WhatsApp scams: What they are and how to stay safe

WhatsApp has over three billion users who exchange over 140 billion messages every day—and this makes it a prime hunting ground for cybercriminals. From fraudulent “urgent” pleas to too-good-to-be-true crypto offers, scams on WhatsApp are booming, and they’re getting smarter.
This guide breaks down exactly how WhatsApp scams work, why they succeed, and the steps you can take today to avoid becoming a victim.
What are WhatsApp scams?
WhatsApp scams are fraudulent messages, calls, or links delivered through the app with one goal: tricking you into handing over money, personal data, or account access. They range from obvious “You’ve won!” spam to highly tailored social-engineering ploys that can fool even tech-savvy users.
Why do scammers target WhatsApp users?
Here are the key reasons that WhatsApp is irresistible to fraudsters:
- Huge audience, low cost, high return: With more than three billion monthly users, WhatsApp gives criminals scale and access to users with varying levels of technical knowledge. A scammer doesn't need a high success rate to be profitable—even if only a tiny fraction of recipients fall for a scheme, that can add up to thousands of victims.
- Trust factor: WhatsApp is built for personal communication with family and friends, creating a circle of implied trust. Scammers exploit this by sending messages pretending to be a loved one in distress. This personal context lowers a victim's natural defenses, making them more likely to react emotionally and overlook red flags they might notice elsewhere.
- Cross-border anonymity: Internet telephony, such as virtual phone numbers and call masking, can hide the scammer’s real number, complicating law enforcement efforts.
- False sense of security from encryption: Scammers benefit from the widespread belief that WhatsApp is completely safe. Users may think the person contacting them must be legitimate if the communication is on an “encrypted app.” But scammers operate within the encrypted environment, making the content of their messages, not the transmission, the weak point.
- The immediacy and directness of the platform: Unlike email, which can feel formal and is often filtered for spam, WhatsApp messages arrive instantly on a user’s phone, often with a notification. This creates a sense of urgency. Scammers use this to their benefit, pressuring targets into making quick decisions before they have time to think.
- Ease of multimedia and link sharing: Scammers can easily send images, videos, and official-looking documents to make their stories more believable. For example, a fake job offer might come with a convincing-looking PDF of a contract.
The role of end-to-end encryption in scams
End-to-end encryption converts your messages into a scrambled code on your device, and only the intended recipient's device has the unique key to decipher it. This means no one in between—not internet providers, not government agencies, and not even WhatsApp itself—can read your chats or listen to your calls.
While this is excellent for protecting your conversations from being intercepted, that same technology creates a secure channel for criminals to operate, shielded from the platform’s view.
Because your message content is unreadable to anyone but you and the recipient, the platform cannot automatically scan chats for fraudulent links or malicious text. The responsibility for detection falls entirely on the recipient.
Action is only taken after a person is targeted and decides to file a report. When you report a contact, your device forwards the five most recent messages from that chat to a moderation team for review. And even then, moderators see only metadata, not message content.
While this data helps them spot patterns of abuse, they have no visibility into a scammer's other activities until another report is made. This reactive model means bad actors can operate until they’re flagged.
Main goals behind WhatsApp scams
1. Financial theft
This is the most straightforward goal, often executed through impersonation scams. A criminal posing as a family member in an emergency, for instance, creates a sense of urgency to bypass critical thinking. They might also use romance scams, building a relationship over weeks before fabricating a crisis that requires financial assistance. The methods are designed to exploit emotion for a quick payout.
2. Account takeover
A stolen WhatsApp account is valuable because it can be used to scam the victim’s entire contact list with a high degree of trust. Criminals also sell account credentials on dark web marketplaces, where other fraudsters buy them for their own schemes.
3. Identity theft
Scammers often lure you into sharing sensitive documents—scanned passports, driver’s licenses, or selfies holding your ID—under the guise of “verification” or “trust-building.” It’s a popular method with job offer and fake employer scams.
This information is used for sophisticated crimes like opening bank accounts or lines of credit in your name, applying for government benefits, or creating verified accounts on cryptocurrency exchanges for money laundering. This type of WhatsApp fraud can be difficult to detect and can damage your reputation and financial standing for years.
4. Malware distribution
Scammers use WhatsApp’s convenient file and link sharing to deliver malware straight to your device. The goal here is total data compromise. Common tactics include:
- Malicious APK files or “upgrades” sent as “WhatsApp Video Player” or “Document Viewer” attachments. Tapping the download link installs spyware that logs keystrokes or steals files.
- Malicious files masquerading as PDF invoices, image files, or voice notes. Once opened, they can execute harmful code on your device.
- QR codes shared in chats that, when scanned, redirect you to malicious sites that can download malware to your device or steal your data.
5. Contact harvesting
Before launching a scam, criminals need a list of potential targets. One goal of an initial attack might simply be to harvest a WhatsApp user's entire contact list. By tricking someone into installing a malicious app or visiting a fake site, a scammer can scrape the phone numbers of their friends, family, and colleagues. This provides a fresh, verified list of numbers for future scams.
