Multiple police forces in the UK have issued warnings about a widespread scam targeting WhatsApp users.
In the scam, fraudsters who already control one WhatsApp user’s account message one of that user’s contacts while posing as them. The message arrives at around the same time as a text or email from WhatsApp to that same contact containing a verification code, which the hacker has triggered by pretending to be that contact.
The scammer explains that they accidentally requested the code to be sent to the contact’s number and asks that they send it over to them.
If given, the code will enable the scammer to take over the account. This allows them to read private messages and try further scams on a new set of contacts.
One of the UK police forces that warned of the scam, Southwark Police, said in a tweet: “We have seen a surge in WhatsApp accounts being hacked, if you are sent a text from WhatsApp with a code on it, don’t share the code with ANYONE no matter who’s asking, or the reason why.”
On an FAQ page, WhatsApp has provided further information about the scam and steps users can take to protect themselves from hackers. These include:
- Never share the six-digit registration code you received via SMS with others
- Enable two-step verification
- Protect your data, for example by only allowing your contacts to see your profile photo
Any individual who receives such a message from one of their contacts is advised to call them so they can verify in person.
The security code scam has been used in the past but has recently resurfaced.
Security experts have warned that the growing use of WhatsApp for both business and personal conversations has made it an enticing target for malicious actors. Javvad Malik, a security awareness advocate at KnowBe4, commented: “WhatsApp has been popular among individuals, but it’s also gaining popularity with businesses, and as a result it is becoming an even more attractive target.
“Criminals that gain access to WhatsApp accounts can launch attacks against contacts, snoop on conversations or try to compromise business accounts or conduct fraudulent transactions.
“Users of WhatsApp and other messaging platforms need to remain vigilant at all times and be suspicious of unexpected or unknown messages. If a friend makes an unusual request, they should try to contact them outside of WhatsApp to determine if the request is genuine or not. Similarly, secure login codes or MFA codes sent via text or in the app should never be shared with anyone.
“Organizations should also ensure staff are provided appropriate security awareness about the risks that can manifest through social media and chat applications and ensure any suspicious activity is reported.”
Burak Agca, a security engineer at Lookout, believes that social media companies like Facebook, which owns WhatsApp, need to do more to protect their users from these kinds of tactics employed by scammers.
“Rather than vulnerabilities, or a compromise of their services, WhatsApp (Facebook) has a growing issue in keeping its customers’ confidence. The continuous re-emergence of this forwarding scam from within the app isn’t very surprising. If you consider the increased volume of cybercrime, attackers will inevitably reuse previously successful tactics and campaigns,” he outlined.
“We have seen the reporting qualifying that over 10 billion credentials have been made freely available on the internet this year alone. The 100GB “RockYou2021” TXT file leaked 8.4 billion to a dark web forum. Personal data of over 530 million Facebook users was posted in a low-level hacking forum, and 700 million accounts have just been released up for sale on RaidForums by a hacker calling himself 'GOD User TomLiner.' That is before a single reported breach by companies is accounted for. With that, attackers now have an almost limitless pool of users to go after.
“This incident exemplifies how a threat actor doesn’t have to be an advanced cyber-criminal or nation-state. The bar to entry is very low now as pre-built phishing kits and malware are available for as little as a few dollars online. Your contacts represent a significant part of your digital footprint and exposure. Think about how many people you communicate with every day using WhatsApp. Over the years, through all your conversations, there could be significant amounts of sensitive information shared amongst friends and colleagues alike.”