Municipalities are reporting an increase in attempted WhatsApp fraud to the information security service (IBD) of the VNG. Earlier, the police and the Openbaar Ministerie (Public Prosecution Service) warned of an increase. Criminals can use a six-digit code to take over a WhatsApp account, abusing the procedure intended for people who have a new phone and want to transfer their account. The IBD provides some advice to prevent civil servants, politicians or administrators of municipalities from becoming victims.

After the criminals take over the account, they can send messages on behalf of the victim to all contacts in the account. They also receive all new messages intended for the victim. The criminals seem intent on making quick money; we have no indication that they are interested in the information or that this is a targeted action against municipalities. In the information security threat assessment of Dutch municipalities, we would classify this threat as untargeted and intentional.
The IBD offers some advice to prevent municipal officials, politicians or administrators from becoming victims.
When WhatsApp is first installed, the program asks for the phone number. To verify that it is correct, WhatsApp sends a text message with a six-digit code to the phone number entered.
Criminals enter the victim's number, immediately after which the victim receives a text message with the code.
Shortly before or after this message, the victim is contacted by phone or WhatsApp.
This person starts a chat, for example about an ad on a well-known trade website ("Do you still have X for sale? I'm interested!").
Then the victim receives a message saying he or she accidentally received a code. "The code was actually meant for me. Would you mind forwarding it?"
With this code, the criminals take over the victim's WhatsApp.
Never share the registration code or your PIN for two-step verification with others.
Enable two-step verification. You can find this setting in the menu under Settings > Account > Two-step verification.
Set a PIN and add an email address in case you forget the code.
Pay attention to who has physical access to the phone. Someone who has physical access to your phone can use your WhatsApp account without your permission.
What should you do if you are a victim?
Report the situation directly to your CISO.
Restore access to your own WhatsApp account. For more information, read the instructions on the WhatsApp website.
If the perpetrator enabled two-step verification, you may have to wait seven days to regain access to your account.
Regardless of this verification code, the other person will be logged out of the account as soon as you enter the six-digit SMS code.
Inform your contacts that your account has been taken over and warn them of possible scam attempts.
File a police report.
