We fell for a bill, BEC or fraudulent Pix scam: what to do now
O que fazer agora
Act in the first minutes, because the chance of recovering the money drops as the funds are moved out of the destination account. Call your bank's fraud line now, declare that you were a victim of fraud and request a precautionary block of the amount and of the destination account; if it was Pix, register the MED (Special Return Mechanism) flagging the transaction as fraudulent. In parallel, stop any pending payment, preserve the original emails with full headers (do not delete or reply to anything), file a police report and engage Decripte's 24/7 Incident Response through /contato to investigate whether there was an email breach (BEC) and close the vector before the next fake charge.
SOC 24x7 e SLA de contenção de até 1 hora. A Decripte é especialista em resposta a incidentes para fintechs, crypto, apps, e-commerces e empresas de todos os tamanhos.
Sinais de alerta
- ›A known supplier's bill or bank details changed suddenly, with a request for 'urgency' in the payment.
- ›A billing email with a domain slightly different from the original (a swapped letter, .com instead of .com.br) or replying to an old legitimate thread.
- ›A request to change the receiving account, a different bank than usual or an account in an individual's name for a company payment.
- ›Forwarding rules or email mailboxes you did not create, messages marked as read that you did not open, or emails disappearing from the inbox.
- ›A supplier or customer warning that they received a strange charge 'from you' that you did not send.
- ›A login to the email from an unknown location or device, or a password-reset request you did not make.
- ›A Pix or transfer approved to a new recipient right after an email asking for secrecy or haste.
Primeiros passos — o que fazer agora
- 1
Call the bank now and request a block
Contact your bank's fraud line immediately and report that you were a victim of fraud. Request a precautionary block of the amount and of the destination account. The sooner, the greater the chance the money is still parked and can be held. Note the protocol number, the agent's name and the time.
- 2
If it was Pix, register the MED
Ask your bank to register the MED (Special Return Mechanism), flagging the transaction as fraud. The recipient's bank has up to 72 hours to analyze and may block the balance; upon confirmation and available balance, the return occurs within the Central Bank's deadlines. You have up to 80 days to register, but do it the same day: the money disappears fast.
- 3
Stop all pending payments
Immediately suspend any other bill, Pix or scheduled transfer linked to the same supplier, email or email thread. In BEC fraud it is common to have more than one fake charge in the queue.
- 4
Preserve the evidence without deleting anything
Do not delete or reply to the suspicious emails. Save the original messages with the full headers (.eml or .msg), screenshots, receipts and the bank details used. These headers reveal the real origin of the scam.
- 5
File the police report
File the report at your state's electronic police station describing the fraud, the amounts, dates and accounts involved. The report is usually required by the bank in the dispute and is the basis for any civil and criminal action.
- 6
Check whether the email was breached (BEC)
Immediately change the password of the email used in the dealings, enable MFA and review forwarding rules and hidden mailboxes. Tampered bills and bank details almost always come from a compromised email account (Account Takeover).
- 7
Alert suppliers and customers
Warn, through an alternative channel (phone, not email), the real supplier and the customers who may receive fake charges in your name. This interrupts the spread of the scam through your commercial chain.
- 8
Engage Decripte's 24/7 Incident Response
Call Decripte's team through /contato. With a 24x7 SOC and a containment SLA of up to 1 hour, we investigate the origin of the breach, identify what the attacker accessed, close the compromise vector and guide the bank dispute to maximize recovery.
O que NÃO fazer
- ✕Do not delete or reply to the scam emails: you destroy the evidence (headers) that proves the origin of the fraud and identifies the compromised account.
- ✕Do not accept new bank details nor pay the 'corrected' bill that the supposed supplier sends by email: always confirm by phone, using a number you already knew before the incident.
- ✕Do not wait for business hours to warn the bank: the balance in the destination account disappears within hours, and the hold depends on the money still being there.
- ✕Do not assume it was just 'a wrong bill': treat it as a possible email breach and investigate, or the next fake invoice arrives the following week.
- ✕Do not trust calls from someone claiming to be 'from the bank' asking for data, passwords or new Pix payments to 'reverse' it: banks do not reverse fraud by requesting a new transfer.
- ✕Do not skip the police report nor fail to assess the notification to the ANPD if there was access to third parties' personal data: the 3-business-day deadline runs from awareness that the incident affected personal data.
The first 60 minutes: financial containment
The factor that most determines whether you recover the money is time. In bill, BEC and Pix scams, the attacker quickly moves the funds to mule accounts and withdraws or redistributes them. That is why the first call has to be to the bank's fraud line, making clear that it is fraud and requesting a precautionary block of the amount and of the destination account. Note the protocol number, the agent's name and the time of each contact, because this chronology supports the dispute.
