WhatsApp Scams in 2022: What to Look out for | The State of Security

WhatsApp is ranked as the most popular mobile messenger app in the world.  In fact, there are two billion active users on the app. This is an incredibly large audience. Unfortunately, it is also a huge number of potential victims for criminals to target. Cybercriminals are increasingly using WhatsApp as the medium for their attacks, and while people have become generally more wary of email phishing over the years, cybercriminals have adapted their tactics, implementing more sophisticated methods of phishing.  These tactics include an expansion into text messages, social media, and communication apps like WhatsApp.

Victims of certain WhatsApp scams are losing thousands of dollars to cybercriminals who deceive them into transferring money for a variety of reasons. The British Lloyds Bank reports a 2000% increase in WhatsApp scams in the past year. Other types of scams attempt to target users with malware or gain access to their accounts.

Dr. Jessica Barker, CEO of Cygenta, recently posted a video discussing prominent examples of WhatsApp scams in 2022, explaining how to avoid falling victim to them. Below is a summary of notable scams and how to avoid them.

Cybercriminals Impersonating Loved Ones

The first kind of scam that has been gaining in popularity this year is known as the “Mum and Dad scam,”
a form of impersonation fraud where a cybercriminal pretends to be a loved one in order to trick a relative into sending them money. Cybercriminals will contact WhatsApp users as a loved one, usually a child or sibling, saying that they have lost their phone and they are messaging from their new number. They will then convince their target that they are in financial trouble and ask for a cash transfer in order to help them pay a bill.

WhatsApp users fall victim to this scam due to the belief that their loved one is contacting them, and their desire to help. Some banks will block a transfer that the system recognizes as suspicious, stopping the target of the scam from sending the money. On the other hand, many targets of this scam have sent the money and been unable to get it back.

Two-Factor Authentication Scam

Another type of WhatsApp scam is called a “2FA (or two-factor authentication) scam.” In this kind of scam, a person will receive a verification or authentication code that they have not requested. This is closely followed by a message from a known contact saying that their code was sent to the wrong person by mistake, and requesting the code that was sent. In reality, the contact in question is somebody who has already fallen victim to the scam and whose account is compromised.

This scam works by a cybercriminal entering information that they can view from your contacts’ accounts, such as your name and number, and then requesting that a verification code be sent to complete the login. They prey on your instinctual trust of the contacts that you already know and recognize in order to obtain the code, which lets them access your account as well. Once successful, they will do the same to your contacts, compromising as many accounts as possible.

Fake Links and the Fear of Missing Out

An extremely versatile form of attack is one that is known by a variety of names, depending upon which iteration of the scam is taking place. Some notable examples are the WhatsApp Gold scam discussed in Dr. Jessica Barker’s video, the Alton Towers scam, the Heineken Father’s Day scam, and the Cadbury Easter Egg scam. The basic concept is to send a message that in one way or another persuades the recipient to click on an external link, usually taking them to a page that masquerades as an official website for a corporation or organization. These scams are often employed on WhatsApp, and through traditional text messaging, like the NHS COVID-19 scam.

This scam varies in both method and purpose. Some messages will promise free merchandise in order to trick consumers into clicking the link, as with the Alton Towers, Heineken, and Cadbury scams. Others will prey on people’s fears, such as the NHS scam, which made recipients think they had been exposed to the Omicron variant of COVID-19 and needed to visit the website to obtain a free test (which the NHS does not offer). Others still will play on the fear of missing out and offer experiences of prestige, like the WhatsApp Gold scam, which promises access to an elite version of the app that does not exist. In all cases, the goal is for the user to click a link in the message.

Some of these links lead to malware which can infect devices and disrupt their function. Others will ask for a payment of some kind, often a low sum which is allegedly paying shipping and handling for “free” items. Some will simply ask for information, such as a user’s address, phone number, or email. In all cases, cybercriminals are counting on you clicking the link in their initial message so they can implement the next phase of their attack.

How to Protect Yourself

The most important piece of advice when it comes to avoiding these scams on WhatsApp is to be wary of messages you receive. As Dr. Jessica Barker explains, these scam messages will often stick to a formula: they are unexpected communications, they make you feel something, and they ask you to do something. Barker, and other experts stress the importance of slowing down before taking action based on that initial emotional urge. Taking that into consideration, there are a few key things you can do to avoid falling victim.

First, it is important to ensure that anybody claiming to be a loved one is actually who they say they are. There are several ways to verify this, from calling them to asking them a question only they would know. Second, never share verification codes or two-factor authentication codes with anybody. Third, never click on unfamiliar links from unknown numbers.

As WhatsApp scams continue to threaten cybersecurity and target users with malware, phishing, and attempts to extort money, it is crucial to be on the lookout for the common markers. Messages claiming to be from loved ones, corporations, or government organizations should be scrutinized to verify authenticity before any action is taken. This vigilance will help you protect your accounts, your money, and your information from cybercriminals.

About the Author: PJ Bradley is a writer on a wide variety of topics, passionate about learning and helping people above all else. Holding a bachelor’s degree from Oakland University, PJ enjoys using a lifelong desire to understand how things work to write about subjects that inspire interest. Most of PJ’s free time is spent reading and writing.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.