With ‘human error’ and AI, online scams in Brazil show risks are a click away

Art created by Raissa Santos on Canva. Used with permission.

Image by Raissa Moreira created with Canva, used with permission.

In 2024, some well-known journalists and TV hosts of major Brazilian broadcasters appeared in social media videos with different messages. Some stated that individuals who had suffered data breaches by government systems were entitled to receive up to 7,000 reais (around 1,300 US dollars) in compensation. Others said that the same amount could be paid to those who had forgotten money in the bank without knowing. The two stories mentioned a program called “Resgata Brasil” (Retrieve or Recuperate Brazil in English).

The news was too good to be true. The impostors used artificial intelligence to create videos with manipulated images and voices of well-known people, called deepfakes, which encouraged people to provide their personal data by clicking a link. The Brazilian government does not have such a program. The Lupa Agency, which specializes in verification, said, “It is a case of phishing that aims to rob users of their personal data.”

Sandra Annenberg is a journalist whose image was used in these scams. She posted a video on her verified social media profile to report what happened. “They have adulterated a post of mine that I made for [the show] Globo Repórter, and with bad use of artificial intelligence, they added another text with a voice resembling mine. My credibility is being used, one that I have built over more than 30 years in television journalism, for their scams,” she said.

In Brazil, problems related to digital security have become a pressing concern. In an article published at the end of July, Ronaldo Lemos, a lawyer and columnist of the newspaper Folha de S. Paulo, said that every eight seconds, a Brazilian falls victim to this type of attack.

“WhatsApp scams, card cloning, fake links, social engineering, and data breaches have become part of the fate of being Brazilian. Even the Brazilian Payments System was recently the victim of a giant attack. A matter that, strangely by the way, disappeared from the news,” he wrote.

The attacks involving phishing and artificial intelligence are among the most common, not only within the country, according to a report by Gen Digital, a global software company. In South America, the report indicated an increase in threats in Brazil and Argentina.

Data from DataSenado, of the Brazilian Federal Senate, indicate that almost a quarter of Brazilians older than 16 were affected by these digital scams in 12 months between 2023 and 2024, in cases such as card cloning, internet fraud, or vulnerability in bank accounts.

The investigation also says that there is no clear profile of the victims of this crime. “The people who say they have lost money with this crime distribute similarly in proportion to the socioeconomic characteristics of the Brazilian population,” says the text.

Engineering of a scam

The success of the Resgata Brasil scam relied on a data breach caused by human error — that is to say, when the users themselves give their information to the perpetrators. It is one of the most common types of data breaches, explains Fabíola Maurice, a specialist in cybersecurity for the Guardian Project.

According to her, this type of error can also be seen when users accidentally give their private information to the wrong recipient or post it publicly without realizing. In the case of Resgata Brasil, the perpetrators exploited the trust that victims had in individuals featured in videos and on websites designed to mimic official sites, which used the federal government’s logo to further deceive people.

On YouTube, the channel Detetive Digital posted a video warning about the scam, which has more than 77,000 views. Comments from users include: “I just fell for the scam,” “I almost fell for it,” and “Thank you for the warning.”

Scams in Brazil

Brazil ranks seventh in the world among countries with breaches of user data. This analysis comes from Surfshark, a global cybersecurity and digital privacy company. In Brazil, there were 24 times more data breaches in 2024 compared to the previous year.

The newspaper Valor Econômico cites another report published by the website Itforum, which shows that the country leads in the “leaks of cookies, with seven billion records of Brazilian users found in the dark web.” As Maurice warns, once a person’s data is leaked online, it will be accessible to impostors forever.

“The most important thing is whenever you are connected to the internet, you must pay attention and question your activities, who you are giving data to, and how secure your passwords are,” she says.

In January 2024, through the Brazil Against Fake program, which addresses fake news related to the federal government, the Office of Social Communication issued an alert against scams that use websites and government policies. A channel was opened for reporting.

In an email exchange with Global Voices, the Authority for the Protection of Personal Data (ANPD) said that it is working to promote the security of personal data through rules and guidelines, and to audit and apply the General Law of Protection of Personal Data (LGPD).

To guarantee greater protection of personal data and avoid harm to its owners, the ANPD says that it will supervise through reports, petitions from owners, and investigations of incidents reported through the media. There are also conferences to clarify the obligations of the regulator regarding the security of information and collaboration with entities to educate and inform agents on the responsibilities of managing personal data.

Anyone who believes their rights have been violated can file a complaint with the ANPD in the form of a report or a petition.

“Reports related to security incidents received and analyzed by ANPD are intrinsically related to the privacy of personal data, considering that only when there is an incident of compromised personal data should it be reported to the ANPD,” says the federal entity.

As of August 11, the ANPD’s incident panel had registered 250 reported cases.

Tips for protection

To mitigate the risk of scams, Maurice offers security tips that can and should be adopted by anyone who uses social media or navigates the internet.

    • Use strong passwords: repeated passwords or obvious ones, like sequences such as “1,2,3”, can facilitate account invasions. Opting for passwords with 12 characters that combine lowercase and uppercase letters, as well as special characters, makes it harder for a criminal to act and increases by thousands of years the time an algorithm needs to decipher the password.
    • Avoid repeating passwords: in case of a data breach, other accounts that were not compromised remain more protected.
    • Use a password manager: this allows users to save their information in a protected file. Even if someone accesses the device, they cannot fully access the data without deciphering the master password.
    • Activate two-step verification or multi-factor authentication: as the name suggests, two-step verification allows the user’s identity to be verified more than once. If there is suspicious activity, a warning email will be sent, and the access will have to be verified.
    • Verify that the URL begins with “HTTPS”: secure navigation is shown by an “s” at the end of “http” at the start of the website’s address in the address bar. If it is not there, it is best not to trust the site.
    • Observe whether the name of the website is correct: websites that simulate official pages generally have a name with a missing letter, or with words or numbers that feel strange in the context.
    • Check whether the information is actually truthful: it is fundamental to be suspicious of anything that looks very appealing. You must carefully analyze offers with very low prices, ads promising to pay large amounts, or even gifts.
This article is part of a four-part series analyzing digital security incidents in Latin America, offering recommendations on how to mitigate them. This series was possible thanks to Derechos Digitales’ Quick Response Fund.
