Singapore Police Warn Of New Variant Of WhatsApp Phishing Scams

Millions of WhatsApp users have recently received a new alert message following the discovery of a new phishing scam targeting user accounts. It appears that users of the messaging app who want to view their messages via the popular WhatsApp Web feature are becoming vulnerable to scams.

The Singapore police released a media statement on October 27 alerting the public about fake websites designed to trick users into providing criminals access to their WhatsApp accounts. People wishing to use WhatsApp on their personal computers often use search engines to find the official website.

Unfortunately, many of these websites are phishing sites that use authentic QR codes stolen from the authorised website. When inexperienced users scan these QR codes, they are directed to unresponsive websites rather than the legitimate WhatsApp Web page.

Phishing site of the official WhatsApp website (Singapore Police)

Scammers used expertly designed links to trick users into visiting phishing websites that closely resemble WhatsApp’s official page. They took meticulous steps to include authentic QR codes from WhatsApp’s official website on their malicious webpages. Through this scam, they were able to deceive victims into unknowingly giving them remote access to their accounts.

Cybercriminals who embed QR codes into phishing websites can use them to gain unauthorised access to victims’ WhatsApp accounts.

Once inside, they may engage in fraudulent activities such as asking the victim’s contacts for personal information or banking credentials, or requesting money transfers to a particular bank account.

Victims may have noticed that the QR codes on the fake phishing websites did not link them to the desktop version of WhatsApp Web. They did not realise their accounts had been compromised because they could still use WhatsApp.

Victims would only realise their WhatsApp accounts had been stolen after receiving warnings from their friends about strange activities, such as money transfers or requests for online banking information.

Recommendations

WhatsApp scams are becoming more complicated, making them more difficult to detect without a good eye for warning signs. Fortunately, most fraudsters tend to follow similar patterns, which may help you identify potential risks easily.

Make sure to use the official Desktop App or visit the legitimate website to use WhatsApp Web. Enabling two-factor authentication is a critical security step for protecting your WhatsApp account. While no security solution is 100% foolproof, two-factor authentication adds an extra layer of security and significantly enhances the overall security of your WhatsApp account.

Regularly review and manage your linked devices on WhatsApp to enhance security. If you notice any unfamiliar devices, you can select the device and log out to disconnect it.

Report and block any suspicious chats or users as soon as possible. When you detect a potential fraud, you must act quickly and terminate communication. Messages are reviewed by human content reviewers as well as artificial intelligence tools when they are reported. They review the last five messages you received from the reported contact to ensure they comply with WhatsApp’s Terms of Service.

These agreements explicitly ban the release of false communications as well as any efforts at fraud. If it is discovered that the reported communication does indeed breach these usage rules, the account responsible for sending it will be suspended.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology, you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks. 