WhatsApp is being used by ‘phishing’ fraudsters to circulate convincing links for supermarket vouchers in order to obtain your bank details.
How Does The Scam Work?
The WhatsApp messenger app is being used to send messages purporting to be from well-known supermarkets such as Asda, Tesco and Aldi that contain a link to an online survey. The message tempts the receiver into completing the survey with the offer of hundreds of pounds’ worth of shopping vouchers.
In order to complete the survey, victims must give financial information, and have to send the link to 20 contacts in order to receive the vouchers. This helps to legitimise the scam as the contacts are likely to recognise and trust the sender.
Small Differences In Letters
The bogus supermarket link has been able to fool more than 30 people so far because of a very subtle, difficult-to-spot substitution of certain letters with similar-looking characters. For example, the d in Aldi was swapped with a ḍ (notice the small dot underneath), which is actually a Latin character. Also, a đ, known as a ‘crossed D’ (or dyet), has been used instead of a normal lower-case d in order to fool potential victims.
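A defensive check for the letter substitution described above, as an added example that is not part of the original article: it folds each non-ASCII hostname label to its ASCII look-alike form and flags labels that then contain a watched brand name. The brand list, the `NO_DECOMP` map and all function names are assumptions for illustration, and the sample hosts are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

# Brands named in the article; extend with your own watch list (assumption).
BRANDS = ("asda", "tesco", "aldi")

# Look-alikes that Unicode normalisation does NOT decompose, so they need an
# explicit mapping. Small constructed sample, not a complete confusables table.
NO_DECOMP = {"\u0111": "d", "\u0131": "i", "\u0142": "l", "\u00f8": "o"}

def skeleton(label):
    """Fold a hostname label to its ASCII look-alike form."""
    out = []
    for ch in unicodedata.normalize("NFKD", label.lower()):
        if unicodedata.combining(ch):
            continue  # drop marks such as the dot below in U+1E0D
        out.append(NO_DECOMP.get(ch, ch))
    return "".join(out)

def decode_label(label):
    """Turn an xn-- (punycode) label back into Unicode; leave others alone."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label
    return label

def check_url(url):
    """Return (brand, label) pairs where a non-ASCII label imitates a brand."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    hits = []
    for raw in host.split("."):
        label = decode_label(raw)
        if label.isascii():
            continue  # plain ASCII label: no character substitution here
        folded = skeleton(label)
        hits += [(brand, label) for brand in BRANDS if brand in folded]
    return hits

if __name__ == "__main__":
    # Constructed sample links using the two substitutions from the article.
    for link in ("http://www.al\u1e0di.example/voucher",
                 "https://al\u0111i.example/survey",
                 "https://www.aldi.example/"):
        print(link, "->", check_url(link) or "no look-alike found")
```

The same check works on links that arrive already punycode-encoded, because `decode_label` restores the Unicode form before folding.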
As yet, it is unclear whether just clicking on the link itself does something malicious, such as downloading malware, and there have been reports that doing so on social media has meant that the message was shared without the consent of contacts.
Brand Used Twice This Week
This is the second time in a week that the value and trust of the WhatsApp brand has been exploited by fraudsters. Earlier this week there were reports that a fake version of the WhatsApp messaging service for smartphones was distributed to more than one million unsuspecting people after it was put on the Google Play store. In that case, the bogus app was used to spread spam adverts.
The association of the WhatsApp brand with scams is damaging anyway, but the timing is particularly bad with the announcement only last month that WhatsApp is about to launch ‘WhatsApp Business’, with a free version for small businesses, and a paid-for version (a chance for WhatsApp to monetise its services) for enterprises with a global customer base.
WhatsApp has also suffered from bad PR, again by association, after it was announced that WhatsApp had been used by London terror attacker Khalid Masood minutes before he killed and injured multiple people back in March. This, in turn, led to Home Secretary Amber Rudd campaigning to abolish end-to-end encryption in social media platforms and to enable ‘back doors’ to be built into them for use by the authorities.
What Does This Mean For Your Business?
This is another example of how fraudsters are using the powerful combination of the trust placed in brands, very convincing messages, and apparent referrals from friends to commit socially engineered fraud. Cyber-criminals are becoming ever-more sophisticated and devious in their methods, and our use of social media platforms and mobile devices, and the lack of time and attention that we can give to individual messages, are helping criminals to carry out fast and successful scams.
It should be remembered, however, that a social media / messaging platform is simply the medium, and not all messages posted therein can be trusted. As advised by Action Fraud, people should avoid unsolicited links in messages, even if they appear to come from a trusted contact.