UAE: Beware! WhatsApp phishing on the rise, here's how to safeguard

Dubai - Several people falling prey to phishing attacks amid the pandemic.


Anamika Chatterjee


Published: Mon 25 Jan 2021, 3:37 PM

Last updated: Tue 26 Jan 2021, 6:14 AM

In the last week of December last year, Megha Vrinda Gupta, a Dubai resident, received a message from her colleague on her WhatsApp.

Usual pleasantries aside, the message asked for a one-time password (OTP) number that the colleague had ‘inadvertently’ sent to Megha’s number.

“Because it was a colleague who had used my phone before, I did not think much of it,” recalls Megha, who is a doctor.

Megha ended up responding to the message and sharing the code she’d received. For two days, nothing happened.

On the third day, the WhatsApp app on her mobile had not only been blocked, her contacts also began receiving the same message that she’d responded to. At least three of them replied and found their accounts hacked. It wasn’t until WhatsApp sent her a verification code hours later, following which she activated the two-step verification, that her account was restored.

Many UAE residents are falling prey to phishing attacks.

WhatsApp phishing, in general, has been on the rise ever since the pandemic began. But why WhatsApp? “Every single platform that is available today has certain characteristics that attackers latch onto when designing phishing campaigns. The process of phishing on WhatsApp is similar to that of other phishing schemes where a message is sent to the receiver requiring a certain action (for example, clicking on a link),” says Nicolai Solling, Chief Technology Officer (CTO), Help AG (Etisalat Digital Security).

“Phishing is an interesting cyber security threat because it relies on exploiting basic human behavioural tendencies in order to achieve the action from the target. For example, many schemes will start by telling the user something has happened to them (credit card being abused, for example) and will impersonate an entity they trust (such as a central bank) pretending to be helping them to solve the problem. Another strategy is to exploit people’s hopeful nature by informing them that they have won something (such as a lottery) and asking them to take an action to receive their prize. If we’re looking into enterprise-focused attacks, it could be around tricking people to give away their username and password, which can be utilised by the attacker, to gain access into an organisation’s email system, or other private systems.”

Maher Yamout, a senior security researcher with Kaspersky’s Global Research and Analysis Team, says that with businesses increasingly moving to WhatsApp and even banks using it, the application (app) has become an attractive target for hackers. But since the app is end-to-end encrypted, shouldn’t it be hard to hack into? “Generally, they’re not trying to hack the encryption. They’re trying to take over the WhatsApp number and connect with people,” he says. “They’re not interested in the content of messages, they’re likely to reach out to people and persuade them to give money.”

In many such phishing cases, the first point of target is a WhatsApp group. The rationale, says Haider Pasha, Chief Security Officer (CSO) at Palo Alto Networks, Middle East and Africa (MEA), is that besides helping scale their phishing or spam messages, WhatsApp groups can give attackers visibility into the phone numbers of all the members. “Once the message is received and the new victim account is hijacked, attackers now have visibility into any groups the new victim is a part of and the attack begins to a new set of targets,” he says.

Being connected with other social media apps means that access can be compromised too.

Almost all the experts Khaleej Times spoke to suggest that linking messaging apps with social media accounts means that the latter can also be used for phishing attacks. “For example, WhatsApp is owned and can be linked with Facebook so an account breach of one service could potentially compromise the other. A general best practice is to use two-factor authentication and set different passwords for each account, using a trusted strong-password generation tool to manage your passwords,” says Pasha.

How to safeguard your WhatsApp:

Don’t share any personal information if your app-based messaging service is asking you

Don’t trust a link you didn't ask for, even if it's coming from a trusted source

Never share your six-digit verification code with anyone, even if you think it's for a different account

Enable 'Two-step verification' PIN in WhatsApp

Beware of social engineering messages from unknown sources making you feel rushed or emotional

Block users who send you spam or hoax messages and report them to WhatsApp within the app

If your account has been breached, follow these steps:

Reinstall WhatsApp immediately and get a new verification code

Set up the six-digit PIN on your account

Change your Facebook password

Set up two-factor authentication on Facebook

— Courtesy Haider Pasha, CSO, Palo Alto Networks, MEA

