Fraudsters exploit FGTS birthday withdrawal accounts by stealing CPF and personal data, then making unauthorized withdrawals and loans that leave victims with debt. Criminals obtain data through data breaches, phishing links, and unsecured websites, then use facial recognition spoofing to open accounts in victims' names.
- Fábia Maria da Silva's account was invaded; criminals withdrew approximately 10,000 reais and took a loan in her name
- Fraudsters enrolled her in the birthday withdrawal program in 2022, extracted two annual payments, then took a loan in May 2024
- Criminals obtain data through breaches, phishing links, unsecured websites, and use AI facial recognition spoofing to open accounts
- Workers who lose FGTS access to fraud and are then fired receive only the employer's 40 percent penalty, not their savings
Brazilian workers face a growing fraud scheme where criminals steal personal data to access FGTS accounts, make unauthorized withdrawals, and take loans in victims' names. Caixa says disputed transactions can be contested and refunded if legitimate.
Fábia Maria da Silva, a 46-year-old cashier operator, opened her FGTS app in September to check her account balance and found roughly 10,000 reais frozen without her authorization. When she visited a Caixa Econômica Federal branch to investigate, she learned that criminals had invaded her account, enrolled her in the birthday withdrawal program, extracted two annual payments across consecutive years, and in May 2024 taken out a loan in her name using her FGTS as collateral. She was left holding the debt.
This is not an isolated incident. The FGTS fraud scheme has accelerated since the pandemic, targeting Brazilian workers with a coordinated attack: steal personal data, drain the fund, then weaponize the victim's identity to secure loans they never requested. The mechanics are straightforward but devastating. Fraudsters obtain a worker's CPF and identifying information—sometimes from data breaches circulating online, sometimes from phishing links sent via WhatsApp or email, sometimes from unsecured websites where people casually enter their details. With those credentials, they access the FGTS app, often targeting accounts where the victim never registered an email address. The criminal resets the password, adds their own email, and begins moving money while notifications go to an inbox the victim never sees.
The birthday withdrawal program, created in 2019 by then-economy minister Paulo Guedes, makes this theft especially damaging. Once enrolled, workers lose access to the full withdrawal option available upon termination. If fired, they receive only the employer's mandatory 40 percent fine—not their own savings. Criminals exploit this by enrolling victims, then extracting annual payments. In Fábia's case, they waited two years, watching to see if she would notice. When she didn't, they escalated to a loan, using the birthday withdrawal mechanism to borrow against future payments, pocketing the advance while Fábia accumulated interest-bearing debt.
Opening accounts in victims' names requires one more layer of fraud. Criminals use stolen personal data—full name, address, parents' names—to create accounts at digital banks. They then deploy artificial intelligence to spoof facial recognition verification, using photos harvested from social media or data leaks. With a fraudulent account established and biometric validation bypassed, they can move money, receive FGTS withdrawals, and secure loans. The victim discovers none of this until checking their account or, worse, until a bank calls asking about a loan they never authorized.
Fabio Assolini, director of global research and analysis for Kaspersky in Latin America, notes that FGTS fraud proliferated during the pandemic because the fund is both popular and centralized. Caixa manages not only FGTS but also federal welfare programs like Bolsa Família, making it a natural target for criminals seeking to exploit multiple benefit streams simultaneously. The scale of data breaches compounds the problem—personal information moves freely through criminal networks, making it trivially easy for fraudsters to assemble the details needed to impersonate someone.
Protection requires vigilance on two fronts. Workers should check the Banco Central's Registrato platform monthly, entering their CPF to see if loans or accounts have been opened in their name. They should register an email address on their FGTS app so that any unauthorized activity triggers an alert before the criminal can change the password and lock them out. They should ignore unsolicited messages claiming to be from their bank and never provide personal data to callers. Caixa says disputed transactions can be contested at any branch with a CPF and ID, and that legitimate claims are refunded. In Fábia's case, the money was returned. Pan Bank, which issued the fraudulent loan, canceled the debt after being contacted. But the system depends on victims noticing quickly—and many don't until the damage is done.
Notable Quotes
I went to Caixa to find out why, and the employee asked if I had taken out a loan at Banco Pan. I said no, and he told me they had taken out a loan in my name and are using my FGTS balance. — Fábia Maria da Silva
We saw many scams using various benefits during the pandemic, and the reason is also because Caixa, in addition to maintaining FGTS, maintains government programs. It is very common to find scams using FGTS and Bolsa Família. — Fabio Assolini, Kaspersky
The Hearth Conversation: Another perspective on the story
Why did it take Fábia so long to notice? She checks her account regularly.
She was looking for the right thing—whether her employer's deposits arrived. She wasn't looking for unauthorized enrollments or loans. The criminals were careful. They waited two years before escalating.
So the birthday withdrawal program itself is the vulnerability?
It's not a flaw in the program, but it becomes a weapon once someone else controls your account. The program is designed to give workers flexibility. Criminals use that flexibility against them.
How does facial recognition spoofing actually work if the person's face isn't there?
They steal a photo from social media or a data breach. AI can now animate a still image convincingly enough to fool the liveness check. The bank sees what looks like a real person confirming the transaction.
If data breaches are so common, why isn't there a harder verification step?
There is, in theory. But the more steps you add, the more friction for legitimate users. Banks balance security against convenience. Criminals exploit that balance.
What happens to someone who loses their FGTS to fraud and then gets fired?
They lose everything. No severance access, no emergency fund. Just the 40 percent penalty from the employer. And if the criminal took out a loan, they're paying interest on money they never borrowed.
Is Caixa doing anything to prevent this, or just refunding after the fact?
Mostly refunding. The real prevention has to come from workers themselves—checking Registrato monthly, registering an email, being skeptical of messages. The system assumes people are watching.