It’s probably no shock that WhatsApp is one of the most popular messaging apps in the world. It’s so popular, in fact, that outside of the US and Canada, people will often prefer it to their phones’ built-in texting apps. But this situation has also led to it being a major target for scammers, so here’s what you need to know about some of the most common WhatsApp scams and how to stay safe.
10 common WhatsApp scams and how to avoid them
Edgar Cervantes / Android Authority
1. “WhatsApp Gold”
In this one, an unsolicited message claims you’ve been invited to use WhatsApp Gold, an upgraded app with new features. There is of course no Gold app, and tapping on the download link is either going to subject you to a phishing attack — in which a fake website tricks you into sharing private info — or malware that risks infecting your device. That risk is very low as long as you keep your device up-to-date.
Because most WhatsApp users are aware that there’s no Gold upgrade, this scam shouldn’t be much of a threat, but it’s further identifiable by the URL (web address) the scammer sends — a real link would point you to the Google Play Store or Apple App Store, or at least whatsapp.com.
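The hostname check described above (a genuine link points to the Google Play Store, the Apple App Store, or whatsapp.com), sketched as an added example that is not part of the original article. The store hostnames play.google.com and apps.apple.com, the function name check_link, and the sample links are this example's assumptions.

```python
from urllib.parse import urlsplit

# whatsapp.com is named in the article; the two store hostnames are this
# example's assumption for "Google Play Store" and "Apple App Store".
EXACT_HOSTS = {"play.google.com", "apps.apple.com"}
PARENT_DOMAINS = {"whatsapp.com"}  # subdomains such as www. are accepted


def check_link(url):
    """Return (trusted, reason) for a link received in a chat message."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops any "user@" prefix and port, and lowercases the name.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not an https link"
    if not host:
        return False, "no hostname"
    # Non-ASCII or punycode labels can render as look-alike letters.
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return False, "internationalized hostname (possible look-alike)"
    if host in EXACT_HOSTS:
        return True, "official store host"
    for parent in PARENT_DOMAINS:
        # Match the whole name or a dot-separated suffix, never a substring.
        if host == parent or host.endswith("." + parent):
            return True, "whatsapp.com or a subdomain"
    return False, "host %r is not an expected download host" % host


# Constructed sample links (.example is a reserved, non-resolving TLD).
SAMPLES = [
    "https://www.whatsapp.com/download",
    "https://whatsapp.com.gold-upgrade.example/get",  # real name used as a prefix
    "https://whatsapp.com@gold-upgrade.example/",     # real name in the userinfo part
    "https://notwhatsapp.com/gold",                   # substring match would pass this
    "http://whatsapp.com/",                           # right host, no TLS
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link))
```

A pass only means the link points at an expected host; it says nothing about who sent the message.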
2. Fake friend/family emergency
This scam involves someone pretending to be a friend or family member of yours who’s messaging from a new phone number. Chat may seem innocent at first, but the person will eventually steer the conversation towards asking for money, or perhaps sharing private info that could be used to spoof your identity. They’ll use a fake emergency as an excuse.
If you’re worried there might be a legitimate emergency, ask the person for details that should confirm their identity. That might be something like their supposedly defunct phone number, or a personal fact that isn’t posted online. If the person can’t answer anything, it’s a scam.
3. Free gift cards/vouchers
Matt Horne / Android Authority
It should be obvious, but companies don’t send free gift cards to random people on WhatsApp, since there’s no profit to be had. If you tap the link asking you to claim your card (or a voucher), you’ll be faced with a phishing or malware attack and get nothing in return.
There’s not much more to be said about this one, but a general rule of avoiding scams is that if something seems too good to be true, it probably is. Fake gift card URLs also tend not to match the company they’re supposed to represent.
4. Unrequested QR codes
This is actually just a variant of other scams, substituting a QR code you have to scan in place of a link you’re expected to tap. There can be many excuses for why you should scan it, but no matter which one the scammer picks, you’ll still be taken to a URL exposing you to phishing or malware.
If an unknown contact sends you a QR code, just ignore it. It’s a way of camouflaging a fake URL. Legitimate QR codes are meant to be scanned from TVs, monitors, boxes, manuals, or real-world signs; in a messaging app, there’s no reason why someone wouldn’t just share a URL directly.
5. Tech support/verification
Here someone pretends to be a representative with WhatsApp (or another major tech company) asking you to verify an account. They may or may not ask for data directly, but whether you share it in chat or via a phishing website, the scammer’s goal is likely to hijack your account and/or extract useful details.
Because of the likelihood of this sort of scam, WhatsApp and other tech firms don’t actually contact users this way. If some sort of account verification is needed, it’ll probably be initiated by you, and in the case of WhatsApp specifically, verification is handled via phone calls, SMS, or iCloud Keychain. You won’t get a message in WhatsApp itself.
6. Two-step verification “mistakes”
You’re unlikely to encounter this one, but someone may send you a message claiming they were doing two-step verification (2SV) and need the verification code accidentally sent to your phone number. If you did get a code, don’t share it — since WhatsApp accounts are based on phone numbers, you may be giving them the exact thing they need to hijack your account.
If you encounter this scam, go ahead and change your 2SV PIN as soon as possible to make sure hackers are locked out. Don’t pick digits that are easy to guess.
7. Fake lotteries and giveaways
This is identical to a gift card/voucher scam except that the criminal claims you’ve been selected for a prize. To claim it you’re supposed to tap a link, but you’ll only be exposing yourself to phishing or malware.
It’s another example of the “too good to be true” rule, but some more food for thought is that legitimate lotteries and giveaways tend to operate in public, not by messaging people individually. Certainly organizers won’t notify winners via an app they can’t guarantee someone will have.
8. Crypto and other investment scams
Yes, real people have made honest fortunes off of cryptocurrencies like Bitcoin, but if you’re being approached by someone on WhatsApp claiming you can turn a large profit after providing a small initial investment, they’re going to take the money and run. The same applies if they’re hawking a “secret” guide to crypto investing.
You may encounter other investment-related scams on WhatsApp, but they tend to follow a similar template. Before making any substantial investment, research the product and its risks, and only pull the trigger through well-established platforms. Be prepared for risk, too — cryptocurrencies in particular are volatile, so if the market turns south, you could be out thousands of dollars or more.
9. Romance/catfish and prostitution scams
While this is more likely with services like Instagram, there’s still the possibility that you’ll be approached by a stranger offering prostitution services. Whether or not prostitution is legal in your region, pitches on WhatsApp are likely fraudulent, or simply another way of getting you to tap on a phishing or malware link.
Almost more insidious is a romance/catfish scam. This involves a long con, creating the illusion of an authentic relationship even though you don’t actually know the person that well. Once the time is right, the scammer will manufacture some sort of emergency that involves you sending money to help.
Even intelligent people can be taken in by a romance scam, but being a good skeptic will help. If a scammer has social media profiles at all, they may have few if any friends on their networks and use stolen photos. Use a reverse image search tool like TinEye to catch them. And before getting emotionally invested in someone, insist on a video call and/or meeting in a public place. If they keep coming up with excuses to avoid that, you’re being scammed.
10. Fake donation schemes
Taking things to an even deeper low, this sort of scam asks for money with the promise that it’ll help a good cause — anything from personal surgery or disaster relief to supporting a church, mosque, temple, political party, or other ideological group. Once the scammer has your money, the “charity” vanishes into thin air.
You can avoid falling prey by refusing to donate to unknown contacts or tap on any links they share. A reputable charity always operates in the open instead of contacting people one-by-one on messaging apps. As with many WhatsApp scams, it’s best not to reply at all, since that may only confirm that your phone number is valid and you’re a potential victim.
What to do if you get scammed on WhatsApp
First, halt any interactions with the suspected scammer, but take as many screenshots as possible. This may help not just in interactions with WhatsApp’s moderation team, but in any complaints you make to police (more on that in a moment).
The next step is to block the scammer and report them to WhatsApp. Moderators will receive the last 5 messages sent to you by the other person, whether they include text, photos, or video. At that point you’ll have to wait for the company to respond, but if they accept your report, the scammer’s account should be kicked off the service.
In more serious circumstances, it may be worth reporting an incident to local police as well. There may not be much they can do without personally identifiable information, or if the scammer is in another country, but it will at least put the scam on police radar and raise the chances of eventual action. Remember, you probably weren’t the only target.
You may also need to double-check your privacy and security settings. The less publicly visible your WhatsApp information is, the better, and you should definitely have two-step verification on as a fallback.
How to stay safe on WhatsApp
Skepticism is your best ally. You should automatically be wary of messages from people you don’t know, and/or who claim to be someone you know but are oddly aggressive or upfront about wanting something. Unless they’re pulling a long con, scammers don’t want to waste time with small talk.
Always avoid tapping on links from unknown contacts, since they’re probably attempts at phishing or spreading malware. You’ll note that the URLs for these links deviate from the ones used by the companies they’re meant to imitate.
Finally, as we’ve mentioned a couple of times already, apply the “too good to be true” rule. Is someone claiming you can make a fortune off Bitcoin in just a few days? Probably bogus. Likewise, the odds of the love of your life messaging you out of the blue are extremely low.
There are many possibilities. You might have it on a social media profile somewhere, such as Facebook, and left that profile public. It could also be listed in a WhatsApp group, or somewhere else on the web. The person might simply be bombarding every number in a particular area code, hoping to get lucky.
They can potentially hijack your account, especially if you don’t have two-step verification (2SV) enabled.
Not usually, anyway. They’re most likely using fake or anonymous details, and while you can try to message them, they’ll probably just ignore or block you if they haven’t already moved on to another account. You might be able to use a reverse phone lookup service if their number wasn’t a burner.
Potentially, but there’s no good reason to, and you may be signaling that you’re a human who can be targeted in future scams. Telling a spammer off isn’t going to stop them.
Yes, at least if you’re in a group or individual chat, or you’re saved in someone’s contacts. This does create a vulnerability, but also means that scammers (or other malicious actors) can’t hide behind an anonymous username.