When the payment was via Pix, the specific path is the MED (Special Return Mechanism), created by the Central Bank exactly for cases of fraud and operational failure. By registering the MED and flagging the transaction as fraudulent, the recipient's bank has up to 72 hours to analyze and may block the balance; once the fraud is confirmed and there is available balance, the return occurs within the deadlines set by the Central Bank. Although the MED can be registered within up to 80 days, what decides the outcome is speed: money already withdrawn does not come back. For a bill (boleto), the dispute runs through the issuing bank and the clearing; TED transfers follow the bank's return procedure. In all cases, the police report strengthens the request to hold the funds.
Why this is almost always BEC: the compromised email
BEC (Business Email Compromise) is the fraud in which the criminal gains access to a legitimate email account, watches the conversations for days or weeks and then inserts themselves into a real negotiation to divert the payment. That is why the fake bill looks so genuine: it arrives in the same thread, with the same tone and on the same schedule as the real supplier. The difference is in the details, such as new bank details and a manufactured sense of urgency.
The compromise may be on your side or on the supplier's side. That is why, besides bearing the fraud, you need to find out which mailbox was breached, what else the attacker read or exfiltrated and whether they created forwarding rules to keep spying. Handling only the bill, without closing the vector, leaves the door open for the next fake invoice. The analysis of the email headers, the access logs and the mailbox rules is what reveals the real origin and extent of the incident.
Cada minuto conta. Comece o diagnóstico gratuito agora e veja o que já vazou.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
Evidence preservation and forensic investigation
Before trying to 'clean' anything, preserve the scene. Export the emails involved in the original format (.eml or .msg) to keep the headers intact, save payment receipts, the fraudulent bank details and screenshots. The headers contain the message's real route and the server addresses that help distinguish a genuine compromised email from external spoofing. Deleting or replying destroys that trail.
Decripte's investigation starts there: we analyze headers, SPF/DKIM/DMARC authentication records, the email provider's login logs (Microsoft 365 or Google Workspace), mailbox rules and session tokens to reconstruct how and when the access occurred. With that we identify the entry point (phishing, leaked password, missing MFA), determine what the attacker accessed and produce a report that serves both the bank dispute and the legal defense and the notification to third parties, if needed.
Eradication: close the vector so it does not repeat
Recovering (or trying to recover) the money solves half the problem; the other half is ensuring it does not happen again next week. Eradication involves resetting the passwords of the affected accounts, revoking all active sessions and tokens, enabling phishing-resistant MFA, removing malicious forwarding rules and delegations and reviewing which apps have access to the mailbox. If there was a credential leak, you need to identify where else they were reused.
At the process level, BEC fraud is prevented with a simple, non-negotiable rule: every change of bank details or payment above a limit requires double validation through an alternative channel. That is, you confirm the account by phone, using an already known number, never the number that came in the email. Decripte helps design that approval flow and harden the email configuration (DMARC in reject mode, alerts for suspicious rules), so the next fraudulent email does not arrive or is blocked before the payment.
Precisa conter o incidente agora? Comece de graça e ative a resposta 24x7.
Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.
Legal obligations and communication
If the fraud involved improper access or a leak of personal data of customers, employees or third parties, there are obligations under the LGPD. Resolution CD/ANPD No. 15/2024 establishes that the incident must be reported to the ANPD within 3 business days from the controller's knowledge that the incident affected personal data; the affected data subjects must also be notified within the same deadline. Small-scale processing agents have the deadline counted double, and when there is no complete information, it is possible to make a preliminary communication and supplement it later. Documenting when you became aware is essential, because it is from that milestone that the deadline starts to run.
Even when there is no duty to notify, internal and external communication must be coordinated. Warn, through a secure channel, the suppliers and customers who may be targets of fake charges in your name, instruct the finance team not to pay anything without revalidation and record everything. This controlled transparency protects your reputation and interrupts the scam chain, which often reuses the access to target your business partners.
How Decripte works and what to do afterward
Decripte specializes in incident response, with a SOC operating 24x7 and a containment SLA of up to 1 hour. When you engage 24/7 Incident Response through /contato, you gain a team specialized in BEC and financial fraud: we contain the incident, investigate the origin, close the compromise vector, support the dispute with the bank and deliver the lessons learned to strengthen your processes. We serve companies of all sizes, from fintechs and exchanges to e-commerces and startups.
After stemming the crisis, the natural step is continuous prevention. The free Threat Management plan (Decripte Intelligence Center) monitors credential leaks, dark web exposure and your domain's reputation with no credit card and requiring no technical team, available at https://decripte.com.br/intelligence-center. As many BEC scams start with a leaked password, discovering that exposure early prevents the next incident. For those who need complete coverage, there are the paid plans of 24x7 SOC, Pentest, Vulnerability Management and Compliance (LGPD/ISO 27001).
