Singapore Police issue warning on WhatsApp Web phishing scams involving fake QR code

The Singapore Police Force has sounded the alarm on the increase in impersonation scams on social media involving WhatsApp.

"With the latest updates of WhatsApp for iOS and Android, WhatsApp is rolling out the ability for users to record and share longer voice notes via status updates," reported WABetainfo.
Representational image. WhatsApp. Photo Courtesy: Pixabay

SPF said it “would like to remind members of the public to remain vigilant against social media impersonation scams”.

It said that the new scam involves scammers gaining access to WhatsApp accounts through the use of fake “WhatsApp Web” websites.

“The owners of the compromised WhatsApp accounts were led to the fake websites after conducting searches on online search engines. Such compromised accounts were subsequently used to contact and scam the account owner’s contacts. Since January 2024, at least 20 such reports have been lodged, with total losses amounting to at least SGD 46,000,” the SPF news release stated.

How does the scam happen?

Users who intended to access their WhatsApp accounts using their desktops would search for the “WhatsApp Web” website using online search engines. Users would click on the first few search results without verifying if these belong to the official WhatsApp website.

Screenshot of the fake websites. Photo courtesy: SPF
Screenshot of the fake websites. Photo courtesy: SPF

The users were then led to fake websites embedded with a genuine QR code which had been extracted from the official website of WhatsApp by the scammers. Scanning the QR code on these phishing websites would cause the user’s WhatsApp account to be linked to the scammer’s desktop. However, the users would still be able to access their WhatsApp account on their mobile phone/computer so they would not realise that their WhatsApp accounts have been compromised.

The scammers would use the compromised WhatsApp accounts to reach out to potential victims on the user’s WhatsApp contact list. The scammers would impersonate the WhatsApp account owner and deceive victims into transferring monies.

Genuine WhatsApp Web login page. Photo courtesy: SPF
Genuine WhatsApp Web login page. Photo courtesy: SPF

Scammers would typically claim that the monies are needed urgently for various reasons (e.g. to pay for purchases) under the pretext that their bank accounts have been restricted (e.g. exceeded transfer limits). Victims would then be asked to transfer money to bank accounts or PayNow numbers provided by scammers.

Police list measures

The police force have advised Singaporeans to stop using unknown websites found in their search engine to load “WhatsApp Web” website and to adopt the following precautionary measures:

ADD – Security features to the WhatsApp account by enabling the ‘Two-Step Verification’ feature.

CHECK – That they are using the official WhatsApp Desktop App or visiting the official website from WhatsApp when loading “WhatsApp Web” website. The official URL address is https://web.whatsapp.com;

Check with their WhatsApp contacts for any unusual requests purportedly made by them;

Check the linked devices in the WhatsApp settings tab regularly and log out linked devices that are not in use; and

Never share the WhatsApp account verification codes, personal information, banking details and OTPs with anyone.

TELL – authorities, family, and friends about scams. Report the compromised WhatsApp accounts to Meta/WhatsApp.

“If you have any information relating to such crimes or if you are in doubt, please call the Police Hotline at 1800-255-0000, or submit it online at www.police.gov.sg/iwitness. All information will be kept strictly confidential. If you require urgent Police assistance, please dial ‘999’.

“For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Helpline at 1800-722-6688. For instructions on how to activate additional security features on WhatsApp, visit https://www.whatsapp.com/security. Fighting scams is a community effort. Together, we can ACT Against Scams to safeguard our community!” it added.