In mid-2025, a wave of social engineering attacks emerged, targeting WhatsApp users through emotionally charged messages that appeared to come from trusted contacts. The scam exploited users’ empathy and trust to gain unauthorized access to their WhatsApp accounts.
Victims received a message from a known contact, typically reading:
“Hi! Could you vote for Agnes? It’s really important to her—she’s trying to win a scholarship for university.”
The message included a link to a seemingly legitimate contest website (e.g., related to children's gymnastics). To cast a vote, the site prompted users to “log in via WhatsApp.” In reality, this process connected the attacker’s device to the victim’s WhatsApp account using WhatsApp Web pairing.
While WhatsApp account takeover does not directly compromise bank accounts, it enables attackers to impersonate victims and solicit money from their contacts—often via instant transfers or other peer-to-peer payment methods.
Never log into WhatsApp via suspicious websites. Always verify the URL carefully—fraudulent sites often differ from legitimate ones by a single character.
Be cautious with QR codes and device linking. Confirm only those connections you initiated and trust.
Verify unexpected requests—even from friends. If you receive a strange message, call or message the person through another channel to confirm its authenticity.
Do not share verification codes. WhatsApp never asks for them via third-party websites.
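The single-character check from the advice above can be automated. The following is an added example, not part of the original advisory: it flags links whose domain is exactly one edit (insert, delete, substitute or adjacent swap) away from a trusted domain. The trusted list, the function names and the sample URLs are assumptions constructed for illustration, not observed indicators.

```python
import re
from urllib.parse import urlsplit

# Assumption: the domains treated as genuine WhatsApp hosts.
LEGITIMATE = {"whatsapp.com"}

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ts" typed as "st".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def registrable(host: str) -> str:
    # Simplification: last two labels. A production check would use the
    # Public Suffix List to find the registrable domain.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(url: str, legitimate=LEGITIMATE) -> str:
    if "://" not in url:
        url = "//" + url  # let urlsplit find the host in scheme-less links
    # .hostname drops any "user@" prefix, so "trusted.com@other.example"
    # is judged by its real host, other.example.
    domain = registrable(urlsplit(url).hostname or "")
    if domain in legitimate:
        return "trusted"
    if any(osa_distance(domain, good) == 1 for good in legitimate):
        return "lookalike"
    return "unrelated"

def flag_links(text: str) -> list:
    """Return (url, verdict) for every look-alike link found in a message."""
    urls = re.findall(r"https?://\S+", text)
    return [(u, "lookalike") for u in urls if classify(u) == "lookalike"]

# Constructed sample message modelled on the lure described above.
SAMPLE = ("Hi! Could you vote for Agnes? https://gymnastics-vote.example/agnes "
          "then log in via https://web.whatsap.com/login")
```

A verdict of "unrelated" only means the domain is not a near-miss of a trusted one; the contest site in the sample is unrelated, yet the pairing prompt it leads to is still the attack.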
This case highlights how attackers leverage emotional manipulation and social trust to bypass technical defenses. Even tech-savvy users can fall victim if they don’t pause to verify the legitimacy of a request.