
Boleto Fraud in Brazil: How to Spot Fake Boletos Before You Pay

Learn how scammers create fake boletos in Brazil and how to verify legitimate payment slips. Complete checklist to protect yourself from boleto bancario fraud.

LOCK.PUB
2026-03-16

The boleto bancario is one of Brazil's most popular payment methods. Over 4 billion boletos are issued each year, making it a core part of daily financial life. But that popularity also makes it one of the most exploited payment systems by fraudsters. In 2025, Brazil's Central Bank estimated that boleto fraud accounted for over R$2.5 billion in losses.

Whether you are a Brazilian resident or doing business in Brazil, understanding boleto fraud is essential. Here is how scammers operate and how you can protect yourself.

How Boleto Fraud Works

1. Altered Barcode Boletos

The most common technique involves modifying the barcode or "linha digitavel" (typeable line) of a legitimate boleto. Scammers intercept the original boleto — often through malware on your computer — and replace the payment destination with their own bank account. The boleto looks identical to the original, but the money goes to the criminal.

2. Duplicate Boleto via Email

You receive an email that appears to come from a company you do business with — your internet provider, insurance company, or even a government agency. The email contains a boleto attachment or a link to download one. The boleto looks authentic, complete with logos and correct formatting, but the payment details route to a fraudster's account.

3. Boleto Malware (Bolware)

A specific type of malware called "bolware" targets the clipboard on your computer. When you copy the boleto's typeable line to paste into your banking app, the malware silently replaces it with the attacker's payment details. You paste what you think is the correct number, but the money goes elsewhere.

4. WhatsApp Boleto Scams

Scammers send fake boletos via WhatsApp, impersonating utility companies, landlords, or subscription services. They often create urgency by claiming the payment is overdue and service will be disconnected immediately.

5. Second-Copy Scams (Segunda Via)

Fraudsters create fake websites that imitate utility companies and banks. When you search for "segunda via [company name]" on Google, you may land on a fake site that generates a fraudulent boleto with the scammer's payment details.

Common Boleto Fraud Techniques

| Technique | How It Works | Risk Level |
|---|---|---|
| Barcode Alteration | Malware changes barcode/linha digitavel | Very High |
| Email Phishing | Fake boleto sent via spoofed email | High |
| Bolware (Clipboard Malware) | Replaces copied payment line | Very High |
| WhatsApp Fake Boleto | Impersonation via messaging | High |
| Fake Segunda Via Sites | Fraudulent duplicate boleto websites | High |
| Physical Mail Intercept | Printed boleto swapped during delivery | Medium |

How to Verify a Legitimate Boleto

Check the First Three Digits

Every boleto starts with a three-digit bank code. Verify that these digits match the issuing bank listed on the boleto:

  • 001 — Banco do Brasil
  • 033 — Santander
  • 104 — Caixa Economica Federal
  • 237 — Bradesco
  • 341 — Itau Unibanco
  • 756 — Sicoob

If the bank code does not match the stated issuer, the boleto has been tampered with.

Verify the Beneficiary (Cedente)

When you scan or type the boleto into your banking app, the app will display the beneficiary name before you confirm payment. Always check that this name matches the company you intend to pay. If it shows an individual's name (CPF) instead of a company (CNPJ), that is a major red flag.

Use DDA (Debito Direto Autorizado)

DDA is a system offered by Brazilian banks that lets you receive electronic boletos directly in your banking app. Boletos registered through DDA come directly from the issuing institution, making them much harder to forge. Ask your bank about enabling DDA for your account.

Cross-Reference the Amount

Compare the amount on the boleto with your contract, invoice, or expected payment. Scammers sometimes alter the value slightly, hoping you will not notice a small difference.
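
Added example (not from the original article or from LOCK.PUB): a Python check of a 47-digit linha digitavel against the bank code and amount you expect, as described under "Check the First Three Digits" and "Cross-Reference the Amount". The field positions and the mod-10/mod-11 check digits follow the standard FEBRABAN bank-boleto layout, which the article does not describe and is assumed here; the sample lines are constructed.

```python
import re

# Bank codes listed in the article; any other code is reported as "unlisted".
BANKS = {"001": "Banco do Brasil", "033": "Santander", "104": "Caixa Economica Federal",
         "237": "Bradesco", "341": "Itau Unibanco", "756": "Sicoob"}

def mod10(body):
    """Field check digit: weights 2,1,2,1... from the right, product digits summed."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        product = int(ch) * (2 if i % 2 == 0 else 1)
        total += product // 10 + product % 10
    return (10 - total % 10) % 10

def mod11(body):
    """General check digit over the 43 other barcode digits: weights 2..9 from the right."""
    total = sum(int(ch) * (2 + i % 8) for i, ch in enumerate(reversed(body)))
    dv = 11 - total % 11
    return dv if dv < 10 else 1  # results 10 and 11 are written as 1

def check_boleto(line, expected_bank, expected_cents):
    """Return the list of problems found; an empty list means every check passed."""
    d = re.sub(r"\D", "", line)
    if len(d) != 47:  # 48-digit utility/tax slips use a different layout
        return ["not a 47-digit bank boleto line"]
    problems = []
    fields = (("field 1", d[0:9], d[9]), ("field 2", d[10:20], d[20]), ("field 3", d[21:31], d[31]))
    for name, body, dv in fields:
        if mod10(body) != int(dv):
            problems.append(f"{name} check digit mismatch")
    # Rebuild the barcode order: bank+currency, due factor+amount, 25-digit free field.
    barcode = d[0:4] + d[33:47] + d[4:9] + d[10:20] + d[21:31]
    if mod11(barcode) != int(d[32]):
        problems.append("general check digit mismatch")
    code = d[0:3]
    if code != expected_bank:
        problems.append(f"bank code {code} ({BANKS.get(code, 'unlisted')}) is not the expected {expected_bank}")
    if int(d[37:47]) != expected_cents:
        problems.append(f"amount {int(d[37:47])} cents is not the expected {expected_cents}")
    return problems

# Constructed sample lines (not real boletos): issuer Itau (341), R$150.00.
GOOD = "34191.23454 67890.123457 67890.123457 6 10010000015000"
# Same slip with the bank code replaced and every check digit recomputed.
SWAPPED = "23791.23454 67890.123457 67890.123457 1 10010000015000"
# One digit mistyped in field 2.
TYPO = "34191.23454 57890.123457 67890.123457 6 10010000015000"

if __name__ == "__main__":
    for label, line in (("good", GOOD), ("swapped", SWAPPED), ("typo", TYPO)):
        print(label, check_boleto(line, "341", 15000))
```

Check digits only catch typing errors: a substituted line with recomputed digits (SWAPPED) passes them. The comparison against the expected bank and amount, and the beneficiary name shown by your banking app, remain the real controls.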

Boleto Verification Checklist

Use this checklist every time you pay a boleto:

  • Bank code (first 3 digits) matches the stated bank
  • Beneficiary name matches the expected company
  • CNPJ/CPF of beneficiary matches official records
  • Amount matches your expected payment
  • Expiration date is reasonable
  • You received the boleto through an official channel
  • Your antivirus is up to date (to prevent bolware)
  • You are not copying and pasting from an untrusted source

What to Do If You Paid a Fake Boleto

  1. Contact your bank immediately — Report the fraudulent payment and request a chargeback attempt
  2. File a police report (Boletim de Ocorrencia) — Do this online through your state's Delegacia Eletronica
  3. Report to Procon — Brazil's consumer protection agency can assist with fraud cases
  4. Notify the company being impersonated — They may have other customers being targeted
  5. Scan your computer for malware — Run a full antivirus scan, especially checking for bolware

Protecting Your Business from Boleto Fraud

If you issue boletos to customers, you have a responsibility to help them verify authenticity:

  • Register with DDA so customers receive boletos electronically
  • Use unique identifiers that customers can verify on your official website
  • Warn customers about fake boleto scams in your communications
  • Monitor for fake websites using your company name with boleto generation

When sharing sensitive payment information with clients or partners, consider using LOCK.PUB to send boleto details through a password-protected, expiring link. This prevents interception through email or messaging apps and ensures only the intended recipient can access the payment information.

Technology Solutions

Keep Your Devices Clean

Bolware specifically targets your clipboard. Protect yourself by:

  • Keeping your operating system and browser updated
  • Using reputable antivirus software
  • Avoiding downloading attachments from unknown senders
  • Never installing browser extensions from untrusted sources

Use Your Bank's Official App

Always generate or verify boletos through your bank's official app rather than third-party websites. The app will show you the beneficiary details before you confirm, giving you a chance to spot fraud.

Enable Transaction Notifications

Set up push notifications for all transactions on your bank account. If a fraudulent boleto payment goes through, you will know immediately and can act faster to recover the funds.

Share Payment Details Securely

When you need to send boleto information, bank details, or payment instructions to someone, plain email and WhatsApp are the channels scammers exploit most. Instead, use LOCK.PUB to create a password-protected link that auto-expires. Share the password through a different channel — this way, even if one channel is compromised, the payment information remains safe.

Conclusion

Boleto fraud remains one of the most persistent financial threats in Brazil, but it is also one of the most preventable. By verifying the bank code, checking the beneficiary, using DDA, and keeping your devices secure, you can avoid the vast majority of boleto scams.

Always share sensitive payment information through secure, encrypted channels. Visit LOCK.PUB to create free password-protected links for sharing financial details safely.
