Tangentially, in the documentary The Fog of War, Robert McNamara describes how accounting at Ford was so messed up that they had to weigh the invoices to estimate expenses. So this got me wondering if crooks don't just mail false invoices to large firms in case some pay without checking.
> So this got me wondering if crooks don't just mail false invoices to large firms in case some pay without checking.
They do
Example: a company I knew (in Canada) displayed some fake invoices for "IP/Trademark registering" in Europe, of course the payment was optional, but if you don't pay attention it gets payed
In my previous companies in Italy we received multiple times requests to renew the registration on some kind of internet company registry in Germany. Fortunately the accounting dept asked us in IT "what's this / should we pay it?" and we directly sent those letters to the trash.
Or, for that matter, debt collection agencies sending notices for expired debt, and having small-print at the bottom explaining that you are under no obligation to repay this, but if you respond and/or make a payment, they'll be able to go after you for larger amounts. (I have one on my desk. I might frame it for when I need to look at something and have a chuckle.)
One of the scams involves looking up WHOIS for thousands of domains and sending false domain renewal bank slips ("boletos"). Some will pay and never notice it's a scam.
What the article describes is a more sophisticated method using a malware though.
This has been happening in Brazil for years. They use several methods: boletos for inexistent taxes, internet domain renewals, "social contributions" and others.
They make them look very legit: one we received even mentioned real legislation that said that a certain type of contribution(very similar name to what was on the boleto) was obligatory. We had to take it to our accountant, and he instantly found the fraud.
They also have access to Brazilian whois data somehow. The official whois is protected by captcha, but they're able to obtain the whois database via some other method and then snail-mail boletos to millions of domain owners using their real personal data. It looks very convincing.
The sheer amount of such fake boletos that arrive in the mail every month indicates that this may be a successful scam after all.
That happens a lot after you incorporate a company here. The day after you fill the forms to create a company you start to receive these bills pretending to be something you have to pay. From associations, unions and similars.
The point is that in this particular case it is a "legal scam". There is nothing illegal to pay to your company be part of an association or union. So they send you a "boleto" that looks like something official, and if you don't consult your accountant, you will think you should pay. Even your company's address is open to the public when you incorporate. You pay because at least one of these boletos you actually must pay, it is a municipal fee (an inspection fee, even though the municipality will never actually inspect your office, unles there is some complaint). Also there is some mandatory payment to unions, but only when you hire an employee.
Of course these "associations and unions" don't actually do anything for you. They just exist to get money from entrepreneurs based on all the misinformation and bureaucracy that exists to open a company in Brazil.
I recall that the association / union boleto we received was meant exactly for joining a union of some sort.
And you are absolutely correct: the minute you go formal in Brazil, you become a target for all kinds of scams. I believe all data should be public in a democracy, but they should be public in a way that the person who queries it should identify somehow. That way they would know who downloaded the entire database and would have control of suspicious activity.
I admit I initially upvoted because of the alliteration. Then I read the article, which was quite interesting (even more so because I'm Brazilian). Then I wanted to upvote it because of its content, but I no longer could. Which made me sad :/
After getting a trademark in the US I got bombarded with fake Invoices from companies claiming I have to pay or I will loose the right to defend or even keep my trademark.
Shameless plug: I recently created a boleto management iOS app called Zebra (http://zebrapp.co/) If you're brazilian and are looking for a better way to handle and pay your boletos, I think it can help you.
The first comment in the article (from someone who has clearly never left his hometown or is a five year old in disguise):
"Brian, do you know why Brazilians would choose to use Boletos if they aren’t subject to chargebacks? It seems like a silly thing to do, especially when credit cards are acceptable forms of payment practically anywhere."
They say it doesn't happen to mobile, but I'm not sure what happens if you root your phone and/or install allow apk install from "untrusted" sources in the Dev Opts.
This kind of scam is old, but there are many, like local DNS redirect, keylogging / input-logging, maybe even a piracy web-browser.
I know some of them can be pretty aggressive, going as far as installing a "root kit" on the machine. At some point one of these plugins conflicted with a Windows 7 update, and caused the affected machines to crash at boot: http://gizmodo.uol.com.br/bug-windows-7-solucao-e-causa/
So many comments asking why people don't use credit cards. The easy answer, already told, is that many Brazilian people don't have bank accounts or credit card.
This is only half truth and probably not relevant to the case here, as the malware in question will only affect people accessing their bank accounts through the internet.
The "boleto" system is actually a very nice way to handle payments. The boleto mostly substitutes mailing checks: the company I owe send me the bill with a numeric code (and a corresponding bar code for convenience), and I can use this code to pay the bill at a bank, supermarket, lottery houses or, of course, directly from my bank account through the internet or ATM.
A boleto is different from a account deposit because each boleto is unique: the code identifies who that specific boleto was sent to, so payment processing is done automatically. No out-of-band bank codes or check handling involved.
Boletos are used in several contexts where a credit card is not appropriate, such as paying the credit card bill. However, it may substitute credit cards sometimes: an online commerce outlet will happily generate a boleto for you to pay instead of paying with credit card. You can then pay for you purchase without revealing personal information, having a credit card or sending checks by mail.
Actually, paper checks are very, very rare in Brazil nowadays, even in business contexts. Most retail business won't accept them anymore.
Also, when you pay a boleto, you get an timestamped authentication code proving you paid it. The company can't allege the check was incorrect, for example. The code may also carry the amount to be paid and/or expiration date, preventing payment of the wrong value of after the due date.
This is actually a very functional system that credit cards cannot completely substitute, even if everyone had a bank account or credit card.
