2021-02-09

Social media is everywhere and whether you use WhatsApp or other platforms, chances are that you have a significant social media digital footprint.

The use of social media and messaging apps continues to rise and is now pervasive. While they are important tools, they come with many risks, such as phishing, targeted attacks, spread of malware, exploitation of accounts and endpoints, and loss of reputation for organisations.

With over 2 billion WhatsApp users globally, attackers can use the application as both a form of delivery and a way to reach more targets after each successful attack.

The pandemic increased our need for a real-time social platform to stay connected with friends and family, but it also significantly increased the level of attacks that use app-based messaging services as the preferred medium.

What are the security risks?

A WhatsApp attack follows the same process we see in email phishing attacks: it starts with a message embedding a legitimate-looking web link, sent either from a known but compromised user account or from a random phone number.

Even though WhatsApp shows a preview of the linked website, attackers can make the fake page convincing enough to appear legitimate to the user.

The message carries an emotional, motivational or time-sensitive hook. Once you click the link and enter any credentials, the attacker could invade your privacy or install malware, such as ransomware, on your device.

The fake website can look like your Facebook or bank’s login page, or any other frequently visited website. Once you enter any credentials, you may get redirected to the real website or the page could time out. By this time, the attacker has your credential details along with access to your mobile device.
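The paragraphs above describe the link as the first step of the attack, so a defender's first check is the link itself before anyone taps it. The following is an added example, not code from the article or from WhatsApp: a small link-triage routine that pulls every URL out of a message and flags the signs that distinguish the look-alike pages described above from the real Facebook or bank login page. The allowlist of trusted domains, the sample message and the flagged URLs are all constructed for this example.

```python
"""Constructed example: triage the links in a chat message before anyone taps them."""
import re
from urllib.parse import urlsplit

# Assumption: the registrable domains this recipient legitimately deals with.
# This is a constructed allowlist for the example, not anything from the article.
TRUSTED_DOMAINS = {"facebook.com", "whatsapp.com", "examplebank.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a host.

    Simplification: this ignores multi-label public suffixes such as co.uk;
    a real deployment would consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str):
    """Return (verdict, reasons) for one URL.

    The verdict is 'trusted' only when the link lands on an allowlisted
    registrable domain and trips none of the red flags below.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []

    if parts.scheme.lower() != "https":
        reasons.append("not https")
    if parts.username is not None:
        # Anything before '@' is userinfo, not the host, so the brand a reader
        # sees at the start of the link is not where the browser will go.
        reasons.append("credentials embedded before host")
    if IPV4_RE.fullmatch(host):
        reasons.append("raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")) or any(ord(c) > 127 for c in host):
        reasons.append("internationalized/punycode host (possible look-alike)")

    domain = registrable_domain(host)
    if domain not in TRUSTED_DOMAINS:
        # A trusted brand name used as a subdomain or path of an unrelated domain
        # is the classic way a fake login page borrows legitimacy.
        brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
        if any(brand in host for brand in brands):
            reasons.append("trusted brand name appears outside its real domain")
        reasons.append(f"unknown domain: {domain}")

    verdict = "trusted" if not reasons else "suspicious"
    return verdict, reasons


def triage_message(text: str):
    """Extract every link in a message and classify each one."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")  # drop trailing sentence punctuation
        verdict, reasons = classify_url(url)
        results.append((url, verdict, reasons))
    return results


# Constructed sample message in the style the article describes: urgency plus links.
SAMPLE_MESSAGE = (
    "URGENT: your account will be locked today. Verify here: "
    "https://facebook.com.verify-account.example/login "
    "Official help page: https://www.facebook.com/help "
    "Or use the mirror http://192.0.2.10/login now!"
)

if __name__ == "__main__":
    for url, verdict, reasons in triage_message(SAMPLE_MESSAGE):
        print(f"{verdict:10} {url}")
        for reason in reasons:
            print(f"           - {reason}")
```

Only the second link in the sample message comes back as trusted; the first borrows the Facebook name as a subdomain of an unrelated domain, and the third is a plain-HTTP link to a raw IP address. The same routine can be pointed at an exported chat or at a link-scanning bot in a group, and the allowlist is the only part that needs to be tailored to the recipient.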

Unlike email solutions, these services do not have any security features that can detect and prevent attacks like phishing or malware. Your WhatsApp account can be at risk if an attacker has access to your contact list or new incoming messages.

Attackers can send messages to your family, friends or any other contacts who will trust messages coming from you, typically asking for money or to install malicious content.

Organisations are constantly breached through public platforms and all it takes is one compromised account for an attacker to access more contacts and groups.

As a security practitioner, it is easy to challenge the use-cases and limitations of WhatsApp: it is intended for personal communication, not for sharing confidential business-related information.

Although WhatsApp encrypts messages sent on its network, it is still not suitable for sensitive information (credit card, passport, IDs, etc.) because the user has no control over the data, including where it is gathered, stored, or destroyed, and that presents a potential risk.

Organisations and individuals who require a higher level of security can opt to use private paid channels, such as Slack, which offer similar functionality to mainstream messaging services but give the user more control of their data.

How to stay secure

WhatsApp and general app-based messaging tools are public and free of cost, and not without security vulnerabilities. Also, while changes to policies and regulations by social media companies and countries may make life more difficult for some cybercriminals, users of these platforms remain vulnerable, especially if they have linked their social media and messaging accounts using the same credentials.

A general best practice is to use two-factor authentication and set a different password for each account, using a trusted password manager to generate and store strong passwords. As we do in our work environment, we must always stay vigilant against potential cyber-attacks such as phishing.

It is important to follow a list of practices such as:

Do not share personal information if your app-based messaging service is requesting it.

Do not trust a link you didn’t ask for, even if it’s coming from a trusted source.

Never share your 6-digit verification code, even if you think it’s for a different account.

Enable the 'Two-step verification' PIN in WhatsApp.

Beware of social engineering messages from unknown sources making you feel rushed to take action or emotionally obligated.

Block users who send you spam or hoax messages and report them to WhatsApp within the app.

If your WhatsApp account has been breached, follow these steps:

Reinstall WhatsApp immediately and get a new verification code.

Set up the 6-digit PIN on your account.

Change your Facebook password.

Set up two-factor authentication on Facebook.

Much like any email service, there is usually no way to stop incoming messages easily. On widely used platforms such as WhatsApp, it is even more difficult to avoid attacks such as phishing because of the massive scale of people using the platform. If we follow the best practices highlighted above, however, we will be much closer to a more secure user experience.

Haider Pasha is chief security officer at Palo Alto Networks, Middle East and Africa (MEA)