Police warn of WhatsApp scams in time for Social Media Day

You might be forgiven for thinking that every day is social media day, given how much gets shared each day via social media services.

For the past 11 years, however – yes, we’ve been addicted to social media for at least that long – the date 30 June has been given capital letters and referred to as Social Media Day, a 24-hour period when we are supposed to…

…well, we’re not entirely sure how you cheer about any one day of social media content more than any other, so we can’t advise you how to celebrate #SocialMediaDay.

But we do think that #SocialMediaDay is a great excuse to take a few minutes to stop and think about how to improve your safety and security on social media in general.

Indeed, police in London, UK warned only yesterday – on social media, of course! – about the resurgence of a WhatsApp scam designed to trick you into handing over 2FA (two-factor authentication) codes so that crooks can take over your account.

Hijacked accounts used for hijacks

We’ve discussed this scam before on the Naked Security podcast, because it’s a good reminder of how cybercriminals use one hijacked social media account to target others.

The idea is simple.

Closed-group instant messaging and social media communities don’t suffer from spam in the same way that your email account does, because you can set up your account so that only approved contacts such as friends and family can message you in the first place.

That means, however, that you’re more inclined to trust messages and web links that you do receive, because they generally come from someone you know.

You may have friends who try to shock you for a laugh, or rickroll you, or tell you zany stories that you aren’t really interested in, but they’re unlikely to set out with the intention of tricking you into installing malware, filling in a fraudulent web form, or investing in an outright scam. In contrast, your email feed is probably littered every day with messages from unknown senders who are deliberately trying to pull off one or more of those very cybercrimes.

It’s not who you know

Strictly speaking, of course, you can’t always rely on the fact that social media messages in closed groups come from someone you know, but merely that they come from the account of someone you know.

And if you have ever had a password compromised, you will be well aware of the sinking feeling that comes with realising that someone else has control over one of your online accounts.

Suddenly, someone else gets to put words in your mouth, to post images that claim to be yours, to riffle through all your protected posts, to get in touch with your friends under your name, to root around in the profile data in your account, to decide who you’re following and who’s allowed to follow you, and much more.

Even worse, a crook who takes over your account may be able to reconfigure your security settings so that they’re in and you’re locked out.

If that happens, you will probably end up in lengthy back-and-forth negotiations with the social media service concerned in order to prove not only that your account was stolen in the first place, but also that you are, indeed, the rightful user to whom it should be restored.

And during the back-and-forth process to recover your account, the crook who took it over will typically retain control, giving them more than enough opportunity not just to harm your reputation or steal your personal data, but also to prey on your friends and family…

…who will be more inclined to trust any fraudulent messages they receive, for the very reason we mentioned above, namely the reasonable assumption that friends generally don’t foist spam messages, phishing tricks, malware attacks and scams on their own friends.

Need money urgently

You’re probably familiar with the “need money urgently” scams that have circulated for years via hacked social media accounts.

In these scams, crooks use an account they have taken over to pretend to be a friend of yours who has been mugged while on vacation (practically homeless, no ID or cards, please send a wire transfer at once!), or to be having trouble paying back a payday loan (deadline is midnight tonight to avoid heavy interest, please pay this bill for me right now!), or some other reason that tugs at your heart strings.

Those scams go after your money, but a recent variant involves going after the accounts of people you know.

In this modern variant of the “mugged abroad/send money now” trick, a message will arrive from a friend’s account with a cock-and-bull story to the effect that this friend inadvertently copied-and-pasted your phone number into their own WhatsApp account.

As a result, the scammer will say, they are now on the point of being locked out of their own account because their 2FA (two-factor authentication) security codes will go to your phone instead of theirs from now on.

Would you be so kind, your “friend” will ask, as to forward the next security code you receive to them?

That way, they can “sort the mess out” and reset the phone number on their own account, so that you won’t get bothered by the SMS codes any more?

Never do this!

The only true part of this 2FA scam is that you won’t be bothered by SMS security codes any more – because the crook isn’t changing the phone number on your friend’s account (they already control that one), but has started registering *your* phone number on *their* device. The code that just arrived on your phone is the one that completes that registration: whoever types it in owns the account, and the service has no way to tell that the person typing it in isn’t you.

You won’t be helping your friend retain control of their account; you will be actively participating in compromising your own!

Once the crooks are in, they’ll then use your account to go after the accounts of your friends and family, and so on, and so on.
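To make the mechanism concrete, here is a small model of SMS-code account registration, written for this article and not part of the original or of WhatsApp’s real protocol. The service, phone numbers, device names and message wording are all assumptions. It plays out the exchange above twice, once where you forward the code and once where you refuse, and shows the two things that matter: the code is tied to your *number*, not to the person who requested it, and a verification code you never asked for is itself the sign that someone else has started registering your number.

```python
# Added example (not from the original article): a toy model of SMS-code
# registration, showing why forwarding a "friend's" code hands over YOUR account.
# Service behaviour, numbers, device names and SMS wording are assumptions
# for illustration, not WhatsApp's real protocol.
import secrets
from dataclasses import dataclass, field


@dataclass
class RegistrationService:
    """Toy account service: a phone number is owned by whichever device last
    completed registration using the code texted to that number."""
    owner: dict = field(default_factory=dict)    # number -> device that owns it
    pending: dict = field(default_factory=dict)  # number -> (code, device that asked)
    inbox: dict = field(default_factory=dict)    # number -> SMS texts delivered

    def request_registration(self, number: str, device: str) -> None:
        # The code is tied to the NUMBER, not to who asked for it: it is texted
        # to whoever holds the SIM, even when a stranger started the request.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = (code, device)
        self.inbox.setdefault(number, []).append(f"Your verification code is {code}")

    def confirm(self, number: str, device: str, code: str) -> bool:
        expected, requester = self.pending.get(number, (None, None))
        if expected is None or device != requester:
            return False
        if not secrets.compare_digest(code, expected):
            return False
        self.owner[number] = device  # the account moves to this device
        del self.pending[number]
        return True


def last_code(service: RegistrationService, number: str) -> str:
    """What the victim sees on their phone: the six digits in the latest SMS."""
    return service.inbox[number][-1].split()[-1]


def run_scam(victim_forwards_code: bool) -> dict:
    """Play out the exchange and report who owns each number afterwards.
    Phone numbers and device names are constructed for the example."""
    svc = RegistrationService()
    you, friend = "+15550100", "+15550199"
    svc.owner[you] = "your-phone"
    svc.owner[friend] = "crook-phone"  # the friend's account is already hijacked

    # 1. The crook starts registering YOUR number on THEIR device.
    svc.request_registration(you, "crook-phone")
    # 2. Your phone receives a verification code you never asked for.
    code_on_your_phone = last_code(svc, you)
    # 3. From the friend's account, the crook asks you to forward "their" code.
    forwarded = code_on_your_phone if victim_forwards_code else None
    # 4. If you comply, the crook completes the registration of your number.
    crook_success = forwarded is not None and svc.confirm(you, "crook-phone", forwarded)
    return {
        "owner": dict(svc.owner),
        "crook_success": crook_success,
        # An unrequested code is the tell: someone else asked to register your number.
        "unrequested_code_seen": bool(svc.inbox.get(you)),
    }


if __name__ == "__main__":
    print("victim forwards code:", run_scam(victim_forwards_code=True))
    print("victim refuses:      ", run_scam(victim_forwards_code=False))
```

Note that the service does check that the device confirming the code is the one that requested it, and that check does nothing here: the crook *is* the requester. The only control the account owner has is the code that landed on their phone, which is why handing it to anyone, however plausible the story, is the whole attack.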

What to do?

  • Never share 2FA security codes with anyone. If you’ve turned on 2FA on your various accounts, good for you. It’s not a silver bullet, so it can’t guarantee that your account won’t get hacked, but it does make things harder for the crooks. Don’t play the ball back into their court by sharing those secret codes with other people, no matter how convincing their story sounds.
  • Regularly review the privacy settings on all your accounts. Unfortunately, each social media service typically has its own set of privacy menus and security options, so we can’t give you a generic tip that will work for all of them. But it doesn’t take long to explore the privacy and security menu of your various online accounts. We like to take screenshots of important configuration pages, which serve as a handy reference to find those settings again.
  • Never use the same password on more than one account. If crooks compromise one of your accounts (which needn’t be your fault, for example if a service suffers a data breach of its password database), you can assume they will try that password right away on all your other accounts, just in case they get lucky.
  • Guard your email account at least as strongly as any other account. That’s because your email service is often the route by which you reset passwords on your other accounts if something goes wrong. A crook who can take over your email account typically moves one step closer to controlling all your other accounts at the same time.
  • Never trust messages simply because they come from a friend’s account. Just as importantly, if a weird message from a friend’s account makes you think they’ve been hacked, don’t message them back via the same service to warn them. If you’re right, your real friend will never see the warning, and you will have tipped off the crooks that you are onto them. Contact your friend some other way instead.
