_
_
_
_

WhatsApp scams: How they work and what you can do to protect yourself

Cyber threat actors play on a victim’s emotion to try to convince them to send money via services like PayPal

Así pueden robarle WhatsApp: para qué lo que quieren y cómo protegerse
A woman with her smartphone in her hand reads a WhatsApp message.picture alliance (dpa/picture alliance via Getty I)
José Mendiola Zuriarrain

“Hello, dad, I’ve lost my cell phone and I am writing to you from this new number. Can you send me money? I’m in trouble.” This is how the well-known scam of the son in distress begins. More than money, the malicious actors are after the owner’s WhatsApp account. The most popular messaging application in the world continues to be the main target of cyberattacks, receiving almost 90% of the total, according to a study published by the Russian cybersecurity company Kaspersky.

Why WhatsApp? “If you get a WhatsApp account, you have credible access to the entire spectrum of friends, family and co-workers,” explains Fernando Suárez, president of the General Council of Computer Engineering Colleges in Spain, and this credibility can be used to request money, personal data “or even photos, which are then used to extort the victim.”

The son-in-distress scam is often used to request a money transfer via Bizum, PayPal or even a bank transfer. This technique exploits the vulnerability of a parent who assumes their child is in an emergency and proceeds to pay without hesitation. Although this technique is initially used from a third party line, it becomes more truthful and credible if the message comes from the sender’s own WhatsApp account.

Once they have control of the account, the malicious actor can write from the account to the victim’s contacts openly asking for money, as in the aforementioned scam, or for more personal information that can then be used to extort money from the account holder. In some cases, the scam is so sophistication, the attackers even use of voice synthesizers to emulate the tone of the owner in order to send audios: “Cybercriminals use the compromised account to request money transfers from the victim’s contacts, even using artificial intelligence technologies to imitate the voice of the victim,” reports Kaspersky.

In the same way, whoever has control of the account has access to graphic material and videos, both received and sent, which can then be used as coercion to request money.

How does the attack happen?

The first thing to be clear about is that WhatsApp, like all messaging platforms, has a two-factor verification system. In other words, you need to have a temporary code (known as a token), which is sent to the cell phone number the account is registered with. A cyber threat actor may know the victim’s phone number — the numbers are available on the dark web or dedicated forums, due to leaks and vulnerabilities — but is missing the token to be able to take control of the account.

That’s why, when the attack is carried out, the victim will first receive an official WhatsApp SMS with the aforementioned temporary code, and this is where everything happens very quickly. Immediately, the hackers will contact the victim posing as a friend or family member, indicating that, by mistake, they entered their phone number and need that received code. If the victim gives them the token, along with the additional security code, they will have lost control of the account.

What to do to protect your account

As often happens in other attacks that use phishing techniques, hackers use the human factor, which is the weakest link in the entire protection chain. To reinforce it, experts recommend adopting the following measures:

Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition


Tu suscripción se está usando en otro dispositivo

¿Quieres añadir otro usuario a tu suscripción?

Si continúas leyendo en este dispositivo, no se podrá leer en el otro.

¿Por qué estás viendo esto?

Flecha

Tu suscripción se está usando en otro dispositivo y solo puedes acceder a EL PAÍS desde un dispositivo a la vez.

Si quieres compartir tu cuenta, cambia tu suscripción a la modalidad Premium, así podrás añadir otro usuario. Cada uno accederá con su propia cuenta de email, lo que os permitirá personalizar vuestra experiencia en EL PAÍS.

En el caso de no saber quién está usando tu cuenta, te recomendamos cambiar tu contraseña aquí.

Si decides continuar compartiendo tu cuenta, este mensaje se mostrará en tu dispositivo y en el de la otra persona que está usando tu cuenta de forma indefinida, afectando a tu experiencia de lectura. Puedes consultar aquí los términos y condiciones de la suscripción digital.

More information

Archived In

Recomendaciones EL PAÍS
Recomendaciones EL PAÍS
_
_