As the popularity of digital payment services continues to soar, the introduction of WhatsApp’s in-chat payment feature in Singapore has provided users with a convenient and cost-effective way to send and receive money. However, alongside the benefits of this innovation, there are growing concerns about the rise in financial scams targeting WhatsApp users.

To shed light on these issues and provide guidance on protecting oneself from scams, we interviewed Ian Lim, Field Chief Security Officer, JAPAC, at Palo Alto Networks. With extensive expertise in cybersecurity, Lim shares valuable insights and best practices for users, businesses, and banks to enhance their security measures and ensure a safe experience with WhatsApp payments.

Ian Lim, Field Chief Security Officer at Palo Alto Networks

What is your opinion on the new in-chat feature launched by WhatsApp in Singapore that enables local businesses to accept payments directly through the application?

  • Convenience: With WhatsApp Pay, users can easily send and receive money without needing a separate app.
    • It also works well because many users may not have other payment platforms installed, and WhatsApp is universally used across the user demography. This has also widened the ability of users to interact with local businesses – in addition to only viewing storefronts, they are able to make direct purchases.
  • No transaction fees: WhatsApp Pay does not charge any transaction fees, making it a cost-effective payment method.
    • Some of the other platforms tend to have hidden fees or may charge a commission.

However, we also see that threat actors are getting more sophisticated by the minute in how they try to scam users. As with any innovation or tech feature, users need to be hypervigilant in how they use the feature, be aware and identify possible scam tactics, and avoid them as much as possible.

While the new feature may provide ease of doing business and expand revenue streams, there are concerns about the rising volume of financial scams in Singapore. What are your thoughts on this issue?

We see impersonation attacks as one of the very common modes of exploitation for this WhatsApp feature.

Scammers may try to impersonate family members in difficulty and in urgent need of money. Scammers may also impersonate authorities or hospital workers, presenting a sense of urgency for the WhatsApp user to pay money. Victims then transfer money using the WhatsApp Pay feature, thinking they are helping out their loved ones.

Account takeovers are also another risk. Many of us log on to WhatsApp on different devices using a QR code. Some of these devices may be unprotected, allowing hackers to compromise, gain access and remote control to the WhatsApp account – they can now reach out to the user’s WhatsApp contacts for money.

Another concern is social engineering attacks, which emerge from the fraud risk linked to WhatsApp’s large user base. The 2022 Unit 42 Incident Response Report highlighted that 42% of the suspected means of access used by threat actors were phishing and social engineering.

The privacy concern is a larger problem with WhatsApp than the other payment applications primarily because of its large user base, making it much harder for the company to curb social engineering attacks.

Clarifications from WhatsApp: Payments on WhatsApp are only available for businesses using the WhatsApp Business Platform. This means that people in Singapore will only be able to pay local businesses through this feature, and not other users. WhatsApp has no further plans for this. Furthermore, WhatsApp policies require users to provide their legal name and identity as part of verification measures before they can use Payments. In order to use the feature, businesses will need a WhatsApp Business Account, a Stripe account, and their business’ Goods and Services Tax (GST) number. WhatsApp’s payments partner, Stripe, will also have their own onboarding and regulatory requirements for businesses. These collectively add additional layers of security for both users and businesses.

The service launched earlier in India and Brazil has been widely used by scammers to swindle people of their hard-earned money. Do you think that this could be a potential threat to users in Singapore as well?

Mobile payment security concerns are still at large amongst businesses and consumers alike. No payment apps or countries are immune to risks.

In 2022, Palo Alto Networks predicted that the API economy will usher in a new era of digital fraud and exploits, including in the financial sector. We’re seeing how the rise of open banking, solid fintech growth in the region, and poor programming done at the API level can have serious repercussions. Moreover, our State of Cybersecurity ASEAN 2022 report found that financial services and fintech were the prime targets for cyber attacks.

Users need to be aware that while digital and mobile payment services bring greater convenience and accessibility, they are not without potential risks. Reliance on digital services presents more opportunities for cybercriminals to carry out identity theft, fraud, and unauthorized data collection.

Any security misconfigurations in fintech apps or digital banking APIs could be exploited as an entryway for scammers to gain access to personal data and carry out other attacks, such as spear-phishing, account takeovers, or business e-mail compromise.

What are the challenges of not being able to spot and block scam messages due to encryption?

  • The challenge of being unable to spot and block scam messages due to encryption is that it makes it difficult for authorities, service providers, or individuals to monitor and identify malicious activities.
  • Encrypted messages are designed to be secure and private, so they cannot be read by anyone except the sender and recipient.
  • This also means that scammers can use encrypted channels to conduct their fraudulent activities without being detected easily.
  • It makes it harder for law enforcement agencies to investigate and prosecute scammers, and it also puts the onus on individuals to be vigilant and protect themselves from scams.
  • Without the ability to spot and block scam messages due to encryption, the risk of financial losses, identity theft, and other types of fraud is higher.

Clarifications from WhatsApp: When making a purchase, buyers are directed to a webpage to enter their payment card details. This webpage is hosted by a payment partner – Stripe, in the case of Singapore – who collects the necessary information to process the payment (image below). The information goes directly to the payment partner, and is not processed or seen by WhatsApp, enhancing security for users.

Reporting is one of the key ways WhatsApp is able to identify scam messages, and ban accounts that violate its Terms of Service. When an account is reported, WhatsApp receives the last five messages sent by the reported account, and is able to ban it if found to be in violation of WhatsApp’s Terms of Service. Users can easily report and block malicious messages on WhatsApp. WhatsApp also uses advanced machine learning technology to spot suspicious patterns of behaviour and ban scammers on the platform. Through user reports and advanced machine learning technology, WhatsApp has been able to identify and remove over 2 million accounts per month (globally) engaging in suspicious and abusive behaviour.

There have been cases of scamsters offering people to complete a small task for a “reward” in the form of cash and luring them into fake job offers. Can you share your insights on this?

This is a common tactic used by fraudsters to trick unsuspecting individuals. This scam is known as a “work-from-home” or “job offer” scam. The scammers typically ask the victim to complete a simple task or assignment, such as filling out a survey or data entry job, and promise to pay them upon completion.

Once the task is done, the victim is asked to pay an upfront fee or provide personal information, such as their bank account or credit card details, to receive the promised payment. In reality, the job offer is fake, and the scammers never intend to pay the victim.

This scam preys on vulnerable individuals struggling to find work or looking for ways to make extra money. The scammers use the promise of a small reward to lure victims into their trap and then exploit their financial situation for their gain.

To avoid falling victim to this type of scam, it is essential to be cautious and sceptical of any job offers or work-from-home opportunities that seem too good to be true.

It is also important to research the company or individual offering the job and never to provide personal information or pay any fees upfront before receiving payment.

Scammers have also been using QR codes in WhatsApp payments to siphon money through online shopping offers. Can you explain this modus operandi?

When a consumer buys items via online selling platforms, chances are the sellers will send the QR code for their account to make the payment, and at times this is sent to the consumer’s mobile number through WhatsApp. Scammers may try to send their own QR code, which is then used by the customer to pay for the item they are purchasing, hence stealing money from the consumer.

As reliance on QR code technology grows, cybercriminals are taking note. These codes could offer an entryway to potential cyber-attacks because they don’t provide visibility into the webpage, application etc., behind them. Instead, they automatically redirect users to webpages, app stores to download apps, make payments and more, which provides cybercriminals with opportunities to insert themselves into the process.

During the pandemic, Unit 42 by Palo Alto Networks observed cybercriminals in underground online forums discussing ways to abuse QR codes and target the everyday consumer. The intelligence team also found open-source tools and video tutorials offering training on conducting attacks using QR codes.

There are several ways cybercriminals could leverage QR codes for their own malicious objectives:

  • BEC: Bad actors may put QR codes in phishing emails to get employees to visit dangerous websites. Unsuspecting employees may be tricked into divulging confidential information about themselves and the company. Unit 42 Incident Response Report 2022: BEC was among the top two attacks responded to, accounting for approximately 34% of all incident response cases.
  • Malware that runs on Java can be downloaded in the background without your knowledge. Now that the malware has access to your device, it can open backdoors to let more malware in or steal personal information and send it to the attackers so they can use it to steal your identity or sell it on the Dark Web. Malware can also be used to track your location, open your webcam, access the device’s location, or steal your contact list.
  • Honeypot – Threat actors could set up an unsafe Wi-Fi network promising free internet to anyone that scans their QR code. Once a device is connected, hackers can eavesdrop or intercept the data being shared, and steal personally identifiable information, confidential business information, online banking credentials, and credit card information.
  • Hacking into a business’s website and replacing the QR code with their own. Scanning this code could automatically route unsuspecting consumers to a phishing URL, where cybercriminals could request user credentials and then take control of email or other accounts.
  • Leading users to a less legitimate app store, prompting them to unknowingly download a malicious app containing a virus, spyware, trojan, or another type of malware, which could lead to data theft, privacy breach (GPS or contact list stolen, calls/messages being intercepted), ransomware extortion, or sometimes crypto mining.
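The common thread in the list above is that a QR code hides its destination until the phone has already acted on it. As an added example (not code from the interview, Palo Alto Networks or WhatsApp), the following Python triages the raw string a scanner decodes before anything is opened: it classifies the payload (web URL, Wi-Fi join, app store link, Android intent, plain text) and returns the risk flags a user or a corporate scanning app should be shown first. The shortener host list and the redirect parameter names are constructed assumptions, as are the sample payloads.

```python
"""Triage of decoded QR payloads before a user acts on them (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

# Constructed shortener list for illustration; a deployment keeps its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

# Query parameters that commonly carry a second destination, i.e. the
# automatic-redirect behaviour described above (assumed names).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "goto", "dest"}


@dataclass
class QrTriage:
    kind: str                 # "url", "wifi", "app_store", "intent" or "text"
    target: str               # host, SSID or raw text the user should be shown
    flags: list = field(default_factory=list)


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _triage_url(payload: str) -> QrTriage:
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    t = QrTriage(kind="url", target=host)
    if parts.scheme != "https":
        t.flags.append("not_https")
    if parts.username is not None:
        # "https://bank.example@evil.example/" shows a trusted-looking name
        # before the real host; browsers follow the part after the "@"
        t.flags.append("userinfo_in_authority")
    if _is_ip_literal(host):
        t.flags.append("ip_literal_host")
    if any(label.startswith("xn--") for label in host.split(".")):
        t.flags.append("punycode_host")
    if host in SHORTENER_HOSTS:
        t.flags.append("url_shortener")
    if REDIRECT_PARAMS & set(parse_qs(parts.query)):
        t.flags.append("embedded_redirect")
    return t


def _triage_wifi(payload: str) -> QrTriage:
    # Wi-Fi QR format: WIFI:T:WPA;S:MySSID;P:secret;H:false;;  (fields optional)
    fields = {}
    for item in payload[len("WIFI:"):].split(";"):
        if ":" in item:
            key, _, value = item.partition(":")
            fields[key.upper()] = value
    t = QrTriage(kind="wifi", target=fields.get("S", ""))
    # Joining any network from a scanned code is the honeypot case above
    t.flags.append("joins_wifi_network")
    if fields.get("T", "").lower() in ("", "nopass"):
        t.flags.append("open_network")
    return t


def triage_qr_payload(payload: str) -> QrTriage:
    """Classify a decoded QR string and return the flags to surface to the user."""
    p = payload.strip()
    lower = p.lower()
    if lower.startswith("wifi:"):
        return _triage_wifi(p)
    if lower.startswith(("market://", "itms-apps://", "itms-appss://")):
        return QrTriage(kind="app_store", target=p, flags=["opens_app_store"])
    if lower.startswith("intent://"):
        return QrTriage(kind="intent", target=p, flags=["android_intent"])
    if lower.startswith(("http://", "https://")):
        return _triage_url(p)
    return QrTriage(kind="text", target=p)


if __name__ == "__main__":
    for sample in (  # constructed payloads
        "https://shop.example/pay?order=42",
        "http://bit.ly/abc123",
        "https://bank.example@203.0.113.9/login?next=https://evil.example",
        "WIFI:T:nopass;S:Free Airport WiFi;;",
    ):
        r = triage_qr_payload(sample)
        print(f"{r.kind:9} {r.target!r:40} {r.flags}")
```

The check deliberately flags every Wi-Fi join and every app-store link rather than trying to judge them, because the interview's point is that the scan itself gives no visibility; the decision should go back to the person holding the phone with the real host or SSID displayed.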

How can users identify and protect themselves from WhatsApp payment scams?

  • Never hand over security codes, a password or a PIN to anyone – not even friends or family. This includes the user’s WhatsApp account 6-digit activation code, mobile phone PIN, email password, etc.
  • Be very wary of messages from loved ones asking for money. Pause and think promptly before giving out any money or personal information, especially when you receive messages randomly.
  • When in doubt, call a friend or family member to check. Verify the person’s identity by asking for something personal that only you know – anything from a nickname to a pet’s name.
  • Set up the two-step verification option for extra security.
  • Beware of a sense of urgency. When you sense that there is an urgency or time limit to respond or you will be charged a fine, take that as a red flag.
  • Look for spelling or grammatical mistakes, as scam messages often have them.
  • Report spam messages or block a sender you believe is trying to scam you.

What are the best practices that businesses and banks can follow to enhance their security features in this regard?

As cyberattackers’ techniques become more sophisticated, we recommend that businesses and financial service providers:

  • Build customer trust and enhance anti-fraud measures by including customer education as part of their security strategy. Special care should be given to groups like the elderly, who may be more susceptible to fraud as new users of digital banking platforms.
  • On the backend, financial services providers need to integrate security into all stages of the software delivery process and ensure they have visibility on their entire API ecosystem. In addition, they also need to implement API security to their inventory and assess the security of external-facing APIs.
  • Monitoring and addressing any anomalous activities within API interactions is also vital. Moreover, financial service providers may need to consider a consolidated solution of AI, machine learning, automation, and data analytics to counter cyberattacks.
  • Conduct cyber awareness training for employees to educate them on cybersecurity best practices. These include using strong and unique passwords for both personal and work accounts, setting up MFA, and identifying phishing emails as well as unsafe virtual environments. Cyber awareness training will equip employees with the essential knowledge to make sensible decisions, lowering the risk of attackers gaining access to any personal and corporate networks, devices, and data.
  • Cybersecurity is a shared responsibility between digital providers, businesses, and individuals. We recommend the perspective of “zero trust, zero exceptions”, where organizations are encouraged to secure a network by eliminating implicit trust and continuously validating at every stage of digital interaction.
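The two backend recommendations above, inventory and visibility of the API estate and monitoring for anomalous activity within API interactions, are easiest to make concrete with a small detector. As an added example (not Palo Alto Networks', WhatsApp's or Stripe's code), the Python below reads constructed JSON-lines access log records for a hypothetical fintech API and flags two patterns an API owner should monitor: one source failing logins for many distinct usernames against the login endpoint (password spraying), and one authenticated user reading many distinct account identifiers in a short window (account enumeration, which usually precedes account takeover or data theft). The log format, endpoint paths, field names and thresholds are all assumptions for the example.

```python
"""Anomaly detection over API access logs (added example, constructed data)."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Assumed thresholds; tune against the real traffic profile of the API.
SPRAY_MIN_USERS = 5       # distinct usernames failing from one source
SPRAY_MAX_SUCCESS = 0.2   # success ratio above which it is not treated as a spray
ENUM_MIN_ACCOUNTS = 4     # distinct account ids touched by one user
WINDOW_SECONDS = 300      # fixed 5-minute buckets

ACCOUNT_PATH = re.compile(r"^/v1/accounts/([A-Za-z0-9-]+)")

# Constructed log lines: one spraying source, one enumerating user, one normal user.
SAMPLE_LOG = """
{"ts": "2023-08-01T10:00:01+00:00", "src": "198.51.100.7", "user": "alice", "path": "/v1/login", "status": 401}
{"ts": "2023-08-01T10:00:03+00:00", "src": "198.51.100.7", "user": "bob", "path": "/v1/login", "status": 401}
{"ts": "2023-08-01T10:00:05+00:00", "src": "198.51.100.7", "user": "carol", "path": "/v1/login", "status": 401}
{"ts": "2023-08-01T10:00:07+00:00", "src": "198.51.100.7", "user": "dave", "path": "/v1/login", "status": 401}
{"ts": "2023-08-01T10:00:09+00:00", "src": "198.51.100.7", "user": "erin", "path": "/v1/login", "status": 401}
{"ts": "2023-08-01T10:00:11+00:00", "src": "198.51.100.7", "user": "frank", "path": "/v1/login", "status": 200}
{"ts": "2023-08-01T10:01:00+00:00", "src": "192.0.2.10", "user": "grace", "path": "/v1/login", "status": 200}
{"ts": "2023-08-01T10:01:05+00:00", "src": "192.0.2.10", "user": "grace", "path": "/v1/accounts/acc-1001", "status": 200}
{"ts": "2023-08-01T10:01:06+00:00", "src": "192.0.2.10", "user": "grace", "path": "/v1/accounts/acc-1002", "status": 200}
{"ts": "2023-08-01T10:01:07+00:00", "src": "192.0.2.10", "user": "grace", "path": "/v1/accounts/acc-1003", "status": 403}
{"ts": "2023-08-01T10:01:08+00:00", "src": "192.0.2.10", "user": "grace", "path": "/v1/accounts/acc-1004", "status": 403}
{"ts": "2023-08-01T10:02:00+00:00", "src": "192.0.2.11", "user": "heidi", "path": "/v1/accounts/acc-2001", "status": 200}
"""


def parse_lines(lines):
    """Parse JSON-lines records and return them ordered by timestamp."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def _bucket(rec):
    return int(rec["ts"].timestamp() // WINDOW_SECONDS)


def detect_password_spray(records):
    """Return {src: distinct_users} for sources failing logins across many users."""
    attempts = defaultdict(lambda: {"users": set(), "ok": 0, "fail": 0})
    for r in records:
        if r["path"] != "/v1/login":
            continue
        a = attempts[(r["src"], _bucket(r))]
        a["users"].add(r["user"])
        a["ok" if r["status"] == 200 else "fail"] += 1
    findings = {}
    for (src, _), a in attempts.items():
        total = a["ok"] + a["fail"]
        if len(a["users"]) >= SPRAY_MIN_USERS and a["ok"] / total <= SPRAY_MAX_SUCCESS:
            findings[src] = max(findings.get(src, 0), len(a["users"]))
    return findings


def detect_account_enumeration(records):
    """Return {user: distinct_accounts} for users touching many account ids."""
    touched = defaultdict(set)
    for r in records:
        m = ACCOUNT_PATH.match(r["path"])
        if not m or r.get("user") is None:
            continue
        # 403s count too: denied reads are the strongest enumeration signal
        touched[(r["user"], _bucket(r))].add(m.group(1))
    findings = {}
    for (user, _), ids in touched.items():
        if len(ids) >= ENUM_MIN_ACCOUNTS:
            findings[user] = max(findings.get(user, 0), len(ids))
    return findings


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG.splitlines())
    print("password spraying sources:", detect_password_spray(recs))
    print("account enumeration users:", detect_account_enumeration(recs))
```

Both detectors key on fields that an API gateway already emits, which is why the inventory recommendation comes first: an endpoint that is not in the inventory is not in the log, and nothing above will see traffic to it.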

Lastly, can you shed some light on the modus operandi of payment scams that may emerge from international WhatsApp calls?

Recently, there have been reports of WhatsApp users receiving missed calls from international numbers, both audio and video. Users noticing these missed calls may be tempted to call or message back, particularly as the callers are seemingly coming from other countries.

It is essential to note that just because a call seems to be from an international number, it does not necessarily mean that the call’s origin is from that country. Nowadays, some agencies sell international numbers for WhatsApp calls.

These calls point to a phishing attempt to gain the user’s Personally Identifiable Information (PII), or other confidential data that can be used for the threat actor’s benefit. Upon noticing the missed call, users tempted to call or message back are socially engineered to give up confidential data, which is then used for the attacker’s benefit. This is similar to the Luna Moth Callback Phishing Campaign tracked by our threat intelligence team Unit 42 last year that relied heavily on fraud emails.

To prevent falling prey to such scams, users can employ the following mitigation strategies:

  • Block and report: Users must promptly ignore, reject, block, and report calls from suspicious numbers, especially those that terminate after a single ring.
  • Enable two-factor authentication (2FA): Enabling 2FA on WhatsApp adds an extra layer of security and privacy to account access.
  • Maintain vigilance: Users should stay informed about the latest scams and exercise caution while using WhatsApp. Being aware of such scams can prevent them from falling prey to the attacker’s techniques.
  • Update phone software regularly to incorporate the latest security patches and protect against any potential vulnerabilities and exploits.
  • Deploy security solutions, such as antivirus and anti-malware software.
  • Enhance password security: Adopt password guidelines that thwart password spraying attacks by using a combination of unique characters, numbers, and letters.


Mark Ko

Besides tech, I love chicken rice. Point me in the right direction and I'll go and try it. :)