SINGAPORE - When a secondary school friend contacted him out of the blue a few months ago asking for a verification code on WhatsApp, administrative executive Tan Jun Heng, 25, did not suspect anything was amiss.
His friend simply claimed to have "accidentally" sent the code to his number.
But, within seconds of sending the code, Mr Tan was automatically locked out of his own WhatsApp account.
It had been hijacked.
"I started panicking and tried to log back in, but I ended up competing (virtually) with the hacker for control of the account," said Mr Tan, who regained control of his account some 24 hours later after writing to WhatsApp.
By then, the hacker had assumed his identity and tricked two of his friends into handing over their verification codes as well.
Mr Tan and his friends are among a growing pool of WhatsApp users who have become victims of social hacking, where scammers use already hijacked social media accounts to contact victims by posing as their friends or family.
Hackers typically ask for their victims' WhatsApp security verification codes, or trick the victims into handing them over. These codes must be entered when registering a mobile phone number on a new phone or device. The hackers then use the codes to gain full access to their victims' accounts.
The Singapore Police Force has issued multiple warnings of such "takeover" attacks in the past two years.
The latest advisory in February noted that there had been at least 18 known reports involving the takeover of a victim's WhatsApp account since December last year. This does not include unreported cases, the number of which is expected to be much higher.
Cyber security firm Kaspersky's Asia-Pacific managing director, Mr Stephan Neumeier, said that with over two billion users, WhatsApp has become a "prime target for cyber criminals looking to leverage on the wealth of user data that is available".
National University of Singapore Associate Professor Chang Ee-Chien said the impersonation tactics used by hackers, which are also known as "social engineering" attacks, are far more common than other attacks like zero-day vulnerability attacks, where hackers take advantage of a vulnerability in the application's software.
"It is very low tech, but very effective, as people tend to trust their friends or family," said Prof Chang, whose research interests include data privacy.
With full access to their victim's account, hackers may then exploit the victim's personal relationships and ask for money from friends or family.
Or, if they glean enough information about their victim's place of employment, they may also target the victim's workplace, added Prof Chang.
Ms Yvonne Wong, associate director at the Association of Information Security Professionals (AiSP), noted that bad actors may even sell their victim's personal information on the dark web.
However, experts say there are measures that users can take to prevent such attacks.
Ms Wong and AiSP executive committee member James Tan said setting up a two-step verification process on your WhatsApp account can prevent others from signing in to it.
Users should not click on suspicious-looking links, even if they are purportedly from friends or family, they added.
For impersonation scams, however, "the only solution is to not trust people", said Prof Chang.
He added: "It is very important that you must presume that whoever is speaking to you on the other end is not your friend."
How to safeguard your account
• Enable two-step verification, which requires the entry of a unique PIN to access your account.
• Never divulge your PIN or verification codes to anyone, and do not click on any unknown links or attachments.
• Ensure that you log out of WhatsApp Web properly, especially if your computers are not secured by passwords or biometric data.
• Check app settings to limit the amount of information hackers could get from your WhatsApp account if it is compromised. For instance, do not allow WhatsApp to share location information and do not allow unknown people to add you to group chats.
• Deactivate the autofill option on your phone. While it is a time-saving feature, it also means that your personal details are stored on your phone, and any hacker who has access to your phone will be able to see such information.
• When you have a particularly sensitive transaction to make, use a virtual private network (VPN) to protect yourself from hackers. The VPN will disguise your Internet Protocol address, making it impossible to track you. It also provides another layer of encryption.
These tips were compiled from Kaspersky, the Association of Information Security Professionals and WhatsApp.
Source: The Straits Times © Singapore Press Holdings Limited. Reproduced with permission.