WhatsApp Web Hit by Phishing Scam: What You Need to Know
Beware – it’s phishing day for the chronically online crooks called scammers. And this time, they are readying their fishing rods at WhatsApp; more specifically, users of WhatsApp Web.
Malware scam? What’s that?
What is phishing?
Phishing is essentially the same as fishing – just online, and a lot more wicked. In this type of scam, scammers disguise themselves as official websites or text messages, tricking victims into revealing sensitive information like their passwords or bank details.
Sometimes, scammers may even gain access to a victim’s device by downloading malware on it.
Unluckily for us, scammers are getting creative – which explains the many types of phishing scams we have to look out for. However, we have to be especially cautious when it comes to QR code phishing.
QR code phishing
Unless you’ve been living under the world’s biggest rock, you’ll probably know what QR codes are. They are square-shaped barcodes, filled with squiggly pixels – which when scanned, take you to websites or applications. Sounds simple and convenient, right?
But there are dangers, too. Since there are no ways of telling which website you’d be taken to, you are at a huge risk of being transported to a fake website.
And this is exactly what happened in the new WhatsApp Web scam.
New WhatsApp Web scam uses fake website to gain access to victims’ accounts
If WhatsApp Web sounds unfamiliar to you, it’s a handy way in which you scan a QR code to use WhatsApp on your computer. After reading all that about QR code phishing – or quishing – I’m sure you know what can go wrong.
In this scam, scammers created fraudulent versions of the official WhatsApp Web website. These malicious websites were accidentally accessed when victims searched for WhatsApp on online search engines and clicked on the first few search results (usually ads) without verifying the URL links.
This phishing site contained a genuine QR code taken from the official WhatsApp website – which meant when the victims scanned it, remote access to the account was given to the scammers.
Upon scanning it, victims found that instead of bringing them to WhatsApp Web’s desktop interface – the page became unresponsive. However, assuming that it was just an untimely freeze, they did not suspect that their WhatsApp accounts had been compromised.
Scammers would use victims’ accounts to carry out unauthorised actions
Meanwhile, with access to the victims’ accounts and messages, scammers would pretend to be the victim and message their contacts to ask them for money. Sometimes, they also requested personal details or online credentials like passwords.
As the victims could still access their WhatsApp accounts while the scammers used the victims’ accounts to conduct scam activities, the victims would only discover that their accounts were compromised when their contacts informed them of unusual requests made from their accounts.
Victim lost $35,00 in this scam
According to The Straits Times, one unlucky victim, a sales specialist named only as Mr Louis, lost $3,500 in this scam on Wednesday, 1 November. He had received a WhatsApp message from his close friend and colleague Amer Shazally Rosni requesting a $3,500 loan, and believing it to be legitimate, sent the money through PayNow without questions.
After the first transfer, “Mr Amer” requested another transaction of $3,500 to another bank account, explaining that he could not access his account. Mr Louis, who was engaged in work at that moment, transferred the money for the second time – this time to the account “Mr Amer” specified – in other words, to the scammer.
But then “Mr Amer” messaged again, saying that the money was not enough and that he needed more. Mr Louis, who quickly began to smell a rat, immediately called Mr Amer – who responded that he had not sent any of those messages.
Upon investigating, Mr Amer found out that a scammer had infiltrated his WhatsApp account and had messaged seven different contacts, requesting money from each of them.
Only Mr Louis had sent the money.
To make things sneakier, the scammer even archived the conversations – so that Mr Amer could only see them if he clicked on a separate folder, where WhatsApp stored archived chats.
Mr Amer, who works in the automotive industry, recalled scanning a QR code to use “WhatsApp Web” earlier that morning. The code, which was fraudulent, authorised the scammer access to his device.
After the scam, Mr Amer logged out of all his linked devices – explaining that he doesn’t dare use WhatsApp Web anymore.
Actress Aileen Tan was also affected; “Husband” demanded HK$10,000 through WhatsApp
Mr Louis was not the only victim. Local actress Aileen Tan was also affected – with a scammer pretending to be her husband Gerald Lee and messaging her on WhatsApp to ask for HK$10,000 (equivalent to SGD 1730).
Thankfully, the real Gerald Lee warned her about the scam in time, notifying her that his sister was also asked by the scammer for cash.
The actress suspects her husband’s account was compromised by logging onto a fake WhatsApp website – the same way Mr Amer did.
4 ways to spot this scam
However, despite all this, I’m not asking you to steer clear of WhatsApp Web completely. Using it is a great way to type out an important message without typo-ing to oblivion; and as long as you are on WhatsApp’s official website, you’re all good.
All you have to know is how to spot this scam.
First, check the URL address of the website. If it’s different from the original website (for WhatsApp Web, it is https://web.whatsapp.com) – do not click it. Avoid it like wildfire.
Second, as advised by the police – never share your WhatsApp account verification codes, personal information, banking details and OTPs with anyone.
Third, beware of unusual requests sent by your contacts on WhatsApp. Yes, even if your mother messaged you asking for some money, investigate first.
Lastly, checking your linked devices regularly to check if anything suspicious is happening is also highly important. To do that, go to WhatsApp Settings > Linked Devices to review all devices linked to your account. To remove a linked device, tap the device > Log Out.
If you want to be extra secure, you can also enable “Two-Step Verification” on WhatsApp, which makes you enter a unique PIN to access your account.
For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Helpline at 1800-722-6688.