Singapore police alerts public of new WhatsApp phishing scam

The Singapore Police Force (SBF) have issued a warning about a new phishing scam variant that targets WhatsApp users. Scammers have managed to deceive individuals by creating fake ‘WhatsApp Web’ websites that open access to their WhatsApp accounts.

When looking up ‘WhatsApp Web’ on search engines, these fake phishing sites appear among the top results. They contain QR codes from the official WhatsApp website.

However, when victims scan these QR codes with their mobile devices, scammers secretly gain remote access to their WhatsApp accounts.

They then use the compromised accounts to request personal information, banking credentials, or money transfers from the victims’ contacts. Victims may not realise their accounts are being compromised until their contacts alert them to unusual activity.

The alert from SBF also came along with precautionary measures for members of the public in order to avert such scams. These include making sure that they are using the official WhatsApp Desktop App or the official ‘WhatsApp Web’ site, enabling ‘Two-Step Verification’ in WhatsApp settings, securing the our device with a code and monitoring physical access to one’s phone and so on.

The police have also advised people to not share WhatsApp verification codes, personal, banking details, or OTPs with anyone. On top of it, they have been asked to be cautious of unusual requests received on WhatsApp, even from known contacts and regularly check and manage linked devices in WhatsApp settings and log out from any unrecognised devices.

As per reports, Singaporean actress Aileen Tan was also a victim of this WhatsApp scam. Hackers used her credentials to ask her husband to transfer money to a bank account in Hong Kong.

Phishing scams have been quite abundant across the cryptocurrency sector. Last month, users of password manager application LastPass were affected in a similar attack where they lost about $4.4 million worth of crypto. At least 80 crypto wallets were compromised in relation to the hack, where funds were stolen from the Bitcoin, Ethereum, BNB, Arbitrum, Solana and Polygon blockchains.

In August, layer-1 blockchain Terra’s official website was also compromised where malicious actors reportedly used the site to attempt phishing attacks on visitors.

People who open the website were prompted to connect their online or hardware wallets. The hackers disguised the official Terra webpage in order to insert a malicious code into users’ wallets.

If a user connected a wallet to this compromised web page, they ended up signing a digital signature, giving the hacker access to assets in their wallet.

Terra’s official X (formerly Twitter) account soon posted a warning message saying: “To avoid potential phishing scams, please continue to avoid interacting with sites with the terra(dot)money domain until we post another update confirming full access.” It also requested their users to only refer to the official communication channels for updates.