ExplainersFeaturedHeadlineHomepageMedia LiteracySecurity

How WhatsApp scammers circumvent security features to swindle Nigerians

Frank, whose real name is withheld, has been putting in much work from Sept. to early Oct. (2023). He had a task, and his determination to perfect the project led him to extreme exhaustion. Luckily, his friend, a firm believer in the magic of yoga, suggested he give it a shot. 

“It’ll do you good,” his friend advised. 

Reluctantly, Frank started searching online for yoga classes. Around that time, he received a call from an unfamiliar number offering a yoga session. Frank marvelled at the power of technology. 

“These things now read minds,” he brooded! 

The process seemed straightforward: click on a link and share the 6-digit code you receive– the calm, reassuring voice behind the call instructed him. But hours later,  Frank received calls informing him that his WhatsApp account was being used for shady financial dealings. Panicking, he tried to access his WhatsApp account, only to find himself logged out.

“I got a call inviting me to join what I thought was a yoga class. Then, I was sent a link and asked to click on it. When I clicked, I was prompted to share a six-digit number I received (OTP code). Unbeknownst to me, it was the OTP code for my WhatsApp verification,” Frank explained.

The scheme is too real to be fake

Olu (name withheld for financial security sake) is a chess enthusiast and a member of a particular golf club. When he received a call claiming to be from this golf club, inviting him to a “meeting of their international members,” he didn’t think twice before sharing the 6-digit code he received. The caller sounded mature (in her 50s), which made it more convincing. His WhatsApp account was hacked minutes later, and his contacts were hit up for money. 

It is a simple but effective social engineering trick. Mr Olu said, “I was in my office around 4:30 pm when I got a WhatsApp call from an older Yoruba woman, around 50, I’d say. She claimed they were from ACC. I asked what that was, and she said Abeokuta Club. It seemed believable since Abeokuta Chess Club had my WhatsApp number. She then said they were having an international members’ meeting in the evening at 7:30 p.m. and wanted to confirm my attendance. She claimed they had sent a code to my phone, which I should read to her for confirmation.”

Actual account numbers with real names

These are not isolated cases. Many people have received suspicious WhatsApp messages supposedly from their loved ones, requesting money with a promise to pay it back, only to realise it was a scam. In both Olu and Frank’s cases, the account name provided to receive the funds was “Bruno Sewa” at Guarantee Trust Bank, with the account number 0868143335.

Account details and request Frank’s contact received.

Mr Frank said that the same name had once messaged him on Facebook offering the same service, but he was too busy to respond.

The Facebook message Olu received from a Facebook user named “Bruno Sewa,” the same name on the account details.
Olu’s post, putting out a warning over the Facebook account that chatted him over a possible yoga offer with the same name in the account details subsequently sent to his contacts.

Some WhatsApp users have shared similar messages from a different account seeking money: Rebecca Olotu, with account number 9029468406 on Palmpay.

Other WhatsApp users have also been sent this account details named “Rebecca Olutu,” seeking money.

WhatsApp boasts various security features, including end-to-end encryption, to keep your messages private. However, even with these safeguards, WhatsApp is not immune to hacks that can compromise message privacy and contact lists.

It’s always technology that beats technology 

Rahul Sasi, the CEO of CloudSEk, a leading cybersecurity firm, has highlighted the repercussions of this WhatsApp scam in several posts on his LinkedIn. 

Mr Sasi explained that hackers send a number that appears to be a service request for call forwarding when the victim’s number is busy or engaged. They then forward the victim’s calls to their own number. While the victim is occupied, the hackers initiate the WhatsApp registration process and choose the “send OTP via phone call” option. Meanwhile, the OTP goes to the hacker’s phone. Hackers often trick users into calling a specific number, or they craft a convincing lie based on the victim’s interests or values to get them to share the OTP. Once they have the OTP, the hackers hijack the WhatsApp accounts and ask contacts for money.

Some examples of scam attempts Mr Sasi received on his WhatsApp account.

This method can also hack anyone’s WhatsApp if the hacker has physical access to their phone and call-making permissions. 

“Every country and service provider has a similar service request number, so this trick works globally,” he added.

The possible solution: A way out!

The best way to protect yourself from a WhatsApp hacker is not to respond to calls from unknown numbers or make calls to unknown numbers. Also, be cautious of spam numbers, and, most importantly, do not leave your phone unattended where others can access it.

While some fingers also point at banks for hosting unverified account numbers, social media platforms also need to enhance their security features.

For Mr Olu, the situation could have been different if he had access to the WhatsApp number, but he does not at that moment. “Under normal circumstances, I should have been able to log out, log back in, receive the OTP on my phone, and lock them out. But in this case, it was a number I no longer had access to,” he said.

He still wonders how the scammers could determine his interests and tailor their scheme accordingly. “I’m still scratching my head about how they knew to use <> Golf Club, or where the leak came from…”

Bruno Sewa’s Facebook page is still active, even after Mr Frank raised the alarm publicly. Many WhatsApp users have complained about how strange numbers reach out with various offers. One of these numbers is the same as the one sent to Mr Frank by Bruno Sewa’s Facebook account: “+62 838-7488-37661.”

Various messages received by WhatsApp users pledging various services tailored to their interests with the same phone received by Mr Frank.

Until a permanent solution is found, some experts suggest that users include a disclaimer on their social media profiles, stating they will never solicit funds except through direct phone calls. A disclaimer that Mr Olu and Frank wish they had implemented earlier.

Show More

Related Articles

Leave a Reply

Back to top button