By Phillip de Wet for Business Insider SA
Scammers are separating helpful South Africans from their money in what appears to be a wave of fraud that relies on hijacking WhatsApp accounts – and then simply asking for money.
The scammers first take control of a victim’s phone number, usually by porting the number to a new service provider, and so associating it with a SIM card under their control. That allows them to receive confirmatory SMSes from WhatsApp, and so take control of an existing account, while the now-offline victim is none the wiser.
Now able to impersonate the victim, the scammers access the phone numbers of friends and acquaintances, in many instances seemingly just waiting for incoming messages, or by way of WhatsApp groups to which the victim belongs. Then they simply ask for money.
Number porting has in the past often been used to intercept one-time PIN (OTP) numbers – but that requires scammers to have control of bank accounts, either by skimming credit card information or stealing login details for online banking.
In the current wave of scams, the attackers do not need such access. Friends of victims are asked to send money via services such as First National Bank’s eWallet, which sends the code required to withdraw money from an ATM via SMS – with the cash immediately available.
As of Wednesday it was not yet clear how widespread the new scam was, with network operators saying they were detecting only a small number of fraudulent attempts to port numbers – while many people said they were receiving worrying notifications, or had already seen their friends approached for money.
Here’s how to protect yourself against both sides of the latest WhatsApp hijacking scam.
Turn on security notifications in WhatsApp.
WhatsApp security code settings
WhatsApp will alert you when a contact changes their phone – if you let it. For those in many big WhatsApp groups – with people who like to switch phones – the constant messages that a contact’s “security code has changed” can become annoying, so some people turn it off.
If you are one of those people, turn those notifications back on by going to “settings”, then selecting “account”, and from there “security”.
Should a “friend” ask for money shortly after their security code changes, be extremely suspicious.
Don’t ignore porting SMSes.
Cellphone companies will send out a notification, by SMS, before porting a number – but will consider no response as permission. If you receive an SMS that warns your number is to be ported, do not ignore it.
If you are worried that message might be a scam in itself, phone your network provider on the usual service number.
Don’t turn off your phone if you’re getting annoying calls.
Some victims of porting say they were bombarded by annoying phone calls before their numbers were hijacked. The idea behind constantly ringing your number is to make you turn off your phone – so that you won’t receive porting notifications, and won’t notice you have suddenly been kicked off the network.
If someone keeps phoning then putting down the phone before you can answer, or you keep receiving calls with nobody on the other side, assume you are being scammed, and rather put your phone on silent while watching out for SMSes.
Don’t ignore a loss of cellphone signal.
If your phone suddenly won’t connect to your mobile network – and you aren’t in the middle of nowhere, or in an area being load-shed – assume your number is being hijacked, and get in touch with your network service provider as soon as possible.
Don’t register a new WhatsApp account if you change phone numbers; update your number instead.
Some victims of WhatsApp identity fraud believe they were impersonated after their former, abandoned cellphone numbers were recycled by network operators.
If you are switching numbers and want to be sure nobody can pretend to be you in future, you can change the phone number associated with your WhatsApp account.
If you really care about your security, enable the PIN function on WhatsApp.
WhatsApp 2-step verification
For ultimate protection, you can create a six-digit PIN number in WhatsApp, without which it should be impossible to register on the service – so that no number-porting scam or other mechanism will let someone steal your identity.
There is no better way to protect yourself, but this two-step verification measure comes with a couple of caveats. If you do not associate an email address with that PIN, or lose access to the email address you register, you are in deep trouble if you ever forget your PIN. Also, WhatsApp will from time to time demand the number from you, which could get annoying.
The PIN activation is under “settings”, “account”, and then “two step verification”.