Last year, text scammers prowling around on messaging platforms like WhatsApp sent a staggering 19 million messages in December alone. When ploys like these can rake in over $10 million in a matter of months, it's easy to see why.
Which WhatsApp messages are real this year, and which are not? With social engineering attacks, it's increasingly hard to tell. Here's a look at the most probable WhatsApp scams in 2024 and what you can do to avoid them.
Family Member Impersonation Scam
"Are you my mother?" The first kind of scam that has kept its popularity this year is known as the "Mum and Dad scam." Here's the breakdown:
- Cybercriminals will contact WhatsApp users posing as a loved one, usually a child or sibling.
- They will say that they lost their phone and are messaging from a new number.
- Once trust is established, they will convince the family member that they are in financial trouble and ask for a cash transfer to help pay a bill.
WhatsApp users fall victim to this scam due to the sincere belief that the scammer is their family member, and an honest desire to help. However, some banks are savvier than well-meaning mothers and will block a transfer that the system recognizes as suspicious.
The Wrong Number Scam
This is the case of the scammer-turned-conversationalist. They will send you a text, asking if you are "John Smith" from XYZ business. When you reply that you aren't, they'll persist with chatty questions hoping to engage you.
Once you've responded, they count on your interest being piqued and present a delectable investment opportunity. "It must have been fate," they reply. Don't reply.
Two-Factor Authentication Scam
In the 2FA (two-factor authentication) scam, the victim will receive a verification code they have not requested. Then, the following ensues:
- A person from the victim's contact list will message, explaining they entered their number by mistake.
- The contact requests the code.
- When the code is sent, the scammer uses it to complete a fraudulent login to the account of the victim, the very person who sent the code over in the first place.
This scam works by a cybercriminal entering information that they can view from your contacts' accounts, such as your name and number, and then requesting that a verification code be sent to complete the login. They prey on your instinctual trust to obtain the code, which lets them access your account as well. Once successful, they will do the same to your contacts, compromising as many accounts as possible.
Scamming the Fear of Missing Out
As far as WhatsApp scams go, this is an extremely versatile attack. These scams are often employed on WhatsApp and through traditional text messaging, like the NHS COVID-19 scam. The basic concept is to send a message that persuades the recipient to click on an external link, usually taking them to a page that masquerades as an official website for a corporation or organization. This is how they get you:
- Free Merchandise | Some messages will promise free merchandise in order to trick consumers into clicking the link, as with the Alton Towers, the Heineken Father's Day, and the Cadbury Easter Egg scams.
- Fear of Harm | Others will prey on people's fears, such as the NHS scam, which made recipients think they had been exposed to the Omicron variant of COVID-19 and needed to visit the website to obtain a free test (which the NHS does not offer).
- Fear of Missing Out | Others still will play on the fear of missing out and offer experiences of prestige, like the WhatsApp Gold scam, which promises access to an elite version of the app that does not exist.
In all cases, the goal is for the user to click a malicious link within the message, thereby initiating the next phase of the attack.
Check out this video posted by Dr. Jessica Barker, CEO of Cygenta, covering the WhatsApp Gold scam.
How to Protect Yourself from WhatsApp Scams
The most important piece of advice when it comes to avoiding these WhatsApp scams is to be wary of the messages you receive.
As Dr. Jessica Barker explains, these scam messages will often stick to a formula:
- They are unexpected communications
- They make you feel something
- They ask you to do something
Barker and other experts stress the importance of slowing down before taking action based on that initial emotional urge. Taking that into consideration, there are a few key things you can do to avoid falling victim, as suggested by Terranova Security.
- First, it is important to ensure that anyone claiming to be a loved one is who they say they are. There are several ways to verify this, from calling them to asking them a question only they would know.
- Look out for manipulative language.
- Second, never share verification codes or two-factor authentication codes with anybody.
- Third, never click on unfamiliar links from unknown numbers.
- As a general rule, don't send confidential information upon request.
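The three-part formula and the advice above can be expressed as a simple message triage check. This is an added example, not code from the article, Dr. Barker or Terranova Security; the `triage` function, the phrase lists, the phone numbers and the sample messages are constructed assumptions.

```python
import re

# Constructed phrase lists (assumptions for illustration, not from the article).
NEW_NUMBER = re.compile(r"new (number|phone)|lost my phone", re.I)
FEELING = re.compile(r"urgent|immediately|free|exposed|exclusive|fate|please help", re.I)
CODE_ASK = re.compile(r"\b(verification )?code\b", re.I)
MONEY_ASK = re.compile(r"transfer|pay (a|the|my) bill|send money|invest", re.I)
LINK = re.compile(r"https?://\S+", re.I)


def triage(sender, text, contacts):
    """Apply the unexpected / feel something / do something formula.

    Returns (markers, advice). `contacts` is the set of saved numbers.
    """
    known = sender in contacts
    markers, advice = [], []
    if not known or NEW_NUMBER.search(text):
        markers.append("unexpected")
    if FEELING.search(text):
        markers.append("emotional")
    # The 2FA scam arrives from a *known* contact, so a code request is
    # flagged regardless of who the sender is.
    if CODE_ASK.search(text):
        markers.append("asks:code")
        advice.append("never share verification codes with anybody")
    if MONEY_ASK.search(text):
        markers.append("asks:money")
        advice.append("verify identity: call them or ask a question only they would know")
    if LINK.search(text) and not known:
        markers.append("asks:link")
        advice.append("do not click unfamiliar links from unknown numbers")
    return markers, advice


# Constructed sample messages, one per scam type described in the article.
CONTACTS = {"+440000000001"}
SAMPLES = [
    ("+440000000099", "Hi mum, I lost my phone, this is my new number. Can you transfer money to pay a bill?"),
    ("+440000000001", "Sorry, I sent you my code by mistake, can you send it back?"),
    ("+440000000098", "You have been exposed. Order a free test: https://example.invalid/test"),
    ("+440000000001", "Running ten minutes late, see you at the cafe."),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, *triage(sender, text, CONTACTS), sep=" | ")
```

The second sample shows why sender reputation alone is not enough: the request for a code comes from a saved contact and is still flagged.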
As WhatsApp scams continue to threaten cybersecurity and target users with malware, phishing, and attempts to extort money, it is crucial to be on the lookout for common markers. Messages claiming to be from loved ones, corporations, or government organizations should be scrutinized to verify authenticity before any action is taken, and Fortra's Security Awareness Training is a great place to get your employees familiar with this information. This vigilance will help you protect your accounts, your money, and your information from cybercriminals.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.