
Case Study: Social Engineering via WhatsApp – The “Vote for Agnes” Scam


Overview

In mid-2025, a wave of social engineering attacks emerged, targeting WhatsApp users through emotionally charged messages that appeared to come from trusted contacts. The scam exploited users’ empathy and trust to gain unauthorized access to their WhatsApp accounts.


Attack Vector

Victims received a message from a known contact, typically reading:


“Hi! Could you vote for Agnes? It’s really important to her—she’s trying to win a scholarship for university.”


The message included a link to a seemingly legitimate contest website (e.g., one related to children's gymnastics). To cast a vote, the site prompted users to “log in via WhatsApp.” In reality, that “login” step walked the victim through WhatsApp's linked-device (WhatsApp Web) pairing, so the device that ended up linked to the victim's account was the attacker's.


Impact

While WhatsApp account takeover does not directly compromise bank accounts, it enables attackers to impersonate victims and solicit money from their contacts—often via instant transfers or other peer-to-peer payment methods.


Prevention Strategies

  • Never log into WhatsApp via suspicious websites. Always verify the URL carefully—fraudulent sites often differ from legitimate ones by a single character.

  • Be cautious with QR codes and device linking. Confirm only those connections you initiated and trust.

  • Verify unexpected requests—even from friends. If you receive a strange message, call or message the person through another channel to confirm its authenticity.

  • Do not share verification codes. WhatsApp never asks for them via third-party websites.
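The “single character” lookalike warning in the first bullet, shown as a small added example that is not part of this article: a Python scanner that pulls links out of a chat message and labels each host as trusted, one edit away from a trusted domain, or merely carrying the brand name in an untrusted host. The trusted list (whatsapp.com, web.whatsapp.com) and the sample message with its made-up domains are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Assumption: the real WhatsApp hosts, the only domains a WhatsApp login page should sit on.
TRUSTED_DOMAINS = ("whatsapp.com", "web.whatsapp.com")
BRAND = "whatsapp"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Label a hostname relative to the trusted list."""
    host = host.lower().rstrip(".")
    if host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    if any(ord(ch) > 127 for ch in host):
        return "non-ascii-host"        # internationalised host: homoglyph risk, treat as suspicious
    if any(edit_distance(host, d) == 1 for d in TRUSTED_DOMAINS):
        return "lookalike"             # the single-character trick the article warns about
    if BRAND in host:
        return "brand-in-untrusted-host"
    return "unknown"


def scan_message(text: str) -> list[tuple[str, str]]:
    """Return (host, label) for every link found in a chat message."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        findings.append((host, classify_host(host)))
    return findings


# Constructed sample modelled on the scam text; every domain here is made up.
SAMPLE_MESSAGE = (
    "Hi! Could you vote for Agnes? https://vote-contest.example/agnes "
    "Log in via WhatsApp here: https://whatsap.com/web or https://whatsapp-login.example/verify"
)

if __name__ == "__main__":
    for host, label in scan_message(SAMPLE_MESSAGE):
        print(f"{label:24} {host}")
```

Anything other than “trusted” is a reason to stop and verify through another channel, which is exactly the habit the bullets above describe.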

Lessons Learned

This case highlights how attackers leverage emotional manipulation and social trust to bypass technical defenses. Even tech-savvy users can fall victim if they don’t pause to verify the legitimacy of a request.

© ALLWARE