Why Are WhatsApp Users So Easy To Scam?

Uploaded on 2023-09-07 in TECHNOLOGY-Key Areas-Social Media, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Another day, another security alert. This time, it’s alleged that you can email WhatsApp with a phone number claiming the device has been stolen/lost and WhatsApp will deactivate the account. This can be from ANY email and ANY phone number.

Though the platform appears to be taking steps to address this flaw since it gained public attention, it’s an open invite for misuse.

Scammers are constantly and relentlessly targeting WhatsApp. With over 2 billion active users relying on WhatsApp for both personal and professional reasons, often sharing sensitive information on the basis of its end-to-end encryption, it’s an attractive target for criminals. It’s estimated that scammers using text messaging apps like WhatsApp sent 66 billion spam texts in 2022. These can be anything from “Friend in need” messages to messages impersonating two-factor authentication.

So why are WhatsApp users so easy to scam and what steps should you be taking to keep yourself safe?

The Vulnerability Of WhatsApp

As a messenger app - and the world’s most popular one at that - WhatsApp is fertile ground for impersonation scams. The infamous ‘hi Mum/ Dad’ scam, where criminals pose as a friend or relative of their victim and ask them to send money, cost UK victims £1.7 million across platforms, between the beginning of 2022 and mid-June 2023. WhatsApp is the preferred channel of attack for impersonation: TSB impersonation fraud data found that scam activity on Meta platforms led to 86% of cases reported to the bank in 2022, with WhatsApp representing two-thirds of those incidents.

And as generative AI grows in sophistication and popularity, there’s a fear these losses will climb. AI is already being used to mimic loved ones’ voices in order to extract money.

This isn’t the only impersonation scam hitting WhatsApp users. Another version involves criminals gaining the account of one of your contacts and messaging you purportedly as them. They’ll simultaneously be trying to log into your own WhatsApp account with your number, which means you’ll be sent a 6-digit code from WhatsApp. The scammer will then ask you to send that code, claiming it’s theirs and sent to you by accident, and gain control of your account.

Variations on this passcode scam include calling a victim and claiming to be a member of a shared group, often aided by false profile pictures and display names, and asking for the passcode under the guise that it’s a code for a group video call. However, the code is a registration code to allow your WhatsApp account to be ported over to another device. Users in India also recently suffered a flurry of group-based scams around World Yoga Day. Criminals would invite users to join yoga classes and send a link that, upon clicking, requests a 6-digit OTP (one time password) code, so victims unknowingly pass over a code that unlocks their account.  

Eight Tips To Protect Yourself

WhatsApp are attempting to shore up security: they’ve introduced a new ‘Silence Unknown Callers’ option and created a Privacy Checkup tool to take users step-by-step through its security features. But, unfortunately, it still falls to users to be aware of popular scams and take steps to protect themselves. Here are seven top tips to stay safe on WhatsApp.

1. Keep your WhatsApp updated:   Keeping apps like WhatsApp updated are about more than enjoying the latest user features. There’ll be important security updates included to patch discovered vulnerabilities so you should install any updates as soon as they are released.

2. NEVER share your OTP code:   As seen above, once you share your OTP code with someone, it’s game over. An OTP code verifies your identity and is the key to unlocking your WhatsApp account. Never share it with anyone.

3. Choose a strong password.. :   Your password is a crucial line of defence in protecting your account and so it needs to be a strong one. Make sure it’s at least 8 characters in length and includes upper and lowercase letters, numbers and symbols.

4. …and then enable two-factor authentication:   Don’t let perceived ease undermine your security. Enable two-factor authentication on your WhatsApp account: you’ll be asked to create a unique PIN that you’ll additionally need to enter to log into your account. This makes it much harder for criminals to hack your WhatsApp.


5. Verify information for yourself:    It’s good to be suspicious on WhatsApp. Be wary of messages asking you to provide personal information and if you receive an ‘emergency’ message from a supposed friend or relative asking you for money, make sure you verify this by calling them via a different channel.
Don’t let criminals panic you into sending money or sensitive information without thinking it through first.

