Zero trust the key to staying one step ahead of wily online fraudsters

Scammers becoming increasingly sophisticated at covering their tracks as they target social media accounts

When the WhatsApp message arrived, it seemed genuine enough. A friend, asking for a code sent in error to the phone to be passed on. Could I possibly send on the code, as it was quite urgent?

There was something about the message that seemed off though – not least that the only message that had arrived with a code to my phone came from WhatsApp itself, and it was in Spanish. Alarm bells were ringing.

A quick phone call to the friend in question revealed the truth; she had received a similar message and forwarded on the code, and was now locked out of her instant messenger.

Whoever now had control of her account was sending out the same message to every contact in her address book in the hope that a couple would bite and the cycle would continue again.

There was a scramble to tell a few close people what had happened, just in case they too were taken in. Then a round of social media posts in the hopes of warning others who might fall for the scam.

How does something like this happen? We have all become more savvy at spotting the obvious scams, so scammers have become increasingly clever at covering their tracks. While we may be less inclined to open an attachment from an unknown person, or click on a link in an unsolicited email from a stranger, the scammers have had to up their game to make us fall for their ruses.

Fraudsters rely on social engineering to successfully pull off such scams, ie by making it seem as if the message comes from a trusted source so you lower your guard.

Paul Ducklin, senior technologist with security company Sophos, says the closed nature of instant messaging platforms means we are more likely to trust the messages that arrive through them.

“The messages are inherently going to come from your friends and family,” he explains. With that trust already in place, it is easier then for scammers to hit people up with things that they might believe, such as investment scams or cryptocurrencies.

The messaging companies have measures in place to stop unauthorised people from gaining access to your account without your knowledge. WhatsApp security measures require you to use a code sent by SMS or phone call to the phone number for which you are trying to set up an account, regardless of whether it is an existing account on a new phone or whether you are reregistering on a new phone.

Because WhatsApp can only be used on one mobile device at a time, when the account is registered on a new device, it is automatically logged out of any other devices currently using it.

Genuine communications

While that is a great security measure to keep your account safe, in this case it was the very thing that locked my friend’s account. By sending on the code to the scammer, she essentially handed over the keys to the account. It took two hours to be able to register the account on her own phone again, which meant that for 120 minutes, they had unfettered access to her account and its contact list – giving them an established, trusted identity to use to try to con others out of their accounts.

We’ve known for some time that we should be careful how – and with whom – we do business online, and guard certain passwords carefully. But as the scammers get more sophisticated, it can be harder to weed out the genuine communications from the fraudulent messages.

While we may be vigilant about what we do with our financial information – credit card details, bank accounts and so on – that may be the least of our worries.

In fact, while a nuisance, banking information is the easiest thing to change; cards can be frozen via banking apps, or can be cancelled with a quick call, rendering the information virtually useless.

Ditto for passwords, most of which can be easily and quickly changed. But Ducklin warns against becoming complacent about our accounts.

“People think that their banking passwords are important, that their tax office passwords are important, their email passwords, their work passwords,” says Ducklin. “But social media?”

There is a certain sense of security there, when people use nicknames instead of real names, or don’t upload anything personal to their accounts.

“They think ‘Why would I really care about losing my password? Why would I care about two-factor authentication and all that? What can the crooks get out of it?’,” he says. However, he notes, an entry to one is an entry to all.

“Just the waste of time is bad enough let alone if that is an investment scam. If you’ve got 100 friends online and if one, through your sloppy behaviour, is persuaded because it’s in your name to put money where they shouldn’t, that’s a pretty bad feeling.”

Scammers are also counting on our obliviousness. How often do you check your bank statement to check that all the transactions are yours? How about looking at your credit report? According to credit reference agency Experian, identity fraud can typically take up to 15 months to discover.

Financial fraud may come to light eventually. But what about your old social media accounts, long abandoned and forgotten about? According to Sophos’s Ducklin, that could be another way your identity is being used for nefarious purposes, with your old accounts possibly being used to sell fake followers for example.

“People underestimate how these things might come back to haunt them. It’s not all about ransomware and €10 million ransoms.

“It’s also about little things that give the cybercrooks a vehicle to peddle their stuff free of charge with other people’s endorsements,” he said. “Even if you’ve gone under a fake name, it’s still your account. And good luck denying that if it is actually your account.”

There are ways that we can protect ourselves: keeping antivirus software up to date, installing the operating system updates on our devices in a timely manner, and avoiding sites that seem too good to be true.

Two-factor authentication, where available, should also be enabled. That would require anyone trying to gain access to your accounts to not only know the login and password, but also to have another unique code before they can access the account.

Enabling that would have kept hackers out of WhatsApp accounts, and it is a common feature on everything from social media to large shopping sites such as Amazon. Even our credit and debit cards have it for online purchases these days, thanks to the Payments and Services Directive.
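As an added illustration of the registration flow described above (a toy model written for this page, not WhatsApp’s code; the Registry class, the owner-chosen PIN as a second factor and the phone number are all assumptions), a forwarded one-time code binds the account to whichever device presents it, while a PIN that only the owner knows stops that:

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    phone: str
    device: Optional[str] = None         # device that currently holds the session
    pin: Optional[str] = None            # hypothetical second factor chosen by the owner
    pending_code: Optional[str] = None   # one-time code last sent by SMS

class Registry:
    """In-memory stand-in for a messaging provider's registration service (assumed)."""
    def __init__(self) -> None:
        self.accounts: dict = {}
        self.sms_log: list = []          # (phone, text) messages "sent" to the handset

    def request_code(self, phone: str) -> None:
        """Anyone may ask for a code, but it is delivered only to the phone number itself."""
        acct = self.accounts.setdefault(phone, Account(phone))
        acct.pending_code = f"{secrets.randbelow(10**6):06d}"
        self.sms_log.append((phone, f"Your code is {acct.pending_code}"))

    def register(self, phone: str, device: str, code: str, pin: Optional[str] = None) -> bool:
        """Bind the account to `device` when the code, and the PIN if one is set, are right."""
        acct = self.accounts.get(phone)
        if acct is None or acct.pending_code is None:
            return False
        if not secrets.compare_digest(code, acct.pending_code):
            return False
        if acct.pin is not None and (pin is None or not secrets.compare_digest(pin, acct.pin)):
            return False
        acct.pending_code = None         # codes are single use
        acct.device = device             # any other device is logged out, as the article describes
        return True

def last_code_for(reg: Registry, phone: str) -> str:
    """The six digits the handset owner reads off the latest SMS (constructed format)."""
    return [text for p, text in reg.sms_log if p == phone][-1].split()[-1]

def simulate_forwarded_code(pin_enabled: bool) -> str:
    """Owner passes on a code someone else requested; returns the device left holding the account."""
    reg, phone = Registry(), "+000 CONSTRUCTED"
    reg.request_code(phone)
    reg.register(phone, "owner-phone", last_code_for(reg, phone))
    if pin_enabled:
        reg.accounts[phone].pin = "246810"   # set by the owner before any of this happens
    reg.request_code(phone)                  # registration started from a different device
    reg.register(phone, "other-device", last_code_for(reg, phone))  # forwarded code, no PIN
    return reg.accounts[phone].device
```

Without the PIN the forwarded code alone moves the session to the other device and the owner is logged out; with the PIN set the same code is useless on its own.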

The next time you sign up for a new service too, think about the passwords you are using. While it is tempting to use an easy to remember, probably reused password, that is a major risk. Data breaches happen all the time, meaning your “closely guarded” passwords may already be out there, available to buy on the dark web. Experts recommend using password managers to help you create strong, unique passwords for each service, and then store them securely for you.

Master password

While it might seem counter intuitive to place all your eggs in one basket, so to speak, security experts stand behind such services, provided you can come up with a strong master password with which to protect your log in credentials. Among the most popular services are Dashlane, 1Password, LastPass and NordPass. Some have a limited free option, if you want to try before you buy.

Common sense plays a huge role here too. If something seems too good to be true, it probably is. If a site is asking for information that you would usually use to verify your identity – quizzes that look for your mother’s maiden name, perhaps – then perhaps you should think twice.

One thing that we have all become used to is the free wifi hotspots at cafes and shopping centres.

But convenient as they are, some are unencrypted and as such they could also pose a risk to your private information and put you at risk of having your identity stolen by those intercepting traffic on the network. Scammers can also set up fake wifi hotspots that look legitimate to fool you into trusting them.

With so many risks out there, how do you navigate them safely? If in doubt, don’t do any sensitive business on a public wifi hotspot, including your banking.

The other answer? A virtual private network service, such as Express VPN or NordVPN. Not only can they help you hide your location – a handy way to get around geoblocks for certain services such as video streaming – they can also help keep your internet traffic safe from prying eyes.

Even if you take all these precautions, there is no guarantee that you will not fall victim to online fraud. But when it comes to beating fraud, being less trustful is key. Becoming a sceptic about everything will help you avoid becoming a victim of fraudsters. That means questioning everything, never blindly clicking on a link but rather searching it out on the company’s website itself, and if in doubt, contacting the company by a phone number that you know is genuine. And, as I found out, calling a friend to make sure it was in fact them who sent that message.

Ducklin likens it to a situation he found himself in in the US, where he was asked for ID to buy alcohol, despite being over the age of 21.

“The server said ‘the easiest thing to do is just ask everybody, and then we can’t possibly make a mistake’,” he said. “And I thought if more cybersecurity was like that, then how much more resilient we would be to phishing and social engineering, if you never take anything for granted, the whole zero trust idea, then how much better we would all be.”