‘Always double-check the URL, don’t be like me’: Victim of WhatsApp Web impersonation scam
A 42-year-old man fell victim to an impersonation scam after he inadvertently accessed a fake “WhatsApp Web” phishing link on Oct 29.
The man, who wanted to be known only as Mr Fidie and who works at a construction firm, clicked on the first search result for “WhatsApp Web” on a Google search, not realising that this was not the official site.
He scanned the QR code there, which allowed scammers to log into his account from their own device.
Pretending to be Mr Fidie, they contacted 10 of his colleagues, including his boss, asking that they urgently lend “him” thousands of dollars for a family emergency.
One colleague fell for the ruse, and transferred $1,000 to a bank account designated by the scammers within half an hour of being asked.
He did not check with Mr Fidie, even though the scammers’ messages were in English and not Malay, which Mr Fidie typically uses to communicate with him.
Mr Fidie told The Straits Times that he felt bad that his colleague, who has four young children, lost money to the scam, and that he has repaid him. “We trust each other,” he said.
The scammers’ activities happened without Mr Fidie’s knowledge, as the scammers had archived the chats – hiding them from Mr Fidie’s list of WhatsApp chats – so he could not see what was going on.
He found out he had been scammed only a day after accessing the phishing link, when another colleague contacted by the scammers noticed that the language used was uncharacteristic of Mr Fidie, and brought it to his attention.
Mr Fidie quickly informed everyone he knew about the scam, and was told of the $1,000 loss.
The police have issued two advisories in the past month, warning of “WhatsApp Web” phishing links that open the door to impersonation scams.
From Nov 1 to 13 alone, such scams have claimed at least 93 victims and caused $176,000 in losses.
One of these victims is a 37-year-old accountant who wanted to be identified only as Ms KY.
A frequent user of “WhatsApp Web” at work, she unknowingly accessed a phishing link to the site on Nov 1 – the first link that she saw on a Google search.
She recalled that her first attempt at scanning the QR code on the fake site failed, but she did not think too much of it and simply scanned it a second time.
The first scan would have given the scammers access to her account.
The scammers waited three days before asking two of her close friends for money for an “aunt” who was in hospital. They even addressed the friends by nicknames that Ms KY typically uses in their WhatsApp chats, and also uploaded a picture of a woman lying on a hospital gurney.
One of Ms KY’s long-time friends quickly sent $3,000 to the scammers, as she was worried that Ms KY needed the money urgently.
As with Mr Fidie, the scammers covered their tracks, and Ms KY found out about the scam only when she returned a missed call from the friend.
“This was my first time encountering such a scam, so I was not on my guard,” said Ms KY.
To guard against such scams, the police advise members of the public to enable two-step verification on their WhatsApp accounts, and check that they are using the official WhatsApp Web website (https://web.whatsapp.com) or desktop app.
They also advise users to review their WhatsApp-linked devices regularly, and to beware of unusual requests received via WhatsApp.
“Now, I don’t dare to use WhatsApp Web any more,” said Mr Fidie.
He decided to speak to the media about his case to raise awareness about such scams.
His advice: “Always double-check the URL, don’t be like me.”