The Cyber Security Authority (CSA) has advised the public to maintain security consciousness whilst using their social media accounts to prevent takeovers from online scammers.
A statement issued by the Authority said the CSA had observed a worrying trend of increased reports of unauthorised access and online scams perpetrated through the takeover of social media accounts, particularly WhatsApp.
It said the compromised social media accounts were used to commit fraudulent activities such as investment fraud, online shopping scams, job recruitment scams, romance scams, and solicitation of funds, among others.
The statement said a second trend had to do with WhatsApp users being lured to expose their nudity over a video call with someone they thought they knew.
It said the session was recorded by the other party (or an associate) without the knowledge of the victim and then the malicious actor came back to extort money from the victim in exchange for not releasing the video.
The statement said a potential victim would either receive a call from an unknown number, or a message from a friend (whose social media account may have been compromised) requesting the victim to share a one-time password (OTP) (usually a 6-digit verification code) sent to the victim’s number as a text message.
It said the scammers applied social engineering, typically creating a sense of emergency and requesting the OTP that was sent to the victim.
The statement said the victim would thereafter lose access to the account after providing the scammers with the verification code.
It said the scammers, after gaining access to the victim’s account, then targeted persons and groups on the victim’s contact list as the next potential victims.
The statement said through this, the scammers would impersonate the victim’s friends and promote other fraudulent activities or solicit funds.
It said the scammers’ request would be on the pretext of helping them to join online groups such as work or school groups or sign up and claim prizes for fake lucky draws allegedly conducted or joined.
The statement said a potential victim would typically make a new friend on a social media platform such as Facebook.
It said eventually, the two parties would exchange WhatsApp numbers and the chats would continue over there, establishing a level of trust and familiarity.
The statement said after some time, a video call was initiated over which the victim ended up being persuaded to go nude.
“Unknown to them, the session is recorded by the other party. Some days afterwards, the other party (or an associate) will contact the victim indicating that they have these videos and will threaten to release them in public unless they receive a specified payment.”
“In some cases, the criminals will go ahead to share it online, provide a link (URL) to where it is and indicate it would only be taken down when they are paid. The demands typically do not end once the first payment is made,” it said.
The statement urged online users to enable ‘Two-Step Verification’ on WhatsApp.
This can be done by opening WhatsApp Settings. Tap Account > Two-step verification > Enable. Enter a six-digit PIN of your choice and confirm it. Provide a valid email address you have access to or tap Skip.
“Providing the email address is recommended. Otherwise, if you forget your PIN, you will have to wait 7 days before you can reset it. Tap Next. Confirm the email address and tap Save or Done,” it said.
The statement advised them to avoid initiating and/or participating in video calls of an intimate nature where nudity was displayed or sexually explicit acts were performed.
It said if victims received a ransom demand, they should not make payment but should instead report it immediately to the CSA’s Cybersecurity/Cybercrime Incident Reporting Points of Contact for guidance.
The statement urged them to never share their social media application account verification codes with anyone.
It said they should protect all their social media application accounts by enabling the ‘Two-Step Verification’ or ‘Two-Factor authentication (2FA)’ feature.
The statement said they should be aware of who had physical access to their phone, adding that if someone had physical access to their phone, they could use their account without permission.
It advised them to beware of unusual requests from strangers or even their social media contacts.
The statement asked them to be wary of claims that they had won a prize, especially if they had not participated in any campaign or lucky draw.
“Check official websites to determine whether the lucky draw offers are legitimate. Always verify the authenticity of the request by contacting your friend, but do not do so through the social media platform as the account might have been taken over by scammers.”
It urged them not to transfer money or give out personal information, bank account or credit/debit card details, and One-Time Password (OTP) to anyone, including family and friends.
“If you are contacted by anyone claiming to have images and/or videos of you of an intimate nature requesting a payment in exchange for not releasing them to the public, report it immediately to the CSA’s Cybersecurity/Cybercrime Incident Reporting Points of Contact for guidance. Do NOT make any payments.”
“The CSA has a 24-hour Cybersecurity/Cybercrime Incident Reporting Points of Contact (PoC) for reporting cybercrimes and for seeking guidance and assistance on online activities; Call or Text – 292, WhatsApp – 050 160 3111, Email – email@example.com.”