How can banks help fight Pix scams?
A specific type of scam involving scheduled transactions in Brazil’s instant payment system shows how institutions play a fundamental role in combating fraud.
Launched at the end of 2020, Brazil’s instant payment system, Pix, saw its adoption grow exponentially, reaching nearly 15 million companies and almost 150 million individuals (85% of Brazilian adults). Operating 24 hours a day, 7 days a week, with transactions completed in seconds and completely free of charge for transfers between individuals, Pix has been crucial to the greater financial inclusion of Brazilians [1]. But the same reasons behind the system’s success are what attract fraudsters and scammers.
Although Pix’s fraud rate is low — with an average occurrence of just 0.007% of total transactions, according to the Central Bank — the impact of scams on the population’s perception is considerable, given the system’s popularity.
In any case, the regulator has prioritized security measures at all stages of Pix’s development [2]. The matter is addressed by the Strategic Security Group (GE-Seg), a group bringing together the regulator and the entities representing banks and fintechs. Among the improvements to the system’s security mechanisms already launched [3] are:
- Allowing users and institutions to customize transaction caps, limiting them to smaller amounts at night;
- Enabling preventive blocks, that is, allowing institutions to preemptively and temporarily block funds transfers if they suspect fraud;
- Introducing the so-called Special Return Mechanism (MED, in the acronym in Portuguese), which speeds up reimbursements for victims of scams or operational failures after reporting — before MED, the refund processes were “manual,” depended on communication between users and the bank, and had no defined protocol;
- Reinforcing anti-fraud and data protection rules and mechanisms in the Transactional Account Identifier Directory;
- And starting this year, not only will the police and authorities have direct access to system data for investigations [4], but institutions will have to share information about fraud with each other.
Pix Scams Continue to Multiply: A Case Study
Despite the measures described above, Pix continues to be used by all types of scammers and criminals, even for purposes that do not result in actual fraud within the system. One of the main examples of this is the ‘Scheduled Pix Scam,’ where the scammer makes a purchase and shares the supposed proof of payment with the retailer. The receipt, however, is for a scheduled transaction, that is, a Pix transfer set to take place later, on a certain day and time. Shortly after picking up the product, the scammer cancels the scheduled payment, and the payment never takes place.
Thinking about this type of scam, which mainly harms small and medium-sized businesses, I decided to investigate what kind of experience eleven leading institutions, including large banks, fintechs, and digital wallets, offer when scheduling a payment via Pix.
I’m no design/UX expert, but it’s crystal clear to me how confusing these receipts can be. I learned that Pix’s “scheduling receipt” (i.e., the document that proves that a payment has been scheduled) is often too similar to an actual “transfer receipt” (issued after the transaction has been completed), making it easier for scammers to deceive merchants (look at the examples below).
Looking at the eleven institutions tested:
- Will Bank is the only one with a straightforward design (color) differentiation between scheduling and transfer receipts.
- Only BTG and Itaú’s Iti have a warning saying that “this receipt is not a guarantee of payment.”
- All other players (see Santander example) use the same design structure on both receipts, with differences only in the text, which can easily go unnoticed by users.
For now, there is no better way to avoid this scam than for merchants to check their bank accounts to see if the transaction took place before handing over the product. On the other hand, there is a lot of room for the regulator and the institutions to work on a better user experience for Pix’s scheduling and transfer receipts.
The Central Bank’s UX regulation — the so-called Minimum Requirements for User Experience — establishes that “if the paying user schedules the payment, the payment service provider must make the scheduling receipt available, expressly highlighting that it refers to a scheduled Pix transaction.”
But “expressly highlighting” is something subjective. I believe that the authority could improve these differentiation requirements to standardize new receipt models, establishing clearer layout differences.
I also think that the Central Bank and the institutions could create alternative models for validating Pix transactions. I know that more layers of security can get in the way of what Pix does best: instantaneity. However, I believe finding a middle ground for the good of users and the system is possible.
1. Gil, Pedro. “Efeito Pix: Brasil Avança Em Ranking Mundial de Inclusão Financeira.” VEJA, October 2023.
2. Banco Central do Brasil. “Fórum Pix debate a agenda de melhorias contínuas na segurança e divulga o cronograma definitivo do Pix Automático.” 2023.
3. Banco Central do Brasil. “Pix Management Report – Conception and first years of operation – 2020–2022.” 2023.
4. Garcia, Nathalia. “Polícias Terão Acesso Automático a Dados Cadastrais de Usuários Do Pix Sob Investigação, Diz BC.” Folha de S.Paulo, August 23, 2023.