Why Are WhatsApp Users So Easy To Scam?

Another day, another security alert. This time, it’s alleged that you can email WhatsApp with a phone number claiming the device has been stolen/lost and WhatsApp will deactivate the account. This can be from ANY email and ANY phone number.

Though the platform appears to be taking steps to address this flaw since it gained public attention, it’s an open invite for misuse.

Scammers are constantly and relentlessly targeting WhatsApp. With over 2 billion active users relying on WhatsApp for both personal and professional reasons, often sharing sensitive information on the basis of its end-to-end encryption, it’s an attractive target for criminals. It’s estimated that scammers using text messaging apps like WhatsApp sent 66 billion spam texts in 2022. These can be anything from “Friend in need” messages to messages impersonating two-factor authentication.

So why are WhatsApp users so easy to scam and what steps should you be taking to keep yourself safe?

The Vulnerability Of WhatsApp

As a messenger app - and the world’s most popular one at that - WhatsApp is fertile ground for impersonation scams. The infamous ‘hi Mum/ Dad’ scam, where criminals pose as a friend or relative of their victim and ask them to send money, cost UK victims £1.7 million across platforms, between the beginning of 2022 and mid-June 2023. WhatsApp is the preferred channel of attack for impersonation: TSB impersonation fraud data found that scam activity on Meta platforms led to 86% of cases reported to the bank in 2022, with WhatsApp representing two-thirds of those incidents.

And as generative AI grows in sophistication and popularity, there’s a fear these losses will climb. AI is already being used to mimic loved ones’ voices in order to extract money.

This isn’t the only impersonation scam hitting WhatsApp users. Another version involves criminals gaining the account of one of your contacts and messaging you purportedly as them. They’ll simultaneously be trying to log into your own WhatsApp account with your number, which means you’ll be sent a 6-digit code from WhatsApp. The scammer will then ask you to send that code, claiming it’s theirs and sent to you by accident, and gain control of your account.

Variations on this passcode scam include calling a victim and claiming to be a member of a shared group, often aided by false profile pictures and display names, and asking for the passcode under the guise that it’s a code for a group video call. However, the code is a registration code to allow your WhatsApp account to be ported over to another device. Users in India also recently suffered a flurry of group-based scams around World Yoga Day. Criminals would invite users to join yoga classes and send a link that, upon clicking, requests a 6-digit OTP (one time password) code, so victims unknowingly pass over a code that unlocks their account.  

Eight Tips To Protect Yourself

WhatsApp are attempting to shore up security: they’ve introduced a new ‘Silence Unknown Callers’ option and created a Privacy Checkup tool to take users step-by-step through its security features. But, unfortunately, it still falls to users to be aware of popular scams and take steps to protect themselves. Here are seven top tips to stay safe on WhatsApp.

1. Keep your WhatsApp updated:   Keeping apps like WhatsApp updated are about more than enjoying the latest user features. There’ll be important security updates included to patch discovered vulnerabilities so you should install any updates as soon as they are released.

2. NEVER share your OTP code:   As seen above, once you share your OTP code with someone, it’s game over. An OTP code verifies your identity and is the key to unlocking your WhatsApp account. Never share it with anyone.

3. Choose a strong password.. :   Your password is a crucial line of defence in protecting your account and so it needs to be a strong one. Make sure it’s at least 8 characters in length and includes upper and lowercase letters, numbers and symbols.

4. …and then enable two-factor authentication:   Don’t let perceived ease undermine your security. Enable two-factor authentication on your WhatsApp account: you’ll be asked to create a unique PIN that you’ll additionally need to enter to log into your account. This makes it much harder for criminals to hack your WhatsApp.


5. Verify information for yourself:    It’s good to be suspicious on WhatsApp. Be wary of messages asking you to provide personal information and if you receive an ‘emergency’ message from a supposed friend or relative asking you for money, make sure you verify this by calling them via a different channel.
Don’t let criminals panic you into sending money or sensitive information without thinking it through first.

