Another day, another blow: you are at peace, until a message arrives through the Instagram. In it, there is the offer of a free trip to a paradisiacal place, as long as you inform your full name and phone number. Afterwards, a six-digit code sent via SMS is required for the promotion to be confirmed. And when you realize, your WhatsApp was cloned by the scammers.
This is yet another trick to clone WhatsApp: criminals are using fake profiles to apply this type of scam through the social network of photos and videos, as found by Techblog.
This practice uses from the brand of commercial establishments to the name of political parties, as warned by the PDT’s own leadership in the Senate in May by Twitter:
“WARNING: They are using the name of the PDT Senate for a coup. Criminals ask for your mobile number and then try to access your WhatsApp on another device.”
PDT Senado (Twitter)
The action is initially practiced by Instagram’s messaging tool. With a fake profile of a company or institution, the scammers suddenly contact the victim via the social network and offer some very eye-catching offer. This is the case of a free weekend at a hotel, for example.
The message asks for some personal information in order for the offer to be “redeemed”. These include the victim’s full name and area code number. Then, after sending the data, the scammers also request a six-digit code that will be sent via SMS to confirm.
And that’s where the cat’s leap comes: the code sent via SMS is nothing more than the WhatsApp activation code. This credential allows the messenger’s account to be accessed through another device. Thus, if two-step authentication is not enabled, the victim will have his account hacked by criminals.
Scams seek personal data to clone WhatsApp
This is neither the first nor the only strategy to hack into WhatsApp accounts. To Techblog, ESET information security expert Daniel Barbosa explains that there are enough elaborate and creative scams to convince many victims to pass their data. “The main point is that almost everyone uses social engineering,” he said.
“Regardless of the approach, they will need, at a minimum, your name and phone number,” he explained. “All the rest will be additional information that can complement the second part of the scam, which is usually to go into the victim’s contact list and request transfers.”
Adriano Mendes, a lawyer specializing in digital law, also observes the Techblog that there are different types of scams that exist to gain access to personal data. With this information, criminals try to access the victims’ emails and social networks with the same purpose: requesting loans or money from relatives and friends or even gaining access and diverting amounts from bank accounts.
“Part of the scams is to involve the person in a phone conversation to, during the call, ask them to confirm a code sent by SMS,” he explained. “The unsuspecting victim often ends up answering the information and only realizes that he has fallen into a scam when contacted by his contacts or after some time.”
Fake Profiles Violate Instagram Policies
To Techblog, Instagram reported that accounts that try to impersonate other people or commercial establishments violate the rules of the social network:
“Pretending to be another person, brand or business violates Instagram’s Community Guidelines. We have a dedicated team to detect and stop these types of scams, and we encourage people to report any suspicious Instagram accounts or activities through our reporting tools.”
WhatsApp has also stated that it does not allow the use of the service for illegal or unauthorized purposes, including to violate the rights of third parties or to impersonate someone else. The messenger also emphasized that he does not contact him by phone to request any type of password re-registration or confirmation in two steps.
“Whenever a WhatsApp account is activated on a new device, the system sends a code via SMS to verify the number”, they explained.
And how to avoid this type of scam?
Both Instagram and WhatsApp offer ways to strengthen security on platforms. The social network guides users to report accounts that are impersonating other people or commercial establishments. The messenger guides the use of authentication in two steps and never share the verification code sent via SMS or phone call with third parties.
Instagram also informs that it is necessary to be wary of offers with prices well below the average values practiced in the market. “Companies rarely have private profiles, which you need authorization to follow,” they said. Another tip is to look for the blue verification seal that is intended for companies, organizations or public figures.
The ESET expert gives further advice. Barbosa also explains that the first step is always to be suspicious: “any kind of passive approach, that is, one that you didn’t directly request, that will ask for your data, is a potential scam”. In this case, the safest thing is to refuse the request, avoid contact and report the fake profile.
You can also check out these tips:
I fell for the scam and they cloned my WhatsApp. And now?
If scammers are able to access your WhatsApp account, lawyer Adriano Mendes advises you to resume the service as soon as possible. It is also important to communicate banks, change all passwords and register a police report. Then, it is necessary to inform the contact networks to alert what happened.
“After the scare, you must also gather evidence of the blow suffered, which can be done with screenshots of the conversation with the criminal, proof of transfer, negotiations with the bank, in addition to carrying out a police report,” he explained. “With the evidence gathered, the next step is to seek the judiciary, filing a lawsuit to recover the lost amount.”
WhatsApp also informed that the victim must try to register the account again on their cell phone for the criminal to lose access. “Many scammers use their contact list to request sensitive information and request cash deposits,” they explained. “If your account is breached, contact people close to them to let them know what happened and so that no one can impersonate you.”