Why Are WhatsApp Users So Easy To Scam?

Another day, another security alert. This time, it’s alleged that you can email WhatsApp with a phone number claiming the device has been stolen/lost and WhatsApp will deactivate the account. This can be from ANY email and ANY phone number.

Though the platform appears to be taking steps to address this flaw since it gained public attention, it’s an open invite for misuse.

Scammers are constantly and relentlessly targeting WhatsApp. With over 2 billion active users relying on WhatsApp for both personal and professional reasons, often sharing sensitive information on the basis of its end-to-end encryption, it’s an attractive target for criminals. It’s estimated that scammers using text messaging apps like WhatsApp sent 66 billion spam texts in 2022. These can be anything from “Friend in need” messages to messages impersonating two-factor authentication.

So why are WhatsApp users so easy to scam and what steps should you be taking to keep yourself safe?

The Vulnerability Of WhatsApp

As a messenger app - and the world’s most popular one at that - WhatsApp is fertile ground for impersonation scams. The infamous ‘hi Mum/ Dad’ scam, where criminals pose as a friend or relative of their victim and ask them to send money, cost UK victims £1.7 million across platforms, between the beginning of 2022 and mid-June 2023. WhatsApp is the preferred channel of attack for impersonation: TSB impersonation fraud data found that scam activity on Meta platforms led to 86% of cases reported to the bank in 2022, with WhatsApp representing two-thirds of those incidents.

And as generative AI grows in sophistication and popularity, there’s a fear these losses will climb. AI is already being used to mimic loved ones’ voices in order to extract money.

This isn’t the only impersonation scam hitting WhatsApp users. Another version involves criminals gaining the account of one of your contacts and messaging you purportedly as them. They’ll simultaneously be trying to log into your own WhatsApp account with your number, which means you’ll be sent a 6-digit code from WhatsApp. The scammer will then ask you to send that code, claiming it’s theirs and sent to you by accident, and gain control of your account.

Variations on this passcode scam include calling a victim and claiming to be a member of a shared group, often aided by false profile pictures and display names, and asking for the passcode under the guise that it’s a code for a group video call. However, the code is a registration code to allow your WhatsApp account to be ported over to another device. Users in India also recently suffered a flurry of group-based scams around World Yoga Day. Criminals would invite users to join yoga classes and send a link that, upon clicking, requests a 6-digit OTP (one time password) code, so victims unknowingly pass over a code that unlocks their account.  

Eight Tips To Protect Yourself

WhatsApp are attempting to shore up security: they’ve introduced a new ‘Silence Unknown Callers’ option and created a Privacy Checkup tool to take users step-by-step through its security features. But, unfortunately, it still falls to users to be aware of popular scams and take steps to protect themselves. Here are seven top tips to stay safe on WhatsApp.

1. Keep your WhatsApp updated:   Keeping apps like WhatsApp updated are about more than enjoying the latest user features. There’ll be important security updates included to patch discovered vulnerabilities so you should install any updates as soon as they are released.

2. NEVER share your OTP code:   As seen above, once you share your OTP code with someone, it’s game over. An OTP code verifies your identity and is the key to unlocking your WhatsApp account. Never share it with anyone.

3. Choose a strong password.. :   Your password is a crucial line of defence in protecting your account and so it needs to be a strong one. Make sure it’s at least 8 characters in length and includes upper and lowercase letters, numbers and symbols.

4. …and then enable two-factor authentication:   Don’t let perceived ease undermine your security. Enable two-factor authentication on your WhatsApp account: you’ll be asked to create a unique PIN that you’ll additionally need to enter to log into your account. This makes it much harder for criminals to hack your WhatsApp.


5. Verify information for yourself:    It’s good to be suspicious on WhatsApp. Be wary of messages asking you to provide personal information and if you receive an ‘emergency’ message from a supposed friend or relative asking you for money, make sure you verify this by calling them via a different channel.
Don’t let criminals panic you into sending money or sensitive information without thinking it through first.

