The adoption of biometrics has exploded in Brazil in recent years: 82% of Brazilians already use some biometric technology for authentication, driven by convenience and the search for more security in digital services. Whether in access to banks via facial recognition or the use of a fingerprint to authorize payments, biometrics has become the “new CPF” in terms of personal identification, making processes faster and more intuitive.
However, a growing wave of fraud has exposed the limits of this solution: in January 2025 alone, 1.24 million fraud attempts were registered in Brazil, an increase of 41.6% compared to the previous year, equivalent to one scam attempt every 2.2 seconds. A large part of these attacks target digital authentication systems. Serasa Experian data show that in 2024 fraud attempts against banks and cards grew 10.4% compared to 2023, representing 53.4% of all fraud registered in the year.
If they had not been prevented, these frauds could have caused an estimated loss of R$ 51.6 billion. This increase reflects a changing landscape: scammers are evolving their tactics faster than ever. According to a Serasa survey, half of Brazilians (50.7%) were victims of digital fraud in 2024, a jump of 9 percentage points compared to the previous year, and 54.2% of these victims suffered direct financial loss.
Another analysis points to an increase of 45% in digital crimes in 2024 in the country, with half of the victims being effectively deceived by the scams. Faced with these numbers, the security community asks: if biometrics promised to protect users and institutions, why do fraudsters always seem to be one step ahead?
Scams get around facial and fingerprint recognition
Part of the answer lies in the creativity with which digital gangs circumvent biometric mechanisms. In recent months, emblematic cases have emerged. In Santa Catarina, a fraudulent group harmed at least 50 people by clandestinely obtaining customers' facial biometric data: a telecommunications employee simulated phone line sales to capture customers' selfies and documents, then used this data to open bank accounts and take out loans on behalf of the victims.
In Minas Gerais, criminals went further: they pretended to be couriers to collect fingerprints and photos of residents, with the express objective of circumventing the security of banks. That is, scammers not only attack the technology itself, but also exploit social engineering, inducing people to hand over their own biometric data without realizing it. Experts warn that even systems considered robust can be fooled.
The problem is that the popularization of biometrics has created a false sense of security: users assume that, because it is biometric, authentication is infallible.
In institutions with less stringent barriers, scammers succeed using relatively simple means, such as photos or molds that mimic physical characteristics. The so-called “silicone finger scam”, for example, has become well known: criminals glue transparent films onto the fingerprint readers of ATMs to steal the customer's print and then create a fake silicone finger with that print, making withdrawals and improper transfers. Banks claim to already employ countermeasures: sensors capable of detecting heat, pulse and other characteristics of a living finger, rendering artificial molds useless.
Still, isolated cases of this scam show that no biometric barrier is totally safe from attempts to circumvent it. Another worrying vector is the use of social engineering tricks to obtain selfies or facial scans from the customers themselves. The Brazilian Federation of Banks (Febraban) sounded the alarm about a new type of fraud in which scammers request “confirmation selfies” from victims under false pretenses. For example, pretending to be bank or INSS employees, they ask for a face photo “to update a registration” or to release a nonexistent benefit; in reality, they use this selfie to pass as the customer in facial verification systems.
A simple oversight like taking a photo at the request of an alleged deliveryman or health care agent can provide criminals with a biometric “key” to access other people's accounts.
Deepfakes and AI: the new frontier of scams
If deceiving people is already a widely used strategy, the most advanced criminals are also deceiving machines. This is where deepfakes (advanced manipulation of voice and image by artificial intelligence) and other digital counterfeiting techniques come in.
Last May, for example, the Federal Police launched operation “Face Off” after identifying a scheme that defrauded about 3 thousand accounts on the Gov.br portal using false facial biometrics. The criminal group applied highly sophisticated techniques to impersonate legitimate users on the gov.br platform, which concentrates access to thousands of digital public services.
Investigators revealed that the scammers used a combination of manipulated videos, AI-altered images and even hyper-realistic 3D masks to trick the facial recognition engine. In other words, they simulated the facial features of third parties, including deceased people, to assume identities and access financial benefits linked to those accounts. With artificial eye blinking, smiling and head turning synchronized perfectly, they even managed to circumvent liveness detection, which was developed precisely to detect whether there is a real person in front of the camera.
The result was improper access to amounts that should be redeemed only by the real beneficiaries, in addition to the illicit approval of payroll loans in the My INSS app using these false identities. This case has forcefully exposed that yes, it is possible to circumvent facial biometrics, even in large and theoretically safe systems, when you have the right tools.
In October 2024, the Federal District Civil Police conducted the “DeGenerative AI” operation, dismantling a gang that specialized in hacking digital bank accounts through artificial intelligence apps. The criminals carried out more than 550 attempts to hack customer bank accounts, using leaked personal data and deepfake techniques to reproduce the image of account holders and thus validate procedures for opening new accounts on behalf of victims and enabling mobile devices as if they were the victims' own.
The group is estimated to have managed to move around R$ 110 million through personal and business accounts, laundering money from various sources, before most of the fraud was blocked by internal bank audits.
Beyond biometrics
For the Brazilian banking sector, the escalation of these high-tech scams raises a warning sign. Banks have invested heavily in the last decade to migrate customers to secure digital channels, adopting facial and fingerprint biometrics as barriers against fraud.
However, the recent wave of scams suggests that relying solely on biometrics may not be enough. Scammers exploit human flaws and technological loopholes to impersonate consumers, and this demands that security be designed around multiple levels and authentication factors, no longer a single “magical” factor.
In this complex scenario, experts converge on a recommendation: adopt multifactor authentication and multilayer security approaches. This means combining different technologies and verification methods, so that if one factor fails or is compromised, others prevent fraud. Biometrics itself remains an important part: after all, when well implemented with liveness verification and encryption, it greatly hinders opportunistic attacks.
However, it must act together with other controls: single-use passwords or PINs sent to the mobile phone; analysis of user behavior, the so-called behavioral biometrics, which identifies typing and device-use patterns and may sound the alarm when it notices a customer “acting differently from normal”; and intelligent transaction monitoring.
AI tools are also being used in favor of banks, identifying subtle deepfake signals in videos or voices - for example, analyzing audio frequencies to detect synthetic voices or looking for visual distortions in selfies.
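The layered approach described above, as an added example that is not from the article or from any bank's system: a passing face match alone never approves a session, and independent signals decide whether to allow it, request a single-use PIN, or send it to review. The signal names, thresholds and decision labels are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Thresholds are assumptions for illustration, not values from the article.
FACE_MIN, LIVENESS_MIN, BEHAVIOR_MAX = 0.90, 0.80, 0.60

@dataclass
class AuthSignals:
    face_match: float          # 0..1 similarity reported by the face matcher
    liveness: float            # 0..1 confidence that a live person is present
    known_device: bool         # device already bound to this account
    otp_verified: bool         # single-use PIN sent to the registered phone confirmed
    behavior_deviation: float  # 0..1 distance from the customer's usual typing/usage
    high_risk_action: bool     # e.g. loan request or enabling a new device

def decide(s: AuthSignals) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is allow, step_up, review or deny."""
    # Layer 1: biometrics with liveness is necessary but never sufficient.
    if s.face_match < FACE_MIN or s.liveness < LIVENESS_MIN:
        return "deny", ["biometric or liveness check failed"]
    # Layer 2: signals that do not depend on the face presented to the camera.
    reasons = []
    if not s.known_device:
        reasons.append("unrecognized device")
    if s.behavior_deviation > BEHAVIOR_MAX:
        reasons.append("behavior differs from customer profile")
    if s.high_risk_action:
        reasons.append("high-risk action")
    if not reasons:
        return "allow", []
    # Layer 3: any risk signal requires the single-use PIN.
    if not s.otp_verified:
        return "step_up", reasons
    # Several independent anomalies go to transaction monitoring even with a PIN.
    if len(reasons) >= 2:
        return "review", reasons
    return "allow", reasons

# Constructed sample: a convincing deepfake enabling a new device to request a loan.
DEEPFAKE = AuthSignals(0.97, 0.95, False, False, 0.85, True)
# Constructed sample: the real customer on their usual phone checking a balance.
CUSTOMER = AuthSignals(0.94, 0.91, True, False, 0.10, False)

if __name__ == "__main__":
    for name, s in (("deepfake", DEEPFAKE), ("customer", CUSTOMER)):
        print(name, *decide(s))
```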
In the end, the message that remains for bank managers and information security professionals is clear: there is no silver bullet. Biometrics brought a higher level of security compared to traditional passwords, so much so that scams largely migrated to deceiving people rather than breaking algorithms.
However, fraudsters are exploiting every breach, whether human or technological, to thwart biometric systems. The proper response involves cutting-edge technology that is constantly updated and proactive monitoring. Only those who can evolve their defenses at the same speed as new scams arise will be able to fully protect their customers in the age of malicious artificial intelligence.
By Sylvio Sobreira Vieira, CEO & Head Consulting at SVX Consultoria.

