Introduction
With over 2 billion users, WhatsApp has undoubtedly become an integral part of our everyday communication. But as with any popular platform, it has also become fertile ground for cybercriminals, leading to a surge in WhatsApp phishing attacks. WhatsApp use in the workplace has increased significantly in recent years because it is easy to send messages and because of safety features such as end-to-end encryption on both mobile and PC.
Understanding WhatsApp Phishing Attacks
What is a WhatsApp Phishing Attack?
- Phishing attacks on WhatsApp involve scams where fraudsters trick users into giving up sensitive information like passwords, credit card numbers, or bank details.
- They may impersonate a trusted entity or create a sense of urgency, preying on unsuspecting users.
- WhatsApp phishing techniques used to be relatively straightforward, making them easier to detect. However, starting from 2019, a more sophisticated approach has emerged, enabling phishers to gain control over your account.
- As a result, the success rate of these WhatsApp phishing scams has risen significantly.
How does the WhatsApp phishing scam work?
- Attackers use common phishing techniques and tactics to trick users into divulging personal or corporate information.
- Attackers impersonate a CEO or another trusted member and impose a sense of emergency when sending such WhatsApp messages. In recent times there has been an increase in unknown WhatsApp calls with such motives.
- Attackers craft different types of messages, such as Mom and Dad impersonation, friend impersonation or the verification code scam.
- Most of the time users fall victim to such WhatsApp phishing attacks because the messages appear to come from trusted parties.
Why are WhatsApp Users Targeted?
- Given its user base and the trust people place in the platform, it’s no surprise that WhatsApp has become a favorite tool for fraudsters. Cybercriminals go where the numbers are, and WhatsApp provides an abundant pool of potential victims.
- Due to its widespread usage, WhatsApp has become increasingly favored by fraudsters.
- This popularity is precisely why the Fraud Help Desk now receives approximately one thousand reports each month regarding fraudulent activities on the platform.
Common Phishing Techniques
- From fake messages and missed calls to impersonating users by hacking their accounts, the ingenuity of these scams is often shocking. They quickly adapt their strategies, continuously revising their modus operandi to stay a step ahead.
- The attackers often use a very simple message, such as one that appears to come from a manager or employee asking the recipient to purchase gift cards urgently because the sender is in an important meeting.
- The attackers also know the name and other details of the employee or user they are trying to trick, which makes WhatsApp phishing attempts more successful.
5 Shocking Examples of WhatsApp Phishing Attacks
Phishing Through Missed Calls
- In recent times, users have been inundated with missed video and voice calls from various country codes. Answering or returning these calls can result in phishing attacks.
- Once the missed call is made, the scammer typically sends a message to the target claiming that they have dialed the wrong number or expressing urgency to communicate about an important matter.
- They may pose as a friend, a family member, or even a representative from a trusted organization.
- The message often includes a request to share a verification code or personal details, such as account credentials or financial information. The scammer preys on the target’s curiosity or concern, hoping that they will unknowingly provide the requested information.
- If the target falls for the scam and shares the requested information, the fraudster can gain unauthorized access to their WhatsApp account, using it for malicious purposes like spreading spam, scamming contacts, or extracting more sensitive information.
What to do –
- If the person claims to be one of your trusted contacts, call back and verify their identity before sharing any information.
- If the message relates to a financial matter and the person is pressing you with a sense of urgency, take some time and call the individual back to confirm their identity before moving on to the transaction. Do not make any transaction without verification if it is requested over a message.
Fake Message Lure – Job Offers
- Scammers often craft messages designed to fool users into divulging personal information. These fake messages can be alarmingly convincing, asking you to input credentials or verify account details.
- These messages mostly take the form of WFH (work from home) or other job offers that ask you to visit a site for the application or ask for your personal information.
- Scammers are also offering Rs50 for liking a video or photo they share over WhatsApp messages. These scammers use social media platforms such as WhatsApp, LinkedIn and Facebook to entice their victims and earn up to Rs5000 per day.
- To provide the payment, they frequently ask for personal information, and they also ask for payment in exchange for a job offer that does not exist.
How is it carried out?
- The scam begins with a message informing the victim that a job with limited slots is available and that they must respond to the message to reserve a slot.
- Once you respond and ask for job details, the scammer tells you it is a simple job: all you have to do is like YouTube videos and send a screenshot of the like, and you will be paid Rs50 per like.
- Some scammers even pay Rs100–150 at the beginning to get the victim hooked.
- Once you like the video and send them the screenshot of the tasks provided, the scam moves to phase 2.
- In phase 2, scammers act as if there are difficulties in transferring the amount and ask you to download an app for an easy transfer.
- This app contains malware or a trojan and acts as an entry point to your mobile and your personal information.
- The scammer will then ask you to send Rs1 for payment gateway verification, after which they get access to all your OTPs, emails and even your bank information.
What to do –
- Do not reply to any messages from unknown numbers offering jobs or any other type of offer. It is advised to block such numbers right away.
- Do not download any app that seems suspicious or that an unknown individual suggests.
Social Media Trap
- Fraudsters also use social media platforms like Facebook or Instagram to launch their attacks. They create fake accounts and post deceptive messages luring users into phishing traps with enticing offers or threatening account closures.
Account Impersonation / Hacked Account
- The most prevalent scam at the moment is WhatsApp impersonation, where the attacker pretends to be someone you know or trust. This can be your parents, friends or, most often, colleagues at the company you work for, or even the CEO of a company.
- In this type of WhatsApp phishing, attackers gather information on the CEO or other person they are going to impersonate via LinkedIn or other social media.
- The attackers then use that person's name and picture and send messages to the victim.
- The messages are well crafted and carry a sense of emergency so that the victim skips fact-checking them.
- Most of the time these messages aim at financial gain or leaking personal information, and they have a high rate of success because they appear to come from a trusted source.
What to do –
- If you get such messages, first call back and confirm that the person is who they claim to be, or request a voice note from the person to verify their identity.
Two-Step Verification Scam
- In a more sophisticated scam, attackers set up two-step verification on the victim’s account. The user might be locked out of their own account for days, losing control over their personal data.
- In this type of WhatsApp phishing attack, the victim receives messages from an unknown number that contain a verification code.
- The unknown number then apologizes for sending their verification code to your number and presses you to share the verification code with them.
- Once you share the verification code, your account is taken over by the attacker.
What to do –
- WhatsApp sends these verification codes as push notifications when you register your phone number on the app. This could happen if someone mistyped your number or is trying to take over your account.
- If you get a text message with an unexpected verification code, delete it. Block any WhatsApp user that asks you to send them a code or PIN. Finally, turn on two-step verification if you receive multiple one-time codes out of the blue.
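The five scam patterns above share a small set of text indicators (a request to share a code, urgency, gift cards, paid "like" tasks, app installs, payment requests). The following is an added example, not part of the original article, showing how a help desk could triage reported messages against those indicators. The patterns, weights, thresholds, phone numbers and sample messages are all constructed assumptions.

```python
import re

# Indicator -> (weight, regex). Patterns and weights are illustrative assumptions
# derived from the scam descriptions in this article, not a vetted ruleset.
INDICATORS = {
    "code_request": (5, r"(?<!n't )(?<!not )\b(send|share|forward|give)\b[^.?!]*\b(code|otp|pin)\b"),
    "urgency":      (2, r"\b(urgent(ly)?|immediately|right away|asap|limited slots?)\b"),
    "gift_card":    (3, r"\bgift ?cards?\b"),
    "paid_task":    (3, r"\b(work from home|wfh|per like)\b"),
    "app_install":  (3, r"\b(download|install)\b[^.?!]*\b(app|apk)\b"),
    "payment":      (2, r"\b(transfer|pay|send)\b[^.?!]*\b(rs ?\d+|money|amount)\b"),
}
COMPILED = {k: (w, re.compile(p, re.I)) for k, (w, p) in INDICATORS.items()}

def triage(sender, text, contacts, home_cc="+91"):
    """Return (score, reasons) for one reported message."""
    score, reasons = 0, []
    for name, (weight, rx) in COMPILED.items():
        if rx.search(text):
            score += weight
            reasons.append(name)
    # A known sender never lowers the score: hacked or impersonated
    # accounts send the same lures from a trusted name.
    if sender not in contacts:
        score += 2
        reasons.append("unknown_sender")
        if not sender.startswith(home_cc):
            score += 1
            reasons.append("foreign_number")
    return score, reasons

def verdict(score):
    if score >= 7:
        return "block_and_report"
    if score >= 3:
        return "verify_by_call"
    return "no_indicator"

# Constructed sample data (numbers and texts are made up for this example).
CONTACTS = {"+919800000002"}
SAMPLES = [
    ("+84900000001", "Sorry, I sent my verification code to your number by mistake. Please share the 6-digit code urgently."),
    ("+919800000002", "I am in an important meeting. Buy gift cards for me right away."),
    ("+919700000003", "Work from home job, limited slots. Like the YouTube video and send a screenshot. You get Rs50 per like."),
    ("+919800000002", "Your WhatsApp code is 123-456. Don't share this code with others."),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        score, reasons = triage(sender, text, CONTACTS)
        print(sender, score, verdict(score), reasons)
```

The second sample comes from a number in the contact list and still lands on "verify_by_call", which matches the advice above to call back before acting on an urgent request from a familiar name.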
Protecting Yourself from WhatsApp Phishing
Call to Confirm
Always be wary of any message that induces panic, offers unrealistic deals, or asks for personal information. Unusual urgency or pressure is often a sign of a phishing attempt. Always call and verify who is on the other side before sharing any information.
Be wary of urgent money requests
Scammers always create a sense of emergency around money requests. Always question urgent requests for money.
Report to WhatsApp
Report any suspicious activity to WhatsApp right away. They can work on shutting down these fraudulent accounts and ensure other users are not impacted.
Never answer a WhatsApp call from an unknown number
Scammers use international numbers to call random users whose mobile numbers were obtained from possible data leaks, posing fake job offers and similar lures. It is advised not to answer any unknown call over WhatsApp and to block such numbers immediately.
Change WhatsApp privacy settings
Change your privacy settings so that your last seen, profile picture and about are visible only to contacts or to nobody.
Set up 2FA
Two-factor authentication helps to improve the security of any online account, not just your WhatsApp account.
Setting this up ensures an additional layer of protection when you log into an app. A one-time code is sent to your phone, email, or authentication app before you can log into WhatsApp.
Conclusion
With technology becoming more embedded in our lives, cybersecurity awareness is crucial. Understanding the tactics employed by fraudsters can protect us and keep our sensitive information from falling into the wrong hands. With WhatsApp scams increasing, it is best to know the steps that can protect you from losing sensitive data or financial information.