What’s behind the spurt in WhatsApp missed calls?

“We are going to ask WhatsApp a simple question in the notice — what is the breakdown in your user sign-up mechanism that you are using to verify if a mobile number is genuine? If somebody has figured out a loophole, then plug that gap,” Chandrasekhar told The Indian Express. “You certainly cannot allow people to sign up on your platform using cloned mobile numbers.”

He added that the IT Ministry will work with the Telecom Department to ensure that platforms generating such cloned numbers are blocked in the country. “If a platform (WhatsApp) is allowing someone to operate with a fake mobile number, there is something fundamentally wrong in the way they are signing up people,” he added.

The scam typically involves defrauding unsuspecting people on platforms such as WhatsApp, where the victim, who responds to a missed call, is promised money for YouTube video likes or a positive Google review. The scammer makes initial payments to the victim, who is invited to join a group, typically on Telegram app. The victim is encouraged to “invest” small amounts for bigger payouts, but after a considerable sum has been invested, they are blocked from the group.

An investigation by The Indian Express and conversations with cybersecurity experts and “agents” – people who carry out the WhatsApp scams – have revealed that at the heart of this scam is a multi-million-dollar industry where fraudsters get their hands on international numbers, largely through three ways: 1) free access websites that generate virtual phone numbers of any country; 2) platforms that create such numbers for a fee that’s paid through cryptocurrency; and 3) a thriving ecosystem of people on platforms such as Telegram and eBay that generate such numbers.

One of the agents, who insisted on using Telegram for a conversation, explained some of the ways in which hundreds and thousands of fake WhatsApp accounts are generated and used to carry out fraudulent activities.

“There are publicly available free websites such as receive-smss.com, sms24.me, etc., that allow you to choose from phone numbers of any country and use them on services such as WhatsApp that require a one-time password (OTP) to start an account. On these websites, you can access the inbox associated with those numbers and can simply copy the OTP,” the person said, adding that there are other paid platforms too for more coordinated fraud groups.

The agent explained that the fraudster who intends to target multiple people doesn’t even need to manually call each of them. “There are a number of automatic dialer software where you can paste the entire database of phone numbers you want to target and the software will make automated missed calls to those numbers in one go,” the agent said.

Agents pointed out that with free websites, the error rate is higher since these offer publicly showcased numbers that anyone can use. “So, if someone is already using that number on WhatsApp, it becomes difficult to create an account,” one of them said, adding that that’s where the paid apps come in.

Experts and agents revealed that a small payment of around Rs 500 in Bitcoin or Ethereum earns the potential scammer a WhatsApp account with a phone number from a foreign jurisdiction.

One of the agents directed this correspondent to a platform called smscodes.io, through which phone numbers from a number of countries, including the US and UK, Poland, the Philippines, Indonesia and Mali, among others, could be created.

Apart from creating a phone number, the app also generated the OTP needed to create the business account on WhatsApp. “There is practically very little possibility that this number can ever be traced back to an individual,” the person said.

There are other apps that generate international numbers for a fee, including Phoner, TextNow and 2nd Line, some of which are directly available on play stores of Apple and Google.

Another route that fraudsters take to acquire these numbers is by buying them from one of hundreds of dealers on platforms such as Telegram and eBay. An investigation revealed that an international number can be bought for about Rs 100, with the price coming down further for purchases made in bulk.

An agent demonstrated how the WhatsApp business accounts are generated – within minutes, the agent had created a fake account using a US number, another account using a Poland number, and a third with a Philippines number.

A detailed questionnaire sent to WhatsApp on whether it was aware that its platform was being used by an ecosystem that created fake accounts to scam people and if it was working to strengthen its firewall remained unanswered till the time of publication of this report.

Cybersecurity expert Rajshekhar Rajaharia told The Indian Express that it is the sheer volume of users on WhatsApp that results in them getting exposed to coordinated scam groups.

“There are a number of forums on the dark web where hackers routinely share leaked information of users of various platforms, including their phone numbers and email addresses. Access to this information is typically ensured after paying a registration fee. WhatsApp is usually the first target (of the fraudsters) because of the sheer numbers of users the platform has, which includes a number of users who may not be as digitally competent and are more likely to fall for scams.”

“WhatsApp is a great funnel for scammers because it has more than 500 million users, a majority of whom also use the app almost everyday. That is very rare for other platforms – you do not check your Facebook, for instance, every day. Once a user has shown initial signs of falling for a scam, they are then asked to join services like Telegram. You can create a Telegram account without a phone number – unlike WhatsApp – so there is a far greater level of anonymity on that platform,” said the agent.

Experts also pointed to holes in WhatsApp’s security systems. “For people in that industry, it is not very difficult to procure an international number. That, however, is only a small part of it. The real issue is WhatsApp allowing calls from unknown numbers,” said Anand V, cybersecurity expert and co-founder of Deepstrat, a think tank which has done extensive research on fintech scams.