6. Be wary of links:   Phishing links are a common scamming tactic but they’re popular because they’re very easy to fall for. Be cautious about clicking links. Don’t know the person sending you a link? Leave it alone. It’s also important to make sure you’re only installing apps from official app stores. 

7. Stay alert for the latest attacks:   Just like WhatsApp’s security team, scammers will be continuously updating their tactics so make sure you’re keeping abreast of the latest types of attacks. News outlets will report on new scams and it’s crucial to read past the headlines.

8. Keep work chats off WhatsApp:   It’s tempting to use WhatsApp to help conduct business - it’s quick, easy and so many people already have it. But using messaging apps as shadow IT (tech used without the IT department’s approval or oversight) opens up an organisation to huge risk. Not only is there the possibility of human error in accidentally sending confidential, sensitive information to anyone in your contacts, it’s a goldmine for any criminal who gains access to your account.

The large, personal role WhatsApp plays in people’s lives and its power to connect anyone in the world makes the platform invaluable to scammers. Protect yourself from falling victim by following security best practice thinking very carefully about the messages you receive.

François Rodriguez is Chief Commercial Officer at RealTyme

Image: Eyestix Studio

You Might Also Read:

Online Safety Bill UK: WhatsApp, Encryption & The Implications For Privacy:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Empower Your DaaS Programs
Navigating User Experience, Performance & Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

aizoOn Technology Consulting

aizoOn Technology Consulting

aizoOn is a technology consulting company offering a range of services including IoT & embedded security, mobile security, cybersecurity assessments, risk & compliance, network monitoring and more.

Identiv

Identiv

Identiv is a global security technology company that establishes trust in the connected world, including premises, information and everyday items.

MSAB

MSAB

MSAB is a pioneer in forensic technology for mobile device examination.

Cyber London (CyLon)

Cyber London (CyLon)

CyLon is a leading cyber security accelerator and seed investment programme. We help entrepreneurs from across the globe to build cyber security businesses, raise investment, and develop partnerships.

Zivaro

Zivaro

Zivaro provides transformational consulting and technology services to help clients attain real business value from their technology investments.

ITU Arab Regional Cyber Security Center (ITU-ARCC)

ITU Arab Regional Cyber Security Center (ITU-ARCC)

ITU-ARCC acts as ITU’s cybersecurity hub in the Arab Region localizing and coordinating cybersecurity initiatives.

PBOSecure

PBOSecure

PBOSecure is a dynamic and progressive IT consultancy company specializing in IT and Industrial Control System (ICS) security.

Lithuanian National Accreditation Bureau

Lithuanian National Accreditation Bureau

Lithuanian National Accreditation Bureau is the national accreditation body for Lithuania. The directory of members provides details of organisations offering certification services for ISO 27001.

DataTribe

DataTribe

DataTribe is a cyber startup foundry, leveraging deep experience and expertise to build and launch successful product companies.

Innosphere Ventures

Innosphere Ventures

Innosphere Ventures is Colorado’s leading science and technology incubator, accelerating the success of high-impact startup and scaleup companies.

Cobalt Iron

Cobalt Iron

Cobalt Iron is a global leader in SaaS-based enterprise backup and data protection technology.

Mphasis

Mphasis

Mphasis is a leading applied technology services company applying next-generation technology to help enterprises transform businesses globally.

Bolster

Bolster

Bolster (previously RedMarlin) is an AI-based cyber-security platform designed to detect phishing and fraudulent sites in real-time.

LiveAction

LiveAction

LiveAction provides end-to-end visibility of network and application performance from a single pane of glass.

ThreatBlockr

ThreatBlockr

ThreatBlockr (previously Bandura Cyber) is the only active defense cybersecurity platform that fully automates the enforcement, deployment and analysis of cyber intelligence at a massive scale.

Cyber Crucible

Cyber Crucible

Cyber Crucible is a cybersecurity Software as a Service company definitively removing the risk of data extortion from customer environments.