Site icon Sophos News

Police warn of WhatsApp scams in time for Social Media Day

You might be forgiven for thinking that every day is social media day, given how much gets shared each day via social media services.

For the past 11 years, however – yes, we’ve been addicted to social media for at least that long – the date 30 June has been given capital letters and referred to as Social Media Day, a 24-hour period when we are supposed to…

…well, we’re not entirely sure how you cheer about any one day of social media content more than any other, so we can’t advise you how to celebrate #SocialMediaDay.

But we do think that #SocialMediaDay is a great excuse to take a few minutes to stop and think about how to improve your safety and security on social media in general.

Indeed, police in London, UK warned only yesterday – on social media, of course! – about the resurgence of a WhatsApp scam designed to trick you into handing over login codes so that crooks can take over your account:

Hijacked accounts used for hijacks

We’ve discussed this scam before on the Naked Security podcast, because it’s a good reminder of how cybercriminals use one hijacked social media account to target others.

The idea is simple.

Closed-group instant messaging and social media communities don’t suffer from spam in the same way that your email account does, because you can set up your account so that only approved contacts such as friends and family can message you in the first place.

That means, however, that you’re more inclined to trust messages and web links that you do receive, because they generally come from someone you know.

You may have friends who try to shock you for a laugh, or rickroll you, or to tell you zany stories that you aren’t really interested in, but they’re unlikely to set out with the intention of tricking you into installing malware, filling in a fraudulent web form, or investing in an outright scam. In contrast, your email feed is probably littered every day with messages from unknown senders who are deliberately trying to pull of one or more of those very cybercrimes.

It’s not who you know

Strictly speaking, of course, you can’t always rely on the fact that social media messages in closed groups come from someone you know, but merely that they come from the account of someone you know.

And if you have ever had a password compromised, you will be well aware of the sinking feeling that comes with realising that someone else has control over one of your online accounts.

Suddenly, someone else gets to put words in your mouth, to post images that claim to be yours, to riffle through all your protected posts, to get in touch with your friends under your name, to root around in the profile data in your account, to decide who you’re following and who’s allowed to follow you, and much more.

Even worse, a crook who takes over your account may be able to reconfigure your security settings so that they’re in and you’re locked out.

If that happens, you will probably end up in lengthy back-and-forth negotiations with the social media service concerned in order to prove not only that your account was stolen in the first place, but also that you are, indeed, the rightful user to whom it should be restored.

And during the back-and-forth process to recover your account, the crook who took it over will typically retain control, giving them more than enough opportunity not just to harm your reputation or steal your personal data, but also to prey on your friends and family…

…who will be more inclined to trust any fraudulent messages they receive, for the very reason we mentioned above, namely the reasonable assumption that friends generally don’t foist spam messages, phishing tricks, malware attacks and scams on their own friends.

Need money urgently

You’re probably familiar with the “need money urgently” scams that have circulated for years via hacked social media accounts.

In these scams, crooks use an account they have taken over to pretend to be friend of yours who has mugged while on vacation (practically homeless, no ID or cards, please send a wire transfer at once!), or to be having trouble paying pack a payday loan (deadline is midnight tonight to avoid heavy interest, please pay this bill for me right now!), or some other reason that tugs at your heart strings.

Those scams go after your money, but a recent variant involves going after the accounts of people you know.

In this modern variant of the “mugged abroad/send money now” trick, a message will arrive from a friend’s account with a cock-and-bull story to the effect that this friend inadvertently copied-and-pasted your phone number into their own WhatsApp account.

As a result, the scammer will say, they are now on the point of being locked out of their own account because their security codes will go to your phone instead of theirs from now on.

Would you be so kind, your “friend” will ask, as to forward the next security code you receive to them?

That way, they can “sort the mess out” and reset the phone number on their own account, so that you won’t get bothered by the SMS codes any more?

Never do this!

The only true part of this scam is that you won’t be bothered by SMS security codes any more – because the crook won’t be changing the phone number on your friend’s account (they’ve already done that), but will reset the phone number on your account instead.

You won’t be helping your friend retain control of their account; you will be actively particpating in compromising your own!

Once the crooks are in, they’ll then use your account to go after the accounts of your friends and family, and so on, and so on.

What to do?


Exit mobile version