaction.
In bank fraud and other types of fraud, it is also important to remember the detail of the fake number. Currently, there are apps that “mask” the caller’s real number.
That is, instead of showing the actual originating number, these apps can show the person receiving the call a number that appears to come from a call center. All this lends more credibility to the criminals’ approach.
Other side
Technology World contacted Itaú to find out the financial institution’s stance on the case. In a note, the bank reported that it is “continually investing in technologies to strengthen systems, applications and information privacy, in addition to strict compliance with all regulatory agencies’ guidelines.”
The company said it has communicated with customers about fraud attempts involving fraudulent call center approaches. “In this sense, it has been clarified that customers’ calls requesting any documents, passwords, records and financial data, making chargebacks or money orders are not the practice of the institution, and therefore, customers should not write or report passwords to the sites in any way. device phone when they are not actively and spontaneously making calls”.
The bank statement also states that customers who receive suspicious calls should hang up and contact either the call center or the manager. Information is available on the institution’s website.
The reporters also asked Itaú specifically about the case of journalist Marcella Centofanti, as well as the other reports on social networks.
On these matters, the financial institution said that all reports of fraud and scams were “internally evaluated in a rigorous and individualized manner” and that “customers have received a response with details about the relevant case.”
Source: Tec Mundo
