WhatsApp scams: How they work and what you can do to protect yourself

“Hello, dad, I’ve lost my cell phone and I am writing to you from this new number. Can you send me money? I’m in trouble.” This is how the well-known scam of the son in distress begins. More than money, the malicious actors are after the owner’s WhatsApp account. The most popular messaging application in the world continues to be the main target of cyberattacks, receiving almost 90% of the total, according to a study published by the Russian cybersecurity company Kaspersky.

Why WhatsApp? “If you get a WhatsApp account, you have credible access to the entire spectrum of friends, family and co-workers,” explains Fernando Suárez, president of the General Council of Computer Engineering Colleges in Spain, and this credibility can be used to request money, personal data “or even photos, which are then used to extort the victim.”

The son-in-distress scam is often used to request a money transfer via Bizum, PayPal or even a bank transfer. This technique exploits the vulnerability of a parent who assumes their child is in an emergency and proceeds to pay without hesitation. Although this technique is initially used from a third party line, it becomes more truthful and credible if the message comes from the sender’s own WhatsApp account.

Once they have control of the account, the malicious actor can write from the account to the victim’s contacts openly asking for money, as in the aforementioned scam, or for more personal information that can then be used to extort money from the account holder. In some cases, the scam is so sophistication, the attackers even use of voice synthesizers to emulate the tone of the owner in order to send audios: “Cybercriminals use the compromised account to request money transfers from the victim’s contacts, even using artificial intelligence technologies to imitate the voice of the victim,” reports Kaspersky.

In the same way, whoever has control of the account has access to graphic material and videos, both received and sent, which can then be used as coercion to request money.

How does the attack happen?

The first thing to be clear about is that WhatsApp, like all messaging platforms, has a two-factor verification system. In other words, you need to have a temporary code (known as a token), which is sent to the cell phone number the account is registered with. A cyber threat actor may know the victim’s phone number — the numbers are available on the dark web or dedicated forums, due to leaks and vulnerabilities — but is missing the token to be able to take control of the account.

That’s why, when the attack is carried out, the victim will first receive an official WhatsApp SMS with the aforementioned temporary code, and this is where everything happens very quickly. Immediately, the hackers will contact the victim posing as a friend or family member, indicating that, by mistake, they entered their phone number and need that received code. If the victim gives them the token, along with the additional security code, they will have lost control of the account.

What to do to protect your account

As often happens in other attacks that use phishing techniques, hackers use the human factor, which is the weakest link in the entire protection chain. To reinforce it, experts recommend adopting the following measures:

• Be wary of requests by message. “It is important to remain alert and distrust any message that requests personal information or click on links, even if it appears to come from a known contact,” recommends the Russian multinational Kaspersky. Attacks are becoming increasingly sophisticated and it is easy to let our guard down when we believe that it is a family member or friend who is writing to us. Likewise, you should never click on a link if you are not 100% sure of its origin.
• Contact the sender by another means. Cyber threat actors often try to trick their victims by posing as family or friends. If this happens, a good solution is to contact the friend or family member by another means — a phone call may be enough — to verify the person’s identity.
• Activate two-step verification. WhatsApp includes an extensive list of security recommendations to protect the account as much as possible. Among them, it is essential to make sure you have two-step verification activated (within the app itself, in Settings > Account > Two-Step Verification). When activated, the platform asks you to create a six-digit PIN and, in case the user forgets it, gives you the option of adding an email account to recover it.
• Use antivirus and have the device updated. The use of antivirus on cell phones has always been a source of controversy, especially on the iPhone, but it represents an additional layer of security to detect malware: it works by analyzing and detecting links that may arrive through WhatsApp. Keeping both the WhatsApp app and the phone’s operating system updated also ensures that the latest vulnerabilities are addressed.

Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition