The Police would like to alert members of the public to a new variant of phishing scam that compromises WhatsApp accounts through the use of fake “WhatsApp Web” phishing websites. These websites trick users into authorising access to their WhatsApp accounts for the scammers.
In these cases, victims who wished to access their WhatsApp accounts through their desktops would search for the official website for “WhatsApp Web” using online search engines. For convenience, victims would then click on one of the first few search results without verifying the URL addresses. However, the URL addresses visited were not the official website for WhatsApp, but phishing websites embedded with the genuine QR code extracted from the official website of WhatsApp.
When the victims used the QR code scanning function in WhatsApp on their mobile devices to scan the QR code on the phishing websites, they would notice that the websites were unresponsive and did not bring them to WhatsApp Web’s interface on their desktops. However, the scammers who had embedded the QR codes in the phishing websites would then be able to gain remote access to the victims’ WhatsApp accounts and perform unauthorised actions, such as messaging the victims’ contacts to ask for their personal details and i-banking credentials, or requesting that monies be transferred to a designated bank account.
As the victims could still access their WhatsApp accounts while scammers were concurrently using the victims’ accounts to conduct scam activities, the victims would only discover that their WhatsApp accounts were compromised when they were notified by their contacts of unusual requests such as asking for the transfer of monies or i-banking credentials.
The Police would like to advise members of the public to adopt the following precautionary measures:
- Always ensure that you are using the official WhatsApp Desktop App or visiting the official website from WhatsApp for “WhatsApp Web”. The official URL address is https://web.whatsapp.com;
- Never share your WhatsApp account verification codes, personal information, banking details and OTPs with anyone;
- Beware of unusual requests received over WhatsApp, even if they were sent by your WhatsApp contacts;
- Protect your WhatsApp account by enabling the ‘Two-Step Verification’ feature. This can be done by opening WhatsApp and going to ‘Settings’ > ‘Account’ > ‘Two-step verification’ > ‘Enable’;
- Check your linked devices regularly. Go to WhatsApp Settings > Linked Devices to review all devices linked to your account. To remove a linked device, tap the device > Log Out. For instructions on how to activate additional security features on WhatsApp, visit https://www.whatsapp.com/security; and
- Set a device code and be aware of who has physical access to your phone. Someone who has physical access to your phone might use your WhatsApp account without your permission.
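The URL check in the first measure above can be automated, for example in a helpdesk tool or link filter. The following is an added example, not part of the Police advisory: it accepts only the official address given in the advisory and explains why a lookalike link is rejected. The function name and the sample links are constructed for illustration.

```javascript
// Added example: strict allow-list check for the official WhatsApp Web address.
// OFFICIAL_HOST comes from the advisory; all other names are illustrative.
const OFFICIAL_HOST = "web.whatsapp.com";

function checkWhatsAppWebLink(raw) {
  let url;
  try {
    // WHATWG URL parsing, the same rules a browser applies to a typed address.
    url = new URL(String(raw).trim());
  } catch {
    return { official: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { official: false, reason: "not HTTPS" };
  }
  // "https://web.whatsapp.com@other.example/" really goes to other.example.
  if (url.username !== "" || url.password !== "") {
    return { official: false, reason: "text before '@' hides the real host" };
  }
  if (url.port !== "") {
    return { official: false, reason: "non-default port" };
  }
  // Exact match only: no prefix, suffix or substring comparison.
  if (url.hostname !== OFFICIAL_HOST) {
    return { official: false, reason: `host is ${url.hostname}` };
  }
  return { official: true, reason: "official host" };
}

// Constructed sample links using reserved example domains.
const samples = [
  "https://web.whatsapp.com",
  "https://WEB.WHATSAPP.COM/",
  "http://web.whatsapp.com/",
  "https://web.whatsapp.com.example.net/",
  "https://web.whatsapp.com@example.net/",
  "https://web-whatsapp.example/",
  "web.whatsapp.com",
];
for (const link of samples) {
  const r = checkWhatsAppWebLink(link);
  console.log(`${r.official ? "OK  " : "STOP"} ${link} (${r.reason})`);
}
```

Only the first two samples pass; the hostname comparison is case-insensitive because the URL parser lowercases the host before it is compared.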
If you have any information relating to such crimes or if you are in doubt, please call the Police Hotline at 1800-255-0000, or submit it online at www.police.gov.sg/iwitness. All information will be kept strictly confidential. If you require urgent Police assistance, please dial ‘999’.
For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Helpline at 1800-722-6688. Fighting scams is a community effort. Together, we can ACT Against Scams to safeguard our community!
[Image: Screenshot of the phishing website impersonating WhatsApp Web’s official website]
SINGAPORE POLICE FORCE
27 October 2023 @ 1:35 PM