Deutsche Welle (https://istoedinheiro.com.br/autor/deutsche-welle/), 08/27/2024 – 6:00

Having lived in Germany for five and a half years, architect and urban planner Rita Buoro, 52, often uses her phone and messaging apps to talk to her family in Brazil. In January, someone using Rita’s photo contacted her mother via WhatsApp, asking for help buying an apartment. The conversations lasted two weeks, and, thinking she was communicating with her daughter, the 82-year-old transferred around R$23,000.

It was a scam. The person on the other side of the screen was not Rita, but the messages gained credibility due to one detail: the number used had the German international dialing code (DDI), +49. “I was in a fragile moment, getting separated, so I was talking little to my family in Brazil. There was also the issue of the time zone, which prevented immediate communication,” says the architect and urban planner.

Attempted financial fraud via messaging apps or phone calls was the most common type of internet and property crime in Brazil last year, according to data released this month by the Brazilian Public Security Forum (FBSP). This type of fraud affected around 26% of the population and caused losses of R$25 billion to Brazilians. There were around 4,500 victims so far. However, only three out of every ten victims filed a police report.

Rita’s case, however, reveals another side to this type of practice: it is also affecting Brazilians living abroad. DW spoke to at least five people and received reports of a dozen cases in which fake numbers were created, with country codes from Germany or the United Kingdom, to deceive the relatives of expatriates. In all cases, the criminals used real photos, taken from Facebook and Instagram, to create WhatsApp accounts and start conversations with relatives in Brazil.

“We have many reports of customers falling victim to this type of scam. People have frequently sought us out for guidance [on what to do],” says Delaine Kühn, a Brazilian lawyer working in Germany.

This type of scam became the talk of the family group of 38-year-old geographer Ricardo Paris last week. Using an old photo of him that was on social media, a number with the UK international dialing code (+44) contacted the geographer’s mother, uncle and two cousins. The person claimed to be having a problem with their bank account and asked for help making a transfer.

Ricardo has been living in Bochum, Germany, for about two and a half years and barely spoke to some of the relatives who were contacted. That same week, his brother also had a photo used, this time with a number carrying the German dialing code. No one transferred any money. “It was certainly a Brazilian, with an English phone number, who knew about my degree of kinship, although I didn’t put these ties in my contact list or on social media,” says Ricardo Paris.

Between December of last year and April of this year, program manager Rafael Gonsalez, 27, had his photo used by two international numbers. The first time, a US number was created (DDI +1), while the second time, a German number was used. In both cases, the target of the request for money was his mother, who is in Brazil. The amount requested was R$6,700. “My mother started trying to get the information. I contacted them, tried to talk to them, but they blocked all of us and stopped sending messages,” he says.

How criminals act

According to cybersecurity experts, criminals can be operating anywhere in the world. They take advantage of tools available online to create fake numbers without necessarily purchasing a SIM card or registering with a carrier – or even being in the country to which the number is linked.

This practice is known as spoofing and is characterized by the use of technologies capable of altering the numerical code that identifies a landline or mobile phone, to hide an identity behind a call or message. This use does not necessarily have a criminal purpose; it can even be a digital security precaution. However, the National Telecommunications Agency (Anatel) says that the technologies have been frequently used to commit fraud and scams. The agency does not have statistics on the practice.

In app stores, there are tools available that allow you to create a disposable phone number with a foreign code, known as a burner number, for around five dollars a month. Through these tools, you can send messages or make calls without revealing your identity.

Calls are made via VoIP services, an acronym for Voice over Internet Protocol, a technology that allows voice calls to be made between computers or between computers and conventional telephones, and is used on platforms such as WhatsApp, Facebook Messenger and Skype. This technology was created to hide company extensions from customers and became more widely used during the COVID-19 pandemic, when employees were allowed to make work calls using their private cell phones.

“For an operator, it is very difficult to tell whether a spoofed call is from an employee or a criminal. Since the numbers can be generated with apps, we also have no way of collecting cases,” says Christian Fischer, a spokesman for telecommunications company Deutsche Telekom. In Germany, there is a law that obliges operators to suppress numbers if they identify misuse of the German prefix.

Anatel said it has been working in cooperation with public security and justice entities, as well as private companies, to combat and prevent fraud related to the provision of telecommunications services. The entity is testing a solution for identifying and authenticating telephone calls that is already used in the United States and Canada. For now, the tests are restricted to users selected by the providers.

