A number of news outlets in recent months have reported an increase in WhatsApp text scams, in which individuals are targeted over WhatsApp and manipulated into clicking malicious links, handing over personal or sensitive information, or sending money to the sender’s bank account.
A more recent WhatsApp scam message that is currently circulating, particularly in the UK, involves attackers impersonating a relative of the recipient. Using the tried and tested tactics of social engineering and urgency, the sender pretends to need money for bills but to be locked out of their bank account for whatever reason, and asks whether the recipient could lend some money for just a couple of days until the issue is resolved. The recipient will usually be addressed as a generic parental figure.
Other scams involve attackers posing as WhatsApp’s support team in order to harvest financial credentials or PIN codes that can give the attacker access to the user’s WhatsApp account.
For the most part, individuals and their personal data are the sole target. But what does this mean for businesses?
Well, not a lot right now, but that’s not to say it won’t pose a serious threat in the future. In a recent interview, Lior Kohavi from Cyren told us, “We believe that at some point, there will be a different go-to messaging platform for attackers. It might be Slack, Teams, mobile apps, SMS, WhatsApp, you know.”
WhatsApp is becoming an increasingly favored method of communication, often used in business between colleagues or simply by users running WhatsApp Web while they work.
Spear-phishing tactics are becoming more personal and targeted as time goes by. With work and personal numbers displayed on LinkedIn, along with a slew of work and personal information at savvy attackers’ disposal, crafting a believable, legitimate-looking backstory to dupe employees isn’t out of the realm of possibility and has happened before.
So, what is to be done?
For the most part, security awareness training (a training program that educates and tests employees on cybersecurity and phishing scams to help defend your business) tends to focus on email communications, with texts and calls very rarely being included in these programs, which feels like a potential oversight. With the influx of BYOD policies, remote working, and so on, the company network perimeter isn’t what it used to be, and as the years go by, savvy attackers are getting savvier and savvier.
Urging your employees, alongside their initial SAT program, to be aware of the possibility of WhatsApp (or indeed text and call) related scams helps keep them on alert and helps them understand that attacks don’t always operate through the work sphere.
The tactics employed via email are exactly the same as those used through WhatsApp, text messages, or calls. Tell your employees to stay alert for telltale signs such as spelling or grammatical errors, signs of urgency, requests for sensitive or financial details, links to click, or dubious messages from senior figures within a company asking them to complete a task without going through the official channels first. Any strange request needs to be verified through known and official contact details before being actioned.
For now, it’s simple enough to make sure your users stay on alert, until attackers begin to branch out en masse to other forms of phishing scams. Then it’s just a case of the security industry catching up.