How identity theft works on WhatsApp and what you can do to prevent it

According to security experts, a growing number of people are falling victim to SIM swapping, a scam used by hackers to access passwords and empty bank accounts

To carry out SIM swapping, only a phone number is needed.
To carry out SIM swapping, only a phone number is needed.Picture Alliance via Getty Images

Daniel Trejo had no idea his WhatsApp account has been hacked until he received a call from his mother. “She asked me if my house was going to be repossessed, that she had received a message from my number asking for money,” he says. Trejo had become the latest victim of a scam known as SIM swapping, whereby a phone number is cloned and used by identity thieves by assigning it to a new SIM card, after which they are able to access passwords and empty bank accounts. In order to carry out this cloning, thieves make use of a mechanism that is available on the dark web for around $200, or even with inside help from corrupt employees at cell phone companies who cut off the user’s service.

Dmitry Bestuzhev, director of research and analysis for Latin America at cybersecurity company Kaspersky, says that an increase of 120% in the theft of accounts has been detected over the past 12 months, as well as in the distribution of phishing and ransomware via instant messaging applications, with WhatsApp being the most popular. “It’s all about social engineering. All a criminal needs is our phone number to set the process of identity theft and extortion in motion,” Bestuzhev explains.

To carry out SIM swapping, only a phone number is needed. The user will find their services cut off for a few minutes, which is sufficient time for a hacker to take control of the messages the user will have received and any archives shared on the network. “Many people share very sensitive information, and in a very short space of time the victim has lost control of their accounts,” says Bestuzhev.

In the course of just a few moments, Daniel Trejo became the victim of several crimes: identity theft, attempted extortion of his contacts and also the removal of 2,000 pesos (around $100) from his bank account. “Fortunately, none of my contacts made the deposit they were asking for, pretending that I was asking them to do it because they were going to repossess [my home],” he says.

Of the 84.1 million internet users in Mexico, 75% use WhatsApp to stay in touch with family and friends, according to data from Mexico’s Federal Telecommunications Institute, but fewer than 20% use two-step verification to prevent hackers from accessing their account. The verification method used by WhatsApp is very simple: a user just has to go settings and type in a six-digit PIN number. “Criminals may be able to get hold of this number, but once they have been attacked, they are no longer able to do anything,” says Bestuzhev.

Another method employed by cybercriminals is the use of voice bots that make calls via which they can assume control of an account. Through social engineering, hackers can make a fake call from those companies that follow the user and trick them into revealing passwords that are then used to take control of their accounts. “Even family members of security professionals have fallen victim to this crime,” notes Bestuzhev.

Of the 84.1 million internet users in Mexico, 75% use WhatsApp.
Of the 84.1 million internet users in Mexico, 75% use WhatsApp.Moisés Pablo (Cuartoscuro)

Keys to ensuring security on WhatsApp

The first thing Bestuzhev recommends is setting up two-step verification and creating a strong password that is not easy to guess – the classic 123456, for example, is an open invitation. Additionally, the specialized website WABetaInfo has detailed some security measures that can be put in place to prevent hackers from accessing data.

Firstly, users should establish a robust security configuration, avoid showing when they were last connected (the “last seen” function in privacy settings) and make their profile images unavailable to anyone not in their contacts list. Furthermore, if the user is included in groups with lots of people, it is advisable to set up a privacy configuration that keeps any sensitive data hidden.

User behavior is also important, given that that database leaks are a frequent occurrence. In a single month in April, 2021, 553 million Facebook users had their data stolen, among which were telephone numbers – the first step for hackers to steal identities or hijack accounts.

A golden rule for WhatsApp groups is to avoid opening links, above all when they lead to news stories that look strange, as these could well be malicious URLs via which ransomware and viruses can be installed. Likewise, it is important to avoid sending account numbers, bank statements and other sensitive information via WhatsApp. “It is important to understand that WhatsApp is not a secure platform, although many people think it is. The best thing to do is to not share delicate information,” Bestuzhev concludes.

More information

Recomendaciones EL PAÍS
Recomendaciones EL PAÍS