6. Be wary of links:   Phishing links are a common scamming tactic but they’re popular because they’re very easy to fall for. Be cautious about clicking links. Don’t know the person sending you a link? Leave it alone. It’s also important to make sure you’re only installing apps from official app stores. 

7. Stay alert for the latest attacks:   Just like WhatsApp’s security team, scammers will be continuously updating their tactics so make sure you’re keeping abreast of the latest types of attacks. News outlets will report on new scams and it’s crucial to read past the headlines.

8. Keep work chats off WhatsApp:   It’s tempting to use WhatsApp to help conduct business - it’s quick, easy and so many people already have it. But using messaging apps as shadow IT (tech used without the IT department’s approval or oversight) opens up an organisation to huge risk. Not only is there the possibility of human error in accidentally sending confidential, sensitive information to anyone in your contacts, it’s a goldmine for any criminal who gains access to your account.

The large, personal role WhatsApp plays in people’s lives and its power to connect anyone in the world makes the platform invaluable to scammers. Protect yourself from falling victim by following security best practice thinking very carefully about the messages you receive.

François Rodriguez is Chief Commercial Officer at RealTyme

Image: Eyestix Studio

You Might Also Read:

Online Safety Bill UK: WhatsApp, Encryption & The Implications For Privacy:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Empower Your DaaS Programs
Navigating User Experience, Performance & Security »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Rockwell Automation

Rockwell Automation

Rockwell Automation offer industrial security solutions to protect the integrity and availability of your complex automation solutions.

Institute for Critical Infrastructure Technology (ICIT)

Institute for Critical Infrastructure Technology (ICIT)

ICIT is a leading cybersecurity think tank providing objective research, advisory, and education to legislative, commercial, and public-sector cybersecurity stakeholders.

Retail & Hospitality Information Sharing & Analysis Center (RH-ISAC)

Retail & Hospitality Information Sharing & Analysis Center (RH-ISAC)

Retail & Hospitality ISAC operates as a central hub for sharing sector-specific cyber security information and intelligence.

IABG

IABG

IABG offer independent, product-neutral consulting as well as technical and scientific services for the use of safety-relevant systems and technologies.

Eustema

Eustema

Eustema designs and manages ICT solutions for medium and large organizations.

Redspin

Redspin

Redspin provide penetration testing, security assessments and consulting services.

Myra Security

Myra Security

Myra technology monitors, analyzes, and filters malicious internet traffic before virtual attacks can do any real harm.

Ergon Informatik

Ergon Informatik

Ergon Informatik AG is Switzerland's leading provider of customised software solutions and software products including fraud detection and the Airlock web security suite.

VietSunshine

VietSunshine

VietSunshine is a leading provider of network security infrastructure and solutions in Vietnam.

Bio-Morphis

Bio-Morphis

Bio-Morphis Reflex solution is a paradigm shift in the approach to information systems security.

SkillCube

SkillCube

SkillCube is one of the pioneers in India focusing on Cyber Security Skill Development Solutions.

Kasm Technologies

Kasm Technologies

Kasm Browser Isolation - Protect your organization from malware, ransomware and phishing by using zero-trust containerized browsers.

Cyber Skyline

Cyber Skyline

Cyber Skyline is a revolutionary cloud platform to practice, develop, and measure your team's technical cybersecurity skills.

Torq

Torq

Torq's no-code automation modernizes how security & operations teams work with easy workflow building, limitless integrations and numerous pre-built templates.

Network Perception

Network Perception

Network Perception proactively and continuously assures the security of critical OT assets with intuitive network segmentation verification and visualization.

Insight Enterprises

Insight Enterprises

Insight is a leading solutions integrator, helping you navigate today’s ever-changing business environment with teams of technical experts and decades of industry experience.