Investigating crimes is not easy

There is no compiled data available in Brazil or Germany that attests to the number of financial scams involving phone numbers with fake international dialing codes. This is partly because most victims do not file a formal complaint, but also because of the inherent difficulty in identifying the origin and location of the criminals.

A survey conducted by the State Criminal Investigation Office of North Rhine-Westphalia, Germany, where Ricardo and Rita live, shows that between January 2023 and August 19 of this year, seven Brazilians reported having been victims of this type of scam. In Germany, this type of crime is classified as fraud, with a penalty of up to five years in prison or a fine.

In Brazil, these cases are considered fraud, for which the penalty ranges from four to eight years in prison. DW contacted the civil police and state public security departments, but only the Tocantins department responded saying it had already registered incidents using international numbers.

Filing a police report is important, say police authorities in both countries, even though it can be difficult to track down the criminals. The use of phones with foreign identification codes gives these crimes a transnational character, as the victims and criminals may be in different countries, which requires coordination between investigators.

“We try to locate the originating providers, but this takes time and much of this data disappears within about two weeks,” explains Daniela Dässel, spokeswoman for the State Office of Criminal Investigation for North Rhine-Westphalia in Germany.

According to prosecutor Janaína Cristina de Almeida, from the Public Prosecutor’s Office of the Federal District and Territories (MPDFT), the difficulty does not diminish if the action is commanded from national territory. “Even so, the investigation depends on judicial measures such as breaking banking and data secrecy. Furthermore, this investigation will often be interstate, considering that the scammer will rarely live in the same place as the victim, which makes police work difficult,” she states.

When the conversation progresses and data such as the PIX code is provided, it is easier to find the origin of the scam. In the case of Rita Buoro, the number used to speak to her family was in Germany, but the contact was all in Portuguese and the PIX account was linked to a Brazilian. With the person’s CPF and name mentioned in the messages exchanged using the fake number, for example, DW reached a person who runs a freight company registered at an address in Complexo da Maré, in Rio de Janeiro. Rita tried to report the case in Germany and even sent screenshots to the police, but the case did not go forward.

With the bank account details sent to Rafael Gonzalez’s mother, DW found links to a person who, according to the Transparency Portal, is from Rio de Janeiro.

Data exposure and leaks favor scams

Regardless of the technologies available, it is the information that victims themselves make available online that gives the messages credibility. “They [the criminals] use human gaps to search for private information, such as links between people, workplaces, addresses, preferences and tastes,” explains Martina Lopez, computer security researcher at ESET Latin America.

Lopez points out that it is possible to discover passwords using data such as birth or marriage dates, and friendship or family ties can be discovered through photos. Participating in social media groups for Brazilians living abroad also gives scammers a lead.

Lawyer Juliana Makalima, 32, who lives in Germany, suspects that it was through a Facebook group that they obtained the information they used to try to scam her mother, who lives in Brazil. “They used my Instagram photo, created a number here in Germany, and even took screenshots of my stories to make the conversation more credible,” she says. The family managed to communicate with each other before the scam was carried out.

In addition to voluntarily published information, cybercriminals also take advantage of leaks from databases of private companies or the government. According to the Center for Prevention, Treatment and Response to Government Cyber Incidents (CTIR Gov), in 2024 the Brazilian government registered 3.7 thousand incidents related to data leaks. This was the main type of cyber incident registered by the agency in the year.

A Cybernews survey in January showed that data from 223 million Brazilians, including deceased individuals, was leaked, including their full names, date of birth, gender and Individual Taxpayer Registry (CPF) number. A similar mega leak had already occurred in 2021. In April, the Central Bank revealed that more than 3,000 PIX keys belonging to Banco do Estado do Pará SA (Banpará) customers had been exposed.

The Central Bank has recorded at least 13 incidents involving PIX data since 2021, eight of which have occurred this year alone. “These fragments of information are enough for criminals to identify and approach other people associated with the victim without having to interact with them directly,” says Martina Lopez.

In Brazil, the General Data Protection Law (LGPD) states that agents processing personal data must adopt technical and administrative security measures to protect this information from unauthorized access. This includes financial institutions and social media platforms. “There is also a need for constant updating of regulatory frameworks on the subject, which must require banks to make this constant effort to ensure security, as well as define their responsibilities and obligations,” says Leonardo Carvalho, a researcher at FBSP.