Skip to content
Naked Security Naked Security

Police warn of WhatsApp scams in time for Social Media Day

Happy Social Media Day! Make it a day to review whether your social media security really is up to scratch.

You might be forgiven for thinking that every day is social media day, given how much gets shared each day via social media services.

For the past 11 years, however – yes, we’ve been addicted to social media for at least that long – the date 30 June has been given capital letters and referred to as Social Media Day, a 24-hour period when we are supposed to…

…well, we’re not entirely sure how you cheer about any one day of social media content more than any other, so we can’t advise you how to celebrate #SocialMediaDay.

But we do think that #SocialMediaDay is a great excuse to take a few minutes to stop and think about how to improve your safety and security on social media in general.

Indeed, police in London, UK warned only yesterday – on social media, of course! – about the resurgence of a WhatsApp scam designed to trick you into handing over login codes so that crooks can take over your account:

Hijacked accounts used for hijacks

We’ve discussed this scam before on the Naked Security podcast, because it’s a good reminder of how cybercriminals use one hijacked social media account to target others.

The idea is simple.

Closed-group instant messaging and social media communities don’t suffer from spam in the same way that your email account does, because you can set up your account so that only approved contacts such as friends and family can message you in the first place.

That means, however, that you’re more inclined to trust messages and web links that you do receive, because they generally come from someone you know.

You may have friends who try to shock you for a laugh, or rickroll you, or to tell you zany stories that you aren’t really interested in, but they’re unlikely to set out with the intention of tricking you into installing malware, filling in a fraudulent web form, or investing in an outright scam. In contrast, your email feed is probably littered every day with messages from unknown senders who are deliberately trying to pull of one or more of those very cybercrimes.

It’s not who you know

Strictly speaking, of course, you can’t always rely on the fact that social media messages in closed groups come from someone you know, but merely that they come from the account of someone you know.

And if you have ever had a password compromised, you will be well aware of the sinking feeling that comes with realising that someone else has control over one of your online accounts.

Suddenly, someone else gets to put words in your mouth, to post images that claim to be yours, to riffle through all your protected posts, to get in touch with your friends under your name, to root around in the profile data in your account, to decide who you’re following and who’s allowed to follow you, and much more.

Even worse, a crook who takes over your account may be able to reconfigure your security settings so that they’re in and you’re locked out.

If that happens, you will probably end up in lengthy back-and-forth negotiations with the social media service concerned in order to prove not only that your account was stolen in the first place, but also that you are, indeed, the rightful user to whom it should be restored.

And during the back-and-forth process to recover your account, the crook who took it over will typically retain control, giving them more than enough opportunity not just to harm your reputation or steal your personal data, but also to prey on your friends and family…

…who will be more inclined to trust any fraudulent messages they receive, for the very reason we mentioned above, namely the reasonable assumption that friends generally don’t foist spam messages, phishing tricks, malware attacks and scams on their own friends.

Need money urgently

You’re probably familiar with the “need money urgently” scams that have circulated for years via hacked social media accounts.

In these scams, crooks use an account they have taken over to pretend to be friend of yours who has mugged while on vacation (practically homeless, no ID or cards, please send a wire transfer at once!), or to be having trouble paying pack a payday loan (deadline is midnight tonight to avoid heavy interest, please pay this bill for me right now!), or some other reason that tugs at your heart strings.

Those scams go after your money, but a recent variant involves going after the accounts of people you know.

In this modern variant of the “mugged abroad/send money now” trick, a message will arrive from a friend’s account with a cock-and-bull story to the effect that this friend inadvertently copied-and-pasted your phone number into their own WhatsApp account.

As a result, the scammer will say, they are now on the point of being locked out of their own account because their security codes will go to your phone instead of theirs from now on.

Would you be so kind, your “friend” will ask, as to forward the next security code you receive to them?

That way, they can “sort the mess out” and reset the phone number on their own account, so that you won’t get bothered by the SMS codes any more?

Never do this!

The only true part of this scam is that you won’t be bothered by SMS security codes any more – because the crook won’t be changing the phone number on your friend’s account (they’ve already done that), but will reset the phone number on your account instead.

You won’t be helping your friend retain control of their account; you will be actively particpating in compromising your own!

Once the crooks are in, they’ll then use your account to go after the accounts of your friends and family, and so on, and so on.

What to do?

