#152: Fraud in Pix and the evolution of anti-fraud infrastructure: A system struggling to contain billions in scams
W FINTECHS NEWSLETTER #152
👀 Portuguese Version 👉 here
👉 W Fintechs is a newsletter focused on financial innovation. Every Monday, at 8:21 a.m. (Brasília time), you will receive an in-depth analysis in your email.
Become a paid subscriber and get access to all editions
This is a deep dive edition exclusive to paid subscribers. If you want to keep accessing in-depth analyses like this one, consider supporting it with a monthly contribution of BRL 25 per month (~USD 4.50). By doing so, you not only unlock full access to exclusive editions, but also help sustain the continuity of independent and profound content in the fintech space.
The Short Takes, Fintech Frames, and FinOpen editions will remain free, with occasional exceptions when some Fintech Frames editions are reserved for paid subscribers.
What will you read in this edition?
How Pix's success also fueled the rise of fraud in Brazil
What the main types of scams are and why social engineering is so effective
What MED 2.0 is, how the GRAF tracking system works, and the role of DICT
Why the institutional response is still uneven between large banks and fintechs
How social factors worsen user vulnerability
What Brazil needs to do to lead not only in payments but also in digital trust
The convenience brought by real-time payment systems is, clearly, their greatest virtue. Simplicity combined with instantaneity ensured a promising adoption curve. That was the case in India with UPI, and it has been the case with Pix in Brazil. Created by the Central Bank in 2020, Pix quickly became a public payment infrastructure that combined speed, near-zero cost, and financial inclusion. In less than three years, more than 150 million Brazilians had already used the system, radically transforming how money circulates in the country, from neighborhood shops to major online retailers.
But every public infrastructure carries a paradox. The more successful it is, the more critical it becomes. And the more critical it is, the more vulnerable it becomes to fraud. Instantaneity, which is the soul of Pix, also became its greatest weakness. In the past, scams required clicks, fake emails, or tampered invoices. Now, just a few seconds and a moment of distraction are enough for an irreversible transfer to occur.
The rise in Pix-related fraud has followed the tool's own success. In 2023, it is estimated that R$ 2.5 billion were lost to scams involving the system. Platforms like WhatsApp and Instagram became preferred channels for criminals, while social engineering became highly systematized. The most alarming statistic is that over half of the scams are executed in less than nine minutes, according to information from the Central Bank.
Efforts to fight fraud have advanced, but not enough. The Special Return Mechanism, known as MED, was one of the first attempts at a response. Over time, the system evolved into MED 2.0, which incorporated graph-based tracking and chained blocking.
In this edition, I will explore the key mechanisms behind this phenomenon. First, I will present the anatomy of the most common scams. Then, I will dive into the weaknesses and advances in anti-fraud infrastructure, from MED to DICT (the Central Bank’s system for storing and managing Pix keys, as well as enabling queries and notifications between participating institutions), highlighting how the technology created by the Central Bank to track and block money in real time works. This system, to be launched in 2026, is called GRAF. Based on directed acyclic graphs, it will be able to automatically map the financial movement trails from a root transaction. By identifying the paths along which the funds are dispersed, the graph will allow DICT to coordinate successive blocks on suspicious accounts using statistical criteria.
Next, I will discuss how fraud reveals deeper social issues and why the problem is, above all, systemic. Finally, I will outline the possible paths for Brazil not only to fight fraud, but to lead a new digital trust architecture in instant payment systems.
My aim here is to show that, although Pix is a success, there are still important factors to consider, and that every technological innovation, no matter how fascinating, also carries the cultural legacy of the country in which it was created.
Anatomy of a Pix fraud
Fraud involving Pix does not begin with a technical failure, but with a human one. It is built on fear, urgency, misplaced trust, and misinformation. Instead of exploiting system vulnerabilities, fraudsters have learned to exploit people. The vast majority of scams are based on well-executed social engineering. A link sent via WhatsApp, a phone call with a sense of urgency, a fake Instagram profile, or a conversation simulating technical support. In Pix-related fraud, the focus is not on hacking an account but on persuading a person.
These scams often involve transfers made consciously but under coercion or deception. This is what experts call authorized payment fraud. The victim presses the buttons, enters the password, and confirms the operation. The system treats it as a legitimate transaction, but behind it lies emotional manipulation, veiled threats, or false promises. It’s no surprise that crimes like express kidnappings, WhatsApp cloning, and fake invoices remain among the most common.
After the social engineering stage, a network of mule accounts comes into play. The funds are split and quickly redirected to other accounts across different institutions within minutes. Each link in the chain makes tracking more difficult and speeds up the draining of the funds. In many cases, these are front accounts belonging to individuals who rent out their personal data, often without knowing they are participating in a criminal scheme.
This, I believe, is the greatest cost of being at the forefront of financial innovation: we also become fertile ground for the sophistication of digital crime. The scale of fraud is striking. In 2023, there were over 750,000 requests submitted to the Special Return Mechanism, but the recovery rate still hovers around 15%. Meanwhile, fraudsters continue to test new methods. The asymmetry between the response time of institutions and the speed of scams remains one of the system's major bottlenecks.
Pix’s anti-fraud infrastructure
When the first reports of Pix-related fraud began to scale in 2021, the institutional response had to be swift. The system’s instantaneity, which was its greatest strength, also revealed itself to be a major challenge. With settlement occurring in seconds and no option for automatic reversal, any response to fraud had to be systemic, standardized, and coordinated among institutions. It was in this context that the Special Return Mechanism, or MED, was introduced.