Obrigações legais (Brasil)
In case of improper access or a leak of personal data, communication to the ANPD and to the affected data subjects must occur within 3 business days from the controller's awareness that the incident affected personal data (Resolution CD/ANPD No. 15/2024); the deadline is counted double for small-scale agents. For Pix fraud, register the MED with the bank as soon as possible (the recipient's bank has up to 72 hours for the analysis) and file a police report, generally required for the bank dispute and for any civil and criminal action. Informational content, it does not constitute legal advice. These rules and deadlines (ANPD/LGPD) are Brazilian.
Termos importantes
- BEC (Business Email Compromise)
- A fraud in which the criminal gains access to a legitimate email account, follows the real negotiations and inserts themselves into the conversation to divert payments, usually by swapping the bank details of a bill or Pix.
- MED (Special Return Mechanism)
- A Central Bank procedure that allows the recipient's bank to analyze and, in cases of fraud or operational failure, block and return the funds of a Pix; the recipient's bank has up to 72 hours for the analysis after the transaction is flagged as fraudulent.
- Account Takeover (ATO)
- The takeover of a legitimate account (email, bank, system) by the attacker after obtaining the credentials, usually via phishing or a leaked password, frequently the origin of a BEC fraud.
- Email header
- The message's technical metadata that record the route, the origin servers and the SPF/DKIM/DMARC authentication results; they are the main forensic evidence for distinguishing a genuine compromised email from a forged one.
- DMARC
- An email authentication standard that, combined with SPF and DKIM, allows rejecting messages that spoof your domain; in reject mode, it blocks much of the spoofing used in scams.
- Double validation through an alternative channel
- A process control that requires confirming changes of bank details or payments through a second, independent channel (a phone call to an already known number), never through the same email as the request.
Perguntas frequentes
I just paid a fake bill, is there still time to recover the money?
Maybe, and time is decisive. Call your bank's fraud line immediately, report that you were a victim of fraud and request a precautionary block of the amount and of the destination account. If the money is still parked in the scammer's account, there is a real chance of a hold and return. File the police report next to support the dispute.
How does the Pix MED work and until when can I trigger it?
The MED (Special Return Mechanism) is the Central Bank's procedure to return funds in cases of fraud or failure. You flag the transaction as fraudulent with your bank and the recipient's bank has up to 72 hours to analyze, and may block the balance; once the fraud is confirmed and there is balance, it returns the amount. Registration can be done within up to 80 days, but do it the same day, because the money may be withdrawn before the analysis.
The bill came through my usual supplier's email, how can it be a scam?
That is the classic BEC pattern. The criminal breaches the email account (the supplier's or yours), follows the real conversations and inserts themselves into the legitimate thread with swapped bank details. That is why it looks authentic. The clue is the change of receiving account and the urgency. Always confirm new bank details by phone, using a number you already knew.
Do I need to notify the ANPD if we fell for this scam?
It depends. If the incident involved improper access or a leak of personal data of customers, employees or third parties, yes. Resolution CD/ANPD No. 15/2024 requires communication to the ANPD and the affected data subjects within 3 business days from awareness that the incident affected personal data (double deadline for small-scale agents). Document the date you became aware, as that is when the deadline starts to count.
Should I delete the scam emails to 'clean up' the inbox?
No. Deleting or replying destroys the headers and the trail that prove the origin of the fraud and identify the compromised account. Export the messages in the original format (.eml or .msg), save receipts and screenshots, and preserve everything. This evidence is essential for the investigation, the bank dispute and any legal action.
How do I find out if the company's email was breached?
Check the provider's login logs (Microsoft 365 or Google Workspace) for access from unknown locations or devices, look for forwarding rules or delegations you did not create and check for unsolicited password-reset requests. Change the password, revoke sessions and enable MFA. Decripte performs that forensic analysis to confirm the entry point and the extent of the access.
What do I do so this does not happen again?
Implement mandatory double validation through an alternative channel for any change of bank details or payment above a limit, always confirming by phone using an already known number. Enable phishing-resistant MFA on all emails, configure DMARC in reject mode and monitor for credential leaks. Decripte's free Threat Management plan (https://decripte.com.br/intelligence-center) helps detect exposure before the next attack.
When should I call Decripte instead of solving it internally?
Call as soon as there is suspicion of a compromised email or a relevant financial loss, because the vector needs to be closed to avoid new fraud. Decripte's 24/7 Incident Response, with a 24x7 SOC and a containment SLA of up to 1 hour, contains the incident, investigates the origin, supports the bank dispute and delivers the remediation plan. Engage through /contato.
Incidente em andamento?
Comece agora pelo diagnóstico gratuito — e ative SOC 24/7 e resposta a incidentes nos planos pagos.
Veja em minutos o que já vazou da sua empresa. Quando precisar, a Decripte assume a contenção, a investigação forense e a recuperação do ambiente com SLA de contenção de 1 hora.