  • Never share security codes for any online service with anyone. If you’ve turned on 2FA on your various accounts, good for you. It’s not a silver bullet, so it can’t guarantee that your account won’t get hacked, but it does make things harder for the crooks. Don’t play the ball back into their court by sharing those secret codes with other people, no matter how convincing their story sounds.
  • Regularly review the privacy settings on all your accounts. Unfortunately, each social media service typically has its own set of privacy menus and security options, so we can’t give you a generic tip that will work for all of them. But it doesn’t take long to explore the privacy and security menu of your various online accounts. We like to take screenshots of important configuration pages, which serve as a handy reference to find those settings again.
  • Never use the same password on more than one account. If crooks compromise one of your accounts (which needn’t be your fault, for example if a service suffers a data breach of its password database), you can assume they will try that password right away on all your other accounts, just in case they get lucky.
  • Guard your email account at least as strongly as any other account. That’s because your email service is often the route by which you reset passwords on your other accounts if something goes wrong. A crook who can take over your email account typically moves one step closer to controlling all your other accounts at the same time.
  • Never trust messages simply because they come from a friend’s account. Just as importantly, if a weird message from a friend’s account makes you think they’ve been hacked, don’t message them back via the same service to warn them . If you’re right, your real friend will never see the warning, and you will have tipped off the crooks that you are onto them. Contact your friend some other way instead.

6 Comments

What is the current view of the security of the password managers built into email clients?
Because of the regular “polling for new mail” nature of these clients strict 2FA would be a PITA even if it was available; so where do the compromises lie?
Are you relying on your screen saver password!

Many email clients (including web-based ones like Outlook.com) have a “remember me for next time” option to reduce the number of times you need to enter a 2FA code. Likewise, mobile phone apps tend to do this by default once you’ve logged in so that you don’t need to type in your password often.

My approach is to log out formally from email in my browser every time I shut dowm my computer, so I force myself to re-do 2FA once a day. Likewise, I regularly (but not every day) use the “log me out” menu option in the various email and social media apps on my phone (annoyingly, they are all different in where and how to do this), which similarly forces me to reauthenticate next time.

Most people don’t like this sort of hassle so they do leave themselves logged in for ages at a time (days, weeks, perhaps even months if the service will let them), which I don’t recommend…

…but as long as 2FA kicks in whenever a new device tries to log in, you still get some protection from a simple “password only” takeover by a crook.

Having said that, most people’s phones or laptops, even if they are the most aggressive adopters of 2FA, tend to be in a state where anyone who finds them unlocked will have instant access to many or most accounts. So, yes, that lock screen password really is important. (And even if you logout from everything annd shut down your laptop fully every time you leave the room, whoever else it around… you still want to set a fairly aggressive “autolock” setting – I suggest 5 minutes as a maximum – just in case you forget, or an emergency crops up where you simply don’t have time to take your usual manual precautions.)

Thanks – partly cover my concerns

1. I use a password manager that handles browser based passwords – that can have 2FA applied to it.
2. I use an Email Client to access multiple email accounts (Thunderbird) which not being a browser has to hold its passwords in its own password manager. Q. (My original question): How secure are these password managers? Can an on-line intruder – or walk-by access the password file and decrypt it? The master password to the email client’s password manager does not have 2FA – so is vulnerable to shoulder surfing.
3. When my Email client polls for new mail it does not do a 2FA hand-shake with my email-server (managed by my hosting company) – so I cannot see how I can implement 2FA when using an Email client to access emails. (Accessing the email-server to change passwords, create accounts etc. which is done through a browser (and cPanel) can be 2FA protected if you have a compatible smart phone.)
4. I am not aware of a way to “lock” my email client password manager other than by closing the client.
5. Abandoning the email client (and all the associated functionality) is not a very attractive option!

Does that mean that if your CFO has set up their email to also work on their home email client, have they opened a vulnerability?

It’s many years since I used Thunderbird… I don’t know how secure its password storage is.

Back in my own pre-webmail days I didn’t let my email client remember my IMAP/POP3 passwords but would re-enter them each time I started the app.

I don’t know if you can tell Thunderbird to “forget” the master password (and thus lock access to your email accounts) without shutting down the app entirely.

Any Thunderbird users out there able to help?

How are WhatsApp SMS verification codes considered 2FA since the platform doesn’t do passwords? Far as I can tell these SMS codes are all that’s needed to associated WhatsApp with a phone number. (Unless *actual* 2FA is enabled which is a contact PIN)

I’ve edited the article slightly to avoid any ambiguity. I mostly refer just to “security codes” now, so that whether an app has traditional passwords or not, it’s clearer tht we are talking about “the special codes that are send to you and you alone.”

Thanks for the comment!

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?