Now even scanning QR code to use desktop version of WhatsApp may not be safe, thanks to scammers

Watch out for fake “WhatsApp Web” websites.

They are part of a new phishing scam that tricks you into authorising scammers to access your WhatsApp account, the police have warned.

What happens is this: when you want to access your WhatsApp account on your desktop, you might search for the official “WhatsApp Web” website using an online search engine.

For convenience, scam victims would click on one of the first few search results without verifying the URL.

But the URLs they visited were not the official WhatsApp website. They were phishing websites embedded with a genuine QR code extracted from the official WhatsApp website.

When the victims used the QR code scanning function in WhatsApp on their mobile devices to scan the QR code on the phishing websites, they would notice that the websites did not respond: they were not brought to the WhatsApp Web interface on their desktops.

But the scammers who had embedded the QR codes in the phishing websites would then be able to gain remote access to the victims’ WhatsApp accounts and perform unauthorised actions, such as messaging the victims’ contacts to ask for their personal details and i-banking credentials, or requesting that monies be transferred to a designated bank account.

As the victims could still access their WhatsApp accounts while the scammers concurrently used those accounts to conduct scam activities, the victims would only discover that their accounts were compromised when their contacts told them about unusual requests, such as requests for the transfer of monies or for i-banking credentials.

You are advised to adopt the following precautionary measures:

  • Always ensure that you are using the official WhatsApp Desktop app or visiting the official website from WhatsApp for “WhatsApp Web”. The official URL address is web.whatsapp.com.
  • Never share your WhatsApp account verification codes, personal information, banking details and one-time passwords with anyone.
  • Beware of unusual requests received over WhatsApp, even if they were sent by your WhatsApp contacts.
  • Protect your WhatsApp account by enabling the Two-Step Verification feature. This can be done by opening WhatsApp and going to Settings → Account → Two-step Verification → Enable.
  • Check your linked devices regularly. Go to WhatsApp Settings > Linked Devices to review all devices linked to your account. To remove a linked device, tap the device > Log Out. For instructions on how to activate additional security features on WhatsApp, visit www.whatsapp.com/security.
  • Set a device code and be aware of who has physical access to your phone. Someone who has physical access to your phone might use your WhatsApp account without your permission.
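
The first precaution, checking that the address really is web.whatsapp.com, is easy to get wrong by eye because a look-alike link can contain that exact text. The following is an added example, not part of the police advisory or the original article: a strict hostname check in Python that a mail filter, proxy rule or helpdesk script could apply to a link. The sample links are constructed, and the HTTPS-only and port rules are assumptions of this example.

```python
from urllib.parse import urlsplit

OFFICIAL_HOST = "web.whatsapp.com"  # official address stated in the advisory


def check_whatsapp_web_url(url):
    """Return (is_official, reason) for a link, e.g. one copied from a search result."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port
    except ValueError:
        return False, "address cannot be parsed"
    if parts.scheme != "https":  # assumption: the official site is only used over HTTPS
        return False, "not an https:// address"
    if not host:
        return False, "no hostname"
    if parts.username is not None:
        # "https://web.whatsapp.com@other.example" really goes to other.example
        return False, "text before '@' is not the site; real host is " + host
    host = host.rstrip(".")
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised look-alike hostname"
    if host != OFFICIAL_HOST:  # exact match: no prefix, suffix or substring tests
        return False, "hostname is " + host + ", not " + OFFICIAL_HOST
    if port not in (None, 443):  # assumption: only the default HTTPS port is expected
        return False, "unexpected port"
    return True, "official WhatsApp Web address"


# Constructed sample links (not taken from any real campaign)
SAMPLE_LINKS = [
    "https://web.whatsapp.com/",
    "https://web.whatsapp.com.login.example/",
    "https://web.whatsapp.com@login.example/",
    "https://web-whatsapp.example/",
    "https://web.whats\u0430pp.com/",  # Cyrillic letter U+0430 in place of Latin "a"
    "http://web.whatsapp.com/",
]


def flagged(links):
    """Return only the links that fail the check, with the reason."""
    return [(u, check_whatsapp_web_url(u)[1]) for u in links if not check_whatsapp_web_url(u)[0]]


if __name__ == "__main__":
    for link, reason in flagged(SAMPLE_LINKS):
        print(f"REJECT {link}: {reason}")
```

Only the first sample link passes. A passing address says nothing about a page reached some other way, so the Linked Devices review in the list above remains the way to spot a session that was already authorised.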