6. Be wary of links:   Phishing links are a common scamming tactic but they’re popular because they’re very easy to fall for. Be cautious about clicking links. Don’t know the person sending you a link? Leave it alone. It’s also important to make sure you’re only installing apps from official app stores. 

7. Stay alert for the latest attacks:   Just like WhatsApp’s security team, scammers will be continuously updating their tactics so make sure you’re keeping abreast of the latest types of attacks. News outlets will report on new scams and it’s crucial to read past the headlines.

8. Keep work chats off WhatsApp:   It’s tempting to use WhatsApp to help conduct business - it’s quick, easy and so many people already have it. But using messaging apps as shadow IT (tech used without the IT department’s approval or oversight) opens up an organisation to huge risk. Not only is there the possibility of human error in accidentally sending confidential, sensitive information to anyone in your contacts, it’s a goldmine for any criminal who gains access to your account.

The large, personal role WhatsApp plays in people’s lives and its power to connect anyone in the world makes the platform invaluable to scammers. Protect yourself from falling victim by following security best practice thinking very carefully about the messages you receive.

François Rodriguez is Chief Commercial Officer at RealTyme

Image: Eyestix Studio

You Might Also Read:

Online Safety Bill UK: WhatsApp, Encryption & The Implications For Privacy:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Empower Your DaaS Programs
Navigating User Experience, Performance & Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

The Networking People (TNP)

The Networking People (TNP)

TNP supplies independent advice allowing large organisations to design, build and operate their own networks independently of the established telecoms companies.

Security Innovation

Security Innovation

Security Innovation is a leader in software security assessments and application security training to top organizations worldwide.

CERT.BY

CERT.BY

The National Computer Emergency Response Team of the Republic of Belarus.

Entrust

Entrust

Entrust is a global leader in digital security, identities, payments, and data protection.

ID Quantique (IDQ)

ID Quantique (IDQ)

ID Quantique is a world leader in quantum-safe crypto solutions, designed to protect data for the long-term future.

FinlayJames

FinlayJames

FinlayJames supports cyber security companies to meet the increasing demand and pressure on them by finding top talent within the industry for their sales, marketing and technical teams.

ColorTokens

ColorTokens

ColorTokens Xtended ZeroTrust Platform protects from the inside out with unified visibility, micro-segmentation, zero-trust network access, cloud workload and endpoint protection.

Pivot Technology School

Pivot Technology School

Pivot Tech offers Data Analytics, Software Development and Cyber Security training in boot camp style cohorts.

Communicate Technology

Communicate Technology

Communicate Technology are IT, telecoms and cyber-security specialists, keeping over 500 businesses and 50,000 users connected and secure across the UK.

East Midlands Cyber Resilience Centre (EMCRC)

East Midlands Cyber Resilience Centre (EMCRC)

The East Midlands Cyber Resilience Centre is set up to support and help protect businesses across the region against cyber crime.

Across Verticals

Across Verticals

Across Verticals is a boutique cyber security consulting firm that specializes in holistic, deeply technical and end to end cyber security advisory services based on industry best practices.

Sourcepass

Sourcepass

Sourcepass is an IT consulting company that focuses on providing expert IT services, cloud computing solutions, cybersecurity services, website, and application development.

Abertay cyberQuarter

Abertay cyberQuarter

The Abertay cyberQuarter is a cybersecurity research and development centre housed within Abertay University.

Trustifi

Trustifi

Trustifi leads the market with the easiest to use and deploy email security products, providing both inbound and outbound email security from a single vendor.

Department of Homeland Security (DHS)

Department of Homeland Security (DHS)

The Department of Homeland Security has a vital mission: to secure the nation from the many threats we face. Our duties are wide-ranging, but our goal is clear - keeping America safe.

Karate Labs

Karate Labs

Karate is an open-source unified test automation platform combining API testing, API performance testing, API mocks & UI testing.