Recognize and Avoid WhatsApp Scams

Today, WhatsApp’s 2 billion users send an average of 100 billion messages every day, and among those messages lurk scammers waiting to pounce. WhatsApp has become a straightforward way for fraudsters to distribute scam messages through various means in the hope that vulnerable users will fall victim to an online scam.

As a result of the platform becoming so accessible and widely used, WhatsApp cybercrime is rising, costing each victim thousands of dollars on average.

The purpose of this article is to inform you of the real-life WhatsApp scams out there, to help you recognize a scam, and to show you some ways to avoid being tricked by a fraudster.

The types of WhatsApp scams

Several types of WhatsApp scams are circulating, with the list set to grow as scams become more sophisticated. Take a look at some of the most common types of scams below.

Voicemail hacking

A common practice is for cybercriminals to gain access to a user’s WhatsApp account by breaking into their voicemail box to obtain the verification code. When you first install WhatsApp, it verifies the account by sending a text message with a six-digit code. A cybercriminal can set up WhatsApp on their own device using stolen account details.

Defrauding contacts is often straightforward for the criminal as they have contact names, profile pictures, and more. When it comes to WhatsApp sending the code by text, they select an option saying they never received the code, prompting verification by phone. The fraudster knows WhatsApp will call the victim’s phone immediately and calls the victim simultaneously, so the call goes to voicemail. A voicemail is left in the victim’s inbox, and generally, to the hacker’s benefit, the victim has failed to change the default PIN used to protect the inbox (usually something like 0000 or 1111). The hacker obtains the WhatsApp verification code and takes control of the account.

WhatsApp hijacking

Hijacking is a common method of gaining control of an unsuspecting user’s WhatsApp account to commit fraud. Hijacking consists of a cybercriminal obtaining the user’s phone number. They install WhatsApp on their own device, then contact the victim stating they are a friend and at the same time request a verification code for the victim’s account. They message the victim simultaneously, saying the code was sent by accident, to obtain the verification code and gain access to the victim’s account.

Impersonation scams

This type of scam usually involves the scammer pretending to be a friend, family member, or acquaintance, contacting a user from an unknown number (although the profile picture may be familiar), and immediately asking for money as a matter of urgency. The fraudster may entice the recipient with photos they’ve found of a friend on social media or may refer to events that the user has posted about on sites like Facebook.

Malicious links

External links are a simple scam method for fraudsters, enabling mass distribution of a URL that directs the recipient to a browser to complete a survey promising a freebie. The user completes the survey and parts with sensitive details such as their name, address, email address, and bank details. The fraudster can use these details for identity theft or sell them on to third parties.

Compromised apps

Although there are no current unofficial WhatsApp versions on the iOS App Store or the Android Play Store, there have been reports in the past confirming malware hidden in apps that were available for download. Once a user downloaded the compromised app, messages were propagated, sending links to the download page to other WhatsApp users to further spread the malware.

Real-life WhatsApp scam examples

The Rediroff.com scam

First up on our list is a scam that picked up circulation at the beginning of 2022. The Rediroff.com scam takes advantage of external links that typically start with Rediroff.com or Rediroff.ru. These links are spread and circulated unknowingly by the WhatsApp community. The links are often masked by a “click here to claim your prize” message, so users may not even see the actual URL.

Once clicked, the Rediroff.com link opens a phishing site promising grand prizes to the recipient if they follow specific tasks that make fraudsters heaps of money.

[Image: Rediroff WhatsApp scam example. Source: Twitter.]

The link in circulation has different variations, so each user’s tasks may differ. Generally, the user will need to complete a survey that includes their name, address, and card details (to deliver the “prize”) that can be used to steal from them. Another link variation will automatically collect the name, IP address, age, and address. Once the fraudster has your personal information, they can commit identity theft or sell the data to third parties for a profit.

What’s clever about this scam is the requirement to share the link with friends on WhatsApp to be eligible for the prize, which, unbeknown to the recipient, creates more opportunities for the fraudsters to scam more people.

The conversation starter scam

A more straightforward scam that is going around involves a scammer messaging a user with something like “May I ask who this is?” or “Sorry, I didn’t recognize you” as a means of getting a reply from the recipient. Once they reply, that’s the “in” for the scammer to fool the user into handing over their name, email address, social media handles, and even payment info.

The Hi Mom/Dad scam

This next scam that emerged around Christmas 2021 plays on emotions to fool unsuspecting users into emptying their bank accounts with a simple “hello mom” or “hello Dad” conversation starter.

How does the Hi Mom/Dad scam work?

The fraudster messages from their own device with an unknown number, pretending to be the recipient’s son or daughter. To try and make the messages look authentic, they state they’ve lost or damaged their phone (hence the unknown number).

[Image: WhatsApp impersonation scam messages]

The message has several variations but says something like, “Hey Dad, I have a new number as my phone is damaged.” When they get a response, the scammer continues by fabricating a story about the son or daughter needing urgent access to their online banking app, but they’ve been locked out.

“Well, Dad, I can’t do the banking using my own phone number. I have a payment that must be paid today at the latest. That’s now impossible.”

“Because of the security checks which are linked to my old number. Might it be okay if you pay the payment until I get back into my banking? That will be on Friday.”

The father then makes a payment via bank transfer (or PayPal etc.) and loses the money. Around £50,000 has been lost to this scam at the time of writing.

WhatsApp hijack scam

This one involves a scammer attempting to gain control of your WhatsApp account by requesting a verification code and then pretending to be a friend or relative to get you to reveal the code.

How the WhatsApp hijack scam works

A fraudster uses their own device or a stolen WhatsApp account to send users a message that says it is from a friend or relative. Around the same time, they trigger the six-digit WhatsApp verification code that you’d request to regain access to your account. The message, sent to you by SMS or email, reads, “Your WhatsApp Code is 101-010, Don’t share this code with others.” They pretend the verification code was sent by accident, saying something like, “Hey, it’s John; I’ve just sent a verification code to your number instead of mine. Could you forward it across?”

If the victim forwards the code, this gives the scammer full access to their WhatsApp account, letting them target all account contacts and read private messages that could contain passwords and other sensitive information.

How to recognize a WhatsApp scam

Although we’ve listed some of the most common examples of WhatsApp scams, that’s not to say new scams won’t arise. To ensure you don’t fall into the trap of such a scam, there are a few signs to familiarize yourself with to help you recognize a scam.

  • So long as the scammer hasn’t hijacked somebody’s WhatsApp account, scam messages will come from an unknown number.
  • Fraudsters contacting you from an unknown number may tell you they are a friend (in your contacts) and they’ve changed numbers.
  • Scam messages are often written in poor English and consist of several spelling and grammar errors.
  • There’s usually a sense of urgency with the message, such as an “act now” type of text to get you to part with sensitive details or pay a fee before it’s too late.
  • Messages may start friendly, but the conversation may quickly turn to discussing money.
  • The scammer may ask you to transfer money using a method like PayPal that doesn’t require bank account details.
  • They do not answer your calls if you try to contact them.

How to avoid WhatsApp scams

Familiarizing yourself with the types of WhatsApp scams and knowing how to identify them is helpful, but it’s more beneficial if you can prevent these scams altogether.

Check out the best practices below to give yourself a fighting chance at preventing WhatsApp scams:

  • If you receive a message from a number saying it’s from PayPal, for example, long-press the included link and analyze the URL to see if the web address matches the official PayPal website.
  • Messages from unknown numbers asking for money are usually malicious. We’d recommend confirming with your friend via another communication method before acting.
  • Try calling the number of a contact you don’t recognize, and if nobody answers the call, send an SMS to your friend’s old number asking if it’s them contacting you.
  • You can add a PIN code to your voicemail service, which will insert a barrier between you and a fraudster, preventing them from retrieving WhatsApp verification codes from your voicemail.
  • Activate WhatsApp 2-step verification. Once enabled, WhatsApp will send a verification code to your default device when someone tries to log in from another device.
  • Take a closer look at the language used in the messages you receive, asking yourself whether this unknown contact sounds familiar and whether their spelling and grammar are off compared to normal.
  • If someone claims to be from your bank or mobile phone provider and states that urgent payment is required, take a step back and consider the message’s legitimacy and how much difference a day or two could make by not paying.
  • Send a reply to the scammer asking something only your contact would know (like their pet’s age). If they don’t reply, you have an idea that it’s a scam.
  • Got a request for a verification code via WhatsApp? Before you check your inbox (or another verification method) and hand over the code, consider if it’s a code you personally requested.
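
The URL check from the first tip in this list can also be done programmatically. The Python sketch below is an added example, not part of the original article: it extracts links from a message, compares each hostname with the domain the sender claims to represent, and flags the Rediroff domains named earlier; the function names and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Domains named in this article as the start of scam links.
KNOWN_SCAM_DOMAINS = {"rediroff.com", "rediroff.ru"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url):
    """Return the lowercase hostname of a URL, without port, userinfo or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_same_or_subdomain(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_message(text, claimed_domain):
    """Classify every link in a message against the domain the sender claims to be."""
    results = []
    for url in URL_RE.findall(text):
        host = host_of(url)
        if any(is_same_or_subdomain(host, d) for d in KNOWN_SCAM_DOMAINS):
            verdict = "known-scam"
        elif is_same_or_subdomain(host, claimed_domain):
            verdict = "matches"
        else:
            verdict = "mismatch"
        results.append((host, verdict))
    return results


# Constructed sample messages (not real captures).
SAMPLES = [
    "PayPal: confirm your account at https://www.paypal.com/signin",
    "PayPal: confirm now https://paypal.com.account-check.example/login",
    "PayPal notice http://paypal.com@login.example/verify",
    "Click here to claim your prize http://rediroff.ru/abc123",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(check_message(msg, "paypal.com"), "<-", msg)
```

The second and third samples show why the comparison is made on the parsed hostname rather than on the text of the link: both contain "paypal.com" but resolve to a different site.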

How to report a WhatsApp scam

If you believe you may have been a victim of a WhatsApp scam, you can report it to WhatsApp by following these steps:

  1. Android: Open WhatsApp, hit More Options, and head to Settings>Help>Contact Us to submit a scam report.
  2. iOS: Open WhatsApp, tap Settings>Help>Contact Us.

How to report a suspicious phone number

WhatsApp takes concerns over suspicious contact numbers seriously. You can report questionable numbers to WhatsApp by following these steps:

  1. Open the chat relating to the suspicious contact.
  2. Open the chat details to find the number, group, or contact name and their account information.
  3. Scroll to the bottom of this section and select Report Contact or Report Group.