SMS, the dinosaur-era “app”, is still being used by people even if you’re a millennial who’s moved on to Telegram: you need SMS to log in to SingPass with 2FA, you need SMS to receive a 2FA code when you’re ordering McDonald’s sour egg yolk fries online and you need SMS to remind you that your IPPT is due.
And most importantly, you need SMS to verify your most-used messaging platforms like WhatsApp or Telegram.
Kind of how you need Internet Explorer to download Google Chrome.
And scammers being scammers, they’ve come out with a way to scam you via this 2FA system in an ingenious way—so smart, they’ve scammed at least 10 people in Singapore this year, and we’re only less than two weeks into 2019.
Here’s how it works and what you should take note of, and most importantly, how you can help break this “chain” of scam because it needs more victims to have more victims.
WhatsApp Takeover with Verification Code
Whenever you switch your phone and install a new WhatsApp into your new phone, you’d be asked to verify your account. To do so, you’d receive a SMS to your phone number so as to verify that you’re really changing your phone.
Now, here’s the scary part: people can register a WhatsApp account even without your SIM card. They merely need to key in the phone number and ta-da: they can log into your WhatsApp account…if they have the verification code, that is.
It seems so common to receive verification codes you didn’t request for that the WhatsApp website even has a FAQ page to this:
So here’s how the scam works: the scammer would have already had access to your friend’s, say Bufflord95, account. With that, he found your number.
He then tried to register your WhatsApp account and so, you’ll receive a verification code from WhatsApp. He’d then use Bufflord95’s account to contact you and ask for the verification code.
Given that you trust Bufflord95 (not knowing that his account has been compromised), you then provide the code…and ta-da: you account has been compromised as well.
And so, the cycle goes on and the scammer tried to scam your friends and take over their accounts, too.
What Do Scammers Do with Accounts That Have Been Overtaken?
Well, simple: they’ll get your friends to help buy gift cards online and with the gift cards, they’ll sell it.
Kind of like how many years ago, people’s Facebook accounts were hacked and they were going around asking others to help buy gift cards online.
The scam works because just like the Facebook scam back then, it looks like a legit message from your friend—from the verification code to the gift card purchase. You won’t want to reject your crush, eh?
Here’s our friendly Police’s advice:
- Beware of unusual requests received over WhatsApp, even if they were sent by your WhatsApp contacts;
- Always call your friend to verify the authenticity of the request;
- Protect your WhatsApp account by enabling the ‘Two-step Verification’ feature, which is available under ‘account’ in the ‘settings’ tab of your WhatsApp application. This will prevent others from compromising your WhatsApp account.
If you’d have noticed, as long as the scam cycle is broken, it won’t spread as it needs more victims for the scam to work.
So do yourself a favour and tell more people about this.
This is SPF’s official statement on this scam:
In the meantime, do yourself a favour and subscribe to our YouTube channel as well: we work very closely with the police to spread anti-scam messages like these videos we’ve done with them: