«Comunicado-BB: There are errors in your access»: this is how the SMS that criminals are sending to cell phone users all over Brazil begins. Their goal is to use the name of the well-known bank to attract clicks. The message contains the address of a website that replicates the look of Banco do Brasil's site. However, it is fake and can steal the user's information.
The situation has become repetitive. To answer the main questions and help you arm yourself against digital criminals, we spoke with the largest banks in the country: Itaú Unibanco, Bradesco, Banco do Brasil and Caixa Econômica Federal. At stake is your security, and how to protect yourself from threats that arrive via SMS.
Fake notice includes a link to a Spanish website (ending in .es) – Photo: Thássius Veloso / dnetc
Banks use special numbers
Digital security experts are unanimous in recommending caution when you receive a message that claims to come from a financial institution. The first step is to look at the phone number the SMS came from. As a rule, the largest companies in the sector use technology that automates the sending of messages. They also adopt a different number format from the one used by landline and mobile lines.
The traditional (xx) 9xxxx-xxxx gives way to shorter numbers. These are the senders most commonly used for communications by the banking conglomerates:
- Itaú uses 24828, according to tests carried out in the newsroom. The company said it did not have a standard, meaning that other numbers could also be used.
- Bradesco has 2370 and 30330, among others. «We use short codes for sending SMS. They are never complete cell phone numbers, but several numbers are used», the bank says in a note.
- Banco do Brasil says it uses 4004-0001.
- Caixa uses the numbers 22492, 28112, 27182, 27104 and 10104.
Santander and Safra prefer not to give details about how they handle automated SMS.
Antivirus developer ESET points out that «banks and other serious institutions generally do not request personal or financial information from their customers by email or SMS». The recommendation is in line with Banco do Brasil, which says it «never asks for passwords».
The largest bank in the country, Itaú, confirms that it sends messages containing the addresses of web pages. The institution points out that every link sent to customers begins with donepra.vc/.
Fake website uses Banco do Brasil brand and asks for bank information – Photo: Reproduction / dnetc
The fake pages ask for important information, such as the account holder's branch number, account number and password. In our experiment, the address supposedly belonging to Banco do Brasil reproduces the organization's brand and offers a menu with account statement and loan, among other options. All of it is fake.
The Brazilian Federation of Banks (Febraban) has a list of 18 security recommendations in the digital environment. Below are the guidelines for smartphone access.
- Do not click on links received through electronic messages.
- Watch out for messages with unknown content, especially if they have files attached or unsolicited links. Pay attention to those that arrive via instant messaging services, chat groups, social networks or e-mail.
- On mobile, give preference to using your bank’s application to make transactions, instead of the bank’s website via browser.
- Do not install applications or open files of unknown origin. They can contain viruses and other harmful programs that stay hidden from the user and allow fraudsters to act on the account, using information captured as it is typed on the keyboard.
Banks invest about R$ 2 billion per year in information technology systems, according to Febraban.
The simple tip of checking the sender's number tends to settle the matter in most cases. Other factors, such as errors in Portuguese, seen in the recent Bolsa Família scam, also give the criminals away. Users should also look at the addresses of the pages. There is a profusion of links ending in .es. That ending is intended for companies based in Spain and is not used by the largest banks in the country.
If you want to confirm the data presented in the SMS, the most viable option is to open the bank’s official application or access the official website.
There are antivirus apps for smartphones capable of detecting whether links redirect to pages with malicious files.
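The checks described in this article (sender number format, link address, password requests) can be sketched as a small triage routine. This is an added example, not part of the original article: the `triage_sms` function, the flag names and the sample messages are constructed for illustration, the sender list contains only the numbers the banks reported above, and `senha` is the Portuguese word for password.

```python
import re

# Sender numbers the article lists per bank. Not exhaustive: Itaú and Bradesco
# both said other numbers may also be used.
KNOWN_SENDERS = {
    "24828": "Itaú", "2370": "Bradesco", "30330": "Bradesco",
    "40040001": "Banco do Brasil", "22492": "Caixa", "28112": "Caixa",
    "27182": "Caixa", "27104": "Caixa", "10104": "Caixa",
}
# Ordinary mobile line: optional country code 55, area code, then 9xxxx-xxxx.
FULL_MOBILE = re.compile(r"^(?:55)?\d{2}9\d{8}$")
# Host names with or without a scheme; loose on purpose (triage, not parsing).
HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
CREDENTIALS = re.compile(r"\b(?:senha|password)\b", re.I)


def triage_sms(sender: str, body: str) -> list[str]:
    """Return the warning signs from the article that this SMS shows."""
    flags = []
    digits = re.sub(r"\D", "", sender)
    if FULL_MOBILE.match(digits):
        flags.append("full-mobile-sender")   # banks use short numbers
    elif digits not in KNOWN_SENDERS:
        flags.append("unlisted-sender")      # may still be real; verify in app
    hosts = [h.lower() for h in HOST.findall(body)]
    if hosts:
        flags.append("has-link")             # Febraban: do not click
    if any(h.endswith(".es") for h in hosts):
        flags.append("es-link")              # ending not used by these banks
    if CREDENTIALS.search(body):
        flags.append("asks-credentials")     # banks do not ask by SMS
    return flags


# Constructed samples: senders, wording and host names are made up.
SAMPLES = [
    ("(11) 91234-5678", "Comunicado-BB: There are errors in your access. "
                        "Regularize: bb-acesso.example.es/login"),
    ("27182", "CAIXA: purchase of R$ 50,00 approved on card ending 1234."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", triage_sms(sender, body) or "no warning signs")
```

An empty result only means none of these signs were found; a listed sender number alone does not prove a message is genuine, so confirming in the bank's official application remains the deciding step.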