The banks can make available to the retailer a machine-readable file containing all the boletos received in the last day (using Febraban's CNAB 240 format, or the older CNAB 400 format). This allows the payment confirmation to be automated.
we have a government that listened a little to the people and didn't allowed for banks to own all money like in the US.
in the US you're forced to pay credit card fees (usually on the vendor side, so it's included in the price for everyone, even non cc users, as to not tarnish the reputation of the cc operator charging the fee). there's no way to buy online in the us without paying that.
in Brazil and other civilized counties you can use a payment number, which is like a temporary deposit account number that identify the person providing the funds. and it can't cost extra.
Having a numbering for a specific account is also possible with Brazilian boleto system, but it is common only for credit cards, which can be paid at any time and at a wide range of values.
Gas and phone codes are always bill-specific. However, if you pay a boleto like this twice, the provider will be informed and generally will give you the chargeback in the next bill. I have already used this as a trick to pay a bill when I was travelling and wouldn't get the most recent bill.
27 comments
[ 3.1 ms ] story [ 62.2 ms ] threadThey do
Example: a company I knew (in Canada) displayed some fake invoices for "IP/Trademark registering" in Europe, of course the payment was optional, but if you don't pay attention it gets payed
Or, for that matter, debt collection agencies sending notices for expired debt, and having small-print at the bottom explaining that you are under no obligation to repay this, but if you respond and/or make a payment, they'll be able to go after you for larger amounts. (I have one on my desk. I might frame it for when I need to look at something and have a chuckle.)
One of the scams involves looking up WHOIS for thousands of domains and sending false domain renewal bank slips ("boletos"). Some will pay and never notice it's a scam.
What the article describes is a more sophisticated method using a malware though.
They make them look very legit: one we received even mentioned real legislation that said that a certain type of contribution(very similar name to what was on the boleto) was obligatory. We had to take it to our accountant, and he instantly found the fraud.
They also have access to Brazilian whois data somehow. The official whois is protected by captcha, but they're able to obtain the whois database via some other method and then snail-mail boletos to millions of domain owners using their real personal data. It looks very convincing.
The sheer amount of such fake boletos that arrive in the mail every month indicates that this may be a successful scam after all.
The point is that in this particular case it is a "legal scam". There is nothing illegal to pay to your company be part of an association or union. So they send you a "boleto" that looks like something official, and if you don't consult your accountant, you will think you should pay. Even your company's address is open to the public when you incorporate. You pay because at least one of these boletos you actually must pay, it is a municipal fee (an inspection fee, even though the municipality will never actually inspect your office, unles there is some complaint). Also there is some mandatory payment to unions, but only when you hire an employee.
Of course these "associations and unions" don't actually do anything for you. They just exist to get money from entrepreneurs based on all the misinformation and bureaucracy that exists to open a company in Brazil.
And you are absolutely correct: the minute you go formal in Brazil, you become a target for all kinds of scams. I believe all data should be public in a democracy, but they should be public in a way that the person who queries it should identify somehow. That way they would know who downloaded the entire database and would have control of suspicious activity.
It seems what is needed seems out of band confirmations?
"Brian, do you know why Brazilians would choose to use Boletos if they aren’t subject to chargebacks? It seems like a silly thing to do, especially when credit cards are acceptable forms of payment practically anywhere."
sigh
And of course in Europe Credit Cards are not widespread as well and there are other popular payment options.
This kind of scam is old, but there are many, like local DNS redirect, keylogging / input-logging, maybe even a piracy web-browser.
This is only half truth and probably not relevant to the case here, as the malware in question will only affect people accessing their bank accounts through the internet.
The "boleto" system is actually a very nice way to handle payments. The boleto mostly substitutes mailing checks: the company I owe send me the bill with a numeric code (and a corresponding bar code for convenience), and I can use this code to pay the bill at a bank, supermarket, lottery houses or, of course, directly from my bank account through the internet or ATM.
A boleto is different from a account deposit because each boleto is unique: the code identifies who that specific boleto was sent to, so payment processing is done automatically. No out-of-band bank codes or check handling involved.
Boletos are used in several contexts where a credit card is not appropriate, such as paying the credit card bill. However, it may substitute credit cards sometimes: an online commerce outlet will happily generate a boleto for you to pay instead of paying with credit card. You can then pay for you purchase without revealing personal information, having a credit card or sending checks by mail.
Actually, paper checks are very, very rare in Brazil nowadays, even in business contexts. Most retail business won't accept them anymore.
Also, when you pay a boleto, you get an timestamped authentication code proving you paid it. The company can't allege the check was incorrect, for example. The code may also carry the amount to be paid and/or expiration date, preventing payment of the wrong value of after the due date.
This is actually a very functional system that credit cards cannot completely substitute, even if everyone had a bank account or credit card.
EDIT: clarity and a bit of extra info
The banks can make available to the retailer a machine-readable file containing all the boletos received in the last day (using Febraban's CNAB 240 format, or the older CNAB 400 format). This allows the payment confirmation to be automated.
we have a government that listened a little to the people and didn't allowed for banks to own all money like in the US.
in the US you're forced to pay credit card fees (usually on the vendor side, so it's included in the price for everyone, even non cc users, as to not tarnish the reputation of the cc operator charging the fee). there's no way to buy online in the us without paying that.
in Brazil and other civilized counties you can use a payment number, which is like a temporary deposit account number that identify the person providing the funds. and it can't cost extra.
https://www.paypoint.com/en-gb
http://www.payzone.co.uk/
I don't believe the numbering is unique to specific bill, but to a specific account, e.g. I'd use the same identifier each time I paid by gas bill.
Gas and phone codes are always bill-specific. However, if you pay a boleto like this twice, the provider will be informed and generally will give you the chargeback in the next bill. I have already used this as a trick to pay a bill when I was travelling and wouldn't get the most recent bill.