WhatsApp usage has exploded in recent years, growing from 1 billion users in 2016 to 2 billion users in 2020. Only its parent company, Facebook, has more. But like Facebook, WhatsApp security is under constant scrutiny and its popularity has made it a top target for cybercriminals. In Q2, WhatsApp became the second most impersonated social media brand in phishing attacks, coming in at #5 on our latest Phishers’ Favorites report.
WhatsApp is known for its end-to-end encryption, which encrypts WhatsApp messages in transit. But encryption doesn’t protect messages before or after they’re sent, so users can still screenshot and forward them.
In 2019, a security vulnerability allowed hackers to install spyware on WhatsApp users’ phones by placing a WhatsApp call to the victims’ phones. The Pegasus spyware attack hit 1,400 users, according to WhatsApp, and primarily targeted human rights groups and journalists. WhatsApp ultimately sued Israel-based NSO Group, a software vendor known for selling software to government organizations in Uganda and Bahrain.
Another well-known WhatsApp security sticking point is the fact that users who don’t want to part with their WhatsApp chats and messages can create backups in Google Drive. The backups, however, are not protected by WhatsApp encryption.
WhatsApp security has taken a beating in the media due to the above vulnerabilities that have opened users to WhatsApp scams. This, combined with its rising popularity, including among high-profile users and even politicians, has piqued interest from hackers.
WhatsApp phishing was virtually nonexistent in the first three quarters of 2019, and then something changed. In Q4 2019, Vade detected 5,020 unique WhatsApp phishing URLs. This reflected a 13,000 percent increase from the previous quarter and placed WhatsApp at #5 on our Phishers’ Favorites top 25 list for Q4 2019.
What happened? If you recall, the Pegasus spyware incident occurred in mid-2019. Additionally, WhatsApp disclosed 12 vulnerabilities in 2019—seven of them critical. It’s likely that the ongoing news about WhatsApp security vulnerabilities made it a perfect target for cybercriminals looking to exploit vulnerabilities and users while they had a chance.
This brings us to 2020. In Q1, WhatsApp phishing dropped 85 percent from Q4 2019, a significant decrease, but in Q2 it increased 185 percent. Why? Hackers are known to build attacks based on the news cycle. Event-based attacks spike during high-profile current and seasonal events. Often, though, events are regional rather than global. We’ll see spikes in some countries but not others, or attacks targeting certain demographics but not all. COVID-19 changed that.
The lockdown felt around the world made anything possible and everything terrible in March 2020. Hackers quickly went to work, primarily sending phishing emails imitating local, state, and global health organizations.
One organization widely impersonated by hackers in phishing emails is the World Health Organization (WHO). Vade identified dozens of WHO phishing emails targeting users early in the COVID-19 pandemic. The emails preyed on the vulnerabilities of a public that hadn’t seen the likes of COVID-19 in its lifetime. They were looking for answers, they were looking for solace. They got phished in alarming numbers.
As the lockdown progressed and friends and family were kept apart, they looked to technology to fill the void. Where Zoom provided face-to-face contact, WhatsApp groups provided the feeling of belonging, a place where virtual tribes could connect. Among the tribes, scammers proliferated, creating bizarre 5G rumors and fake audio messages from Britain’s National Health Service. WhatsApp usage spiked 76 percent in the early months of COVID-19.
In a strange turn of events, WHO launched its own service on WhatsApp. WHO Health Alert takes advantage of the WhatsApp Business API, which was launched in late 2018 as a platform for businesses looking to connect with customers. It has since spread to nonprofits and governments. Together, WhatsApp and WHO represent two of the most impersonated entities during the pandemic, manipulated for criminal gain and unwilling participants in global scams.
Ultimately, WhatsApp is just one of many social media brands being impersonated by hackers. Facebook is the 2nd most impersonated brand in phishing attacks on our Phishers’ Favorites Q2 report. LinkedIn phishing has slowed down somewhat, but it too spiked during the pandemic, a result of increases in user engagement, namely out-of-work users looking to make connections and upgrade their skills. It will be interesting to see in the coming months which social media platforms rise and fall with the news cycle.