A version of this piece originally appeared on TI INSIDE on April 1. A Portuguese version of this post is also available.
In January, Brazilians received their annual IPVA (vehicle tax) and IPTU (property tax) bills. The arrival of those dues brought with it a new wave of fraud — one that exploits social engineering.
The scale of the problem is already prompting a response from authorities. In Minas Gerais, authorities formed a task force, including the State Treasury, Civil Police, and Public Prosecutor's Office, to combat IPVA scams. In 2024, the State Treasury received about 4,000 reports of fraud tied to the vehicle tax. In Rio de Janeiro, officials blocked 1.4 million malicious automated attempts to access the IPVA portal in June of 2025 alone.
One of the biggest challenges is how quickly these tactics are evolving. Cybercriminals have professionalized their operations, creating near-identical replicas of government portals and using sponsored Google links to push fake websites above official ones. The problem has become so widespread that, in Paraná, authorities secured a court order forcing search engines to remove fraudulent sites and block scam ads.
This is no longer a fringe threat. It is a highly coordinated operation designed to appear legitimate at every step.
The main tactic in IPVA and IPTU scams: Fake Pix discounts
The most common tactic combines urgency and unusually steep discounts, typically through SMS or WhatsApp messages offering reductions of up to 45% for payments made via Pix, Brazil’s instant payment system.
Discounts of that magnitude simply don’t exist in the public sector. In São Paulo, a one-time, complete IPVA payment offers a 3% discount. In Paraná, it’s 6%. In Rio de Janeiro, paying IPTU in full yields about 7%. Any offer claiming to reduce a tax bill by nearly half should be treated as a clear red flag.
As part of the scheme, victims are often directed to lookalike websites that mimic government portals, such as detran-df-ipva.com, tributos-saopaulo-gov.com.br and iptu-sao-paulo-gov.com.br, none of which is an official address (Brazilian government sites live under the gov.br domain). The fake pages are designed to capture personal data and generate Pix QR codes for supposed tax payments. In reality, the funds are routed to mule accounts or shell companies. Once the payment is made, the money is quickly dispersed, making recovery almost impossible through traditional means.
That makes verifying the payment details critical. When paying any tax via Pix, the recipient shown by the bank when it resolves the Pix key should be clearly identified as a government entity, such as "State Government" or "State Treasury Department." If the payment is directed to a company name (Ltda., S.A.) or an individual, it almost certainly indicates a scam.
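The check described above can be automated on the Pix "copia e cola" payload itself. A Pix QR code is an EMVCo merchant-presented TLV string: tag 26 carries the account information (GUI `br.gov.bcb.pix` plus the Pix key), tag 59 the recipient name, and tag 63 a CRC-16/CCITT-FALSE over everything before the checksum. The following Python, added here as an illustration and not taken from the article or from any BioCatch product, parses that format, verifies the CRC, classifies the key type (a CPF key always means an individual, a CNPJ a legal entity) and flags company-style or individual recipients. The sample codes are constructed with the included builder; the names, city and key values are invented. Two caveats the code comments spell out: the CRC only detects corruption, not forgery, since a scammer generates the whole code including the checksum, and the name in tag 59 is attacker-controlled, so the authoritative recipient is the account holder the payer's bank displays after resolving the key.

```python
"""Pix BR Code recipient sanity check (added example, constructed data)."""
import re


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), as used by BR Code tag 63."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def tlv(tag: str, value: str) -> str:
    """EMV TLV element: two-digit tag, two-digit length, value (ASCII only here)."""
    return f"{tag}{len(value):02d}{value}"


def build_brcode(name: str, city: str, pix_key: str, amount: str) -> str:
    """Assemble a static Pix BR Code. Used only to construct sample input."""
    account = tlv("00", "br.gov.bcb.pix") + tlv("01", pix_key)
    payload = (tlv("00", "01") + tlv("26", account) + tlv("52", "0000")
               + tlv("53", "986") + tlv("54", amount) + tlv("58", "BR")
               + tlv("59", name) + tlv("60", city) + tlv("62", tlv("05", "***"))
               + "6304")  # tag 63, length 4; CRC covers everything up to here
    return payload + f"{crc16_ccitt(payload.encode('utf-8')):04X}"


def parse_tlv(s: str) -> dict:
    """Split a TLV string into {tag: value}; raises on truncated input."""
    out, i = {}, 0
    while i < len(s):
        tag, length = s[i:i + 2], int(s[i + 2:i + 4])
        if i + 4 + length > len(s):
            raise ValueError(f"tag {tag} claims {length} chars past end of data")
        out[tag] = s[i + 4:i + 4 + length]
        i += 4 + length
    return out


def verify_crc(code: str) -> bool:
    """True if tag 63 is present and matches. Detects corruption, NOT forgery:
    whoever generated the code also generated the CRC."""
    if len(code) < 8 or code[-8:-4] != "6304":
        return False
    return int(code[-4:], 16) == crc16_ccitt(code[:-4].encode("utf-8"))


def classify_key(key: str) -> str:
    """Pix key types: CPF (11 digits), CNPJ (14 digits), phone, email, random EVP."""
    if re.fullmatch(r"\d{11}", key):
        return "CPF (individual)"
    if re.fullmatch(r"\d{14}", key):
        return "CNPJ (legal entity)"
    if re.fullmatch(r"\+55\d{10,11}", key):
        return "phone"
    if "@" in key:
        return "email"
    if re.fullmatch(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}", key):
        return "random (EVP)"
    return "unknown"


# Token lists are a heuristic (assumption), not an official taxonomy.
COMPANY_TOKENS = {"LTDA", "SA", "S/A", "EIRELI", "EPP"}
GOVERNMENT_TOKENS = {"GOVERNO", "SECRETARIA", "FAZENDA", "ESTADO", "PREFEITURA",
                     "MUNICIPIO", "DETRAN", "SEFAZ"}


def assess_recipient(code: str) -> dict:
    """Classify who a Pix BR Code pays. The name in tag 59 is attacker-controlled;
    the final word is the holder name the payer's bank shows after resolving the key."""
    if not verify_crc(code):
        return {"valid": False, "verdict": "reject", "reason": "CRC mismatch or truncated"}
    root = parse_tlv(code)
    account = parse_tlv(root.get("26", ""))
    if account.get("00", "").lower() != "br.gov.bcb.pix":
        return {"valid": False, "verdict": "reject", "reason": "not a Pix code"}
    name, key = root.get("59", ""), account.get("01", "")
    key_type = classify_key(key)
    tokens = set(name.upper().replace(".", "").split())
    if key_type.startswith("CPF") or tokens & COMPANY_TOKENS:
        verdict, reason = "reject", "individual or private company, not a treasury"
    elif tokens & GOVERNMENT_TOKENS and key_type.startswith("CNPJ"):
        verdict, reason = "plausible_government", "confirm against the holder your bank displays"
    else:
        verdict, reason = "unclear", "recipient not identifiable as a government entity"
    return {"valid": True, "verdict": verdict, "reason": reason,
            "name": name, "key": key, "key_type": key_type, "amount": root.get("54", "")}


# Constructed samples (invented names, keys and amounts).
SCAM_CODE = build_brcode("JOAO DA SILVA", "SAO PAULO", "12345678901", "1250.00")
SHELL_CODE = build_brcode("ABC SOLUCOES LTDA", "RIO DE JANEIRO", "12345678000199", "980.00")
GOV_LIKE_CODE = build_brcode("SECRETARIA DA FAZENDA", "BELO HORIZONTE", "12345678000195", "1250.00")

if __name__ == "__main__":
    for c in (SCAM_CODE, SHELL_CODE, GOV_LIKE_CODE):
        print(assess_recipient(c))
```

Note that "plausible_government" is deliberately not "safe": a fraudster can write "SECRETARIA DA FAZENDA" into tag 59 of a code that pays a mule's CNPJ. The heuristic is worth running on the decoded payload, but the deciding signal remains the resolved account holder the bank app presents before confirmation.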
How social engineering is bypassing security controls
What makes these scams particularly dangerous is the strategic use of social engineering, increasingly powered by generative AI. Many of these scams don't involve account takeover at all. Instead, victims initiate fully authenticated payments themselves, guided by fake call centers on WhatsApp or lured by the promise of unrealistic discounts.
Looking ahead, these fraud schemes are likely to become even more sophisticated. Criminals are already experimenting with synthetic identities, blending real and fabricated data to bypass verification systems, and using AI-generated voice deepfakes to impersonate trusted contacts during phone authentication.
For banks and financial institutions, this creates a growing challenge: how to differentiate between legitimate transactions and those made under duress or deception when credentials appear valid.
Meeting that challenge requires a new approach, and behavioral-based defenses are emerging as a key line of prevention.
When behavior exposes scam activity
Victims coached by scammers often exhibit distinct behavioral patterns that physical biometrics, such as facial recognition or fingerprint matching, do not capture: those checks confirm who is present, not whether that person is acting under instruction. Behavioral solutions like BioCatch's analyze thousands of subtle signals during a user session to detect these anomalies.
Common red flags include:
- Segmented typing: The user types, pauses (to listen), then resumes typing — a pattern consistent with someone entering a Pix key received over the phone.
- Mouse hesitation: Erratic cursor movements or long pauses before clicking “confirm,” suggesting hesitation or waiting for instructions.
- Phone-to-ear pattern: On mobile devices, repeated movement between viewing the screen and holding the phone to the ear may indicate an ongoing call during the transaction — a strong indication of a fake call center scam.
- Extended session times: Tasks that should take seconds stretch into minutes, with gaps of inactivity while the user waits for guidance.
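Three of the four signals above (segmented typing, hesitation before confirm, extended session time) can be computed from ordinary front-end telemetry: keystroke, pointer and click events with timestamps. The Python below, added here as an illustration and not BioCatch's code, scores a constructed Pix-payment session against a constructed "unassisted" baseline. The event layout, thresholds and the two sample sessions are assumptions chosen to show the logic; a production system would learn per-user baselines rather than use fixed constants. The phone-to-ear pattern needs motion and proximity sensor data and is not modeled here.

```python
"""Behavioral red flags for a coached Pix payment (added example, constructed telemetry)."""
from dataclasses import dataclass

# Thresholds are assumptions for the demo, not tuned values.
PAUSE_MS = 2_000        # gap between keystrokes long enough to be "listening to the caller"
MIN_PAUSES = 2          # at least this many pauses -> segmented typing
HESITATION_MS = 10_000  # idle time before "confirm" that counts as waiting for instructions
BASELINE_MS = 5_000     # how long an unassisted user takes to pay a Pix bill
SLOW_FACTOR = 4         # session this many times longer than baseline -> extended


@dataclass(frozen=True)
class Event:
    t_ms: int            # milliseconds since session start
    kind: str            # "key", "mouse" or "click"
    target: str = ""     # form field for keys, button label for clicks


def typing_pauses(events, field, pause_ms=PAUSE_MS) -> int:
    """Count inter-keystroke gaps >= pause_ms inside one field (segmented typing)."""
    keys = [e.t_ms for e in events if e.kind == "key" and e.target == field]
    return sum(1 for a, b in zip(keys, keys[1:]) if b - a >= pause_ms)


def confirm_hesitation_ms(events) -> int:
    """Idle time between the last key/pointer activity and the confirm click."""
    clicks = [e.t_ms for e in events if e.kind == "click" and e.target == "confirm"]
    if not clicks:
        return 0
    t_confirm = clicks[0]
    prior = [e.t_ms for e in events if e.t_ms < t_confirm and e.kind != "click"]
    return t_confirm - max(prior) if prior else t_confirm


def session_duration_ms(events) -> int:
    return max(e.t_ms for e in events) if events else 0


def assess(events, field="pix_key", baseline_ms=BASELINE_MS) -> dict:
    """Return boolean flags plus a count; higher count = more coaching indicators."""
    flags = {
        "segmented_typing": typing_pauses(events, field) >= MIN_PAUSES,
        "confirm_hesitation": confirm_hesitation_ms(events) >= HESITATION_MS,
        "extended_session": session_duration_ms(events) >= SLOW_FACTOR * baseline_ms,
    }
    flags["indicators"] = sum(flags.values())
    return flags


# Constructed session 1: unassisted user types a 14-digit key at ~150 ms/key, confirms.
NORMAL_SESSION = [Event(150 * i, "key", "pix_key") for i in range(1, 15)] + [
    Event(2_600, "mouse"),
    Event(3_100, "click", "confirm"),
]

# Constructed session 2: caller dictates the key in three bursts separated by
# multi-second pauses, then the victim waits a long time before confirming.
COACHED_SESSION = (
    [Event(200 * i, "key", "pix_key") for i in range(1, 5)]            # 200..800 ms
    + [Event(4_800 + 200 * i, "key", "pix_key") for i in range(1, 5)]    # 5000..5800 ms
    + [Event(10_800 + 200 * i, "key", "pix_key") for i in range(1, 7)]   # 11000..12200 ms
    + [Event(12_500, "mouse"), Event(15_000, "mouse"), Event(40_000, "click", "confirm")]
)

if __name__ == "__main__":
    print("normal :", assess(NORMAL_SESSION))
    print("coached:", assess(COACHED_SESSION))
```

The flags are intentionally independent so that an analyst can see which signal fired; in practice they would feed a model together with device, network and history features rather than trigger a hard block on their own, since a slow but legitimate payer (an elderly customer, a bad connection) will trip the duration check alone.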
Staying ahead of evolving scams
Tax season will always bring deadlines and payments, but it should not also bring avoidable losses. Financial institutions and fraud prevention technologies now play a critical role in preventing those losses.
For organizations that process high-value transactions, the stakes are higher than ever. When a taxpayer pays a fraudulent bill, the loss is immediate and the real bill still has to be paid. That makes detection and prevention not just a security issue, but a matter of financial trust and public confidence.
Addressing this threat requires more than traditional safeguards. Technology can — and should — serve as the first line of defense. Increasingly, behavioral intelligence is shifting from a competitive advantage to a necessity for fraud prevention, compliance, and brand protection.