6. Spreading disinformation
Sometimes the goal isn't to steal money or data, but to spread false or misleading information. A criminal or state-sponsored actor might take over accounts or use automated bots to blast propaganda, fake news, or market manipulation narratives to a huge audience. On a platform like WhatsApp, where information is often shared among trusted contacts, disinformation can spread rapidly.
How scammers adapt to trends
Scammers are opportunistic and constantly update their tactics to reflect current events, trends, and technological advancements. Their goal is to create schemes that feel relevant and urgent, increasing the likelihood that a target will engage with them. This adaptation typically happens in two main ways: changing the story and changing the method.
Adapting the story
A scam’s narrative is often tied directly to major news headlines, cultural moments, or economic conditions:
- Newsjacking: When a topic dominates the news, scams follow. A cryptocurrency bull run leads to a surge in “crypto investment” schemes. A major political election triggers waves of disinformation campaigns and fraudulent donation requests.
- Tech releases: The launch of a highly anticipated product, like a new iPhone, is a predictable opportunity for criminals to send fake giveaway links and bogus surveys designed to harvest personal data from enthusiastic consumers.
- Economic stress: In times of high unemployment, there is a corresponding spike in fake job scams. These offers promise easy, high-paying remote work to prey on financially vulnerable people.
- Global and seasonal events: Scammers use events like the Olympics or Black Friday to create fake ticket offers, travel packages, and retail deals. Likewise, tax season prompts criminals to impersonate tax authorities to extort payments.
- Disaster fraud: When a natural disaster occurs, fake charity websites and donation links appear almost immediately, exploiting the public’s goodwill to divert funds from legitimate victims.
Adapting the method
Beyond just updating their narratives, criminals incorporate new tools to make their scams more convincing.
A good example is the adoption of artificial intelligence (AI). Scammers can now use AI to generate highly realistic but fake pictures and videos (deepfakes) or to write more persuasive, error-free messages.
They can even create “voice clones” from small audio clips found online. This allows them to send a WhatsApp voice note that sounds exactly like a victim's family member, making impersonation scams far more difficult to detect.
Common types of WhatsApp scams
Below are 15 of the most common WhatsApp scams—learn the red flags so you can spot the next scam before it hits.
1. Verification code scams
You receive an SMS or in-app prompt: “Your WhatsApp code is 827-449. Do not share with anyone.” Immediately after, a “friend” messages, “Hey, I sent my code to your phone by mistake—can you tell me what it is?” Sharing that code lets the attacker register your WhatsApp on a new device and lock you out—an instant account takeover.
🚩Red flags
- Unsolicited verification SMS
- Urgent request for the six-digit code
2. Crypto investment scams
A stranger claims they made “10× profits” trading Bitcoin on a new platform and offers to “mentor” you. They shepherd victims into Telegram or shady websites, then vanish once you transfer funds to them.
🚩Red flags
- “Guaranteed returns” promised
- Pressure to act fast or miss out
- Requests to move chat off WhatsApp
3. Romance and catfishing scams
Scammers often build weeks-long relationships with victims on WhatsApp, creating trust before inventing a crisis: for example, “My wallet was stolen; can you wire $300 so I can fly home?”
This grooming phase is designed to lower the victim's defenses by building a deep, manufactured sense of trust and intimacy. This makes the eventual request for money feel like helping a real partner through a crisis, rather than a transaction with a stranger.
A more sinister variation adds a layer of sextortion: the scammer will steer the conversation toward intimate photos or video chat. Then they threaten to share the compromising material with your contacts unless you pay up, usually in hard-to-trace cryptocurrency.
🚩Red flags
- Refusal to video chat or meet in person
- Financial requests framed as emergencies
- A new contact who quickly steers the chat in a sexual direction
4. Impersonation scams (“mom and dad”)
An example of this kind of scam is a message like “Hi Mom, dropped my phone. This is my new number—can you send rent money today?” The criminal counts on parental panic to override skepticism.
🚩Red flags
- New number claiming to be a close relative
- Plea for urgent bank transfer or gift cards
- Excuses for why they can’t call live
5. Fake lottery and giveaway messages
The message reads something like, “You’ve won a $1,000 Amazon gift card! Click to claim.” The link leads to a phishing site that harvests personal and credit card data.
🚩Red flags
- You never entered the contest
- URL full of random characters
- Up-front “processing fee” to release the prize
6. Gift card and coupon scams
Forwarded graphics promise generous gift vouchers in exchange for completing a short survey—but the form collects your email, birth date, and phone number for future spam or identity theft attempts.
🚩Red flags
- Requires sharing with “20 contacts” to unlock
- Domain name misspells the real brand
- Countdown timer pressuring instant action
7. QR code and malware links
Scammers send QR codes that, when scanned, open a malicious site or auto-download spyware on your phone. One tap can also grant the attacker broad device permissions. For example, some QR codes are designed to link the scammer’s device to your WhatsApp Web session—known as session hijacking or “QRLJacking”—giving them a live view of your incoming and outgoing messages.
🚩Red flags
- QR code arrives out of context
- Sender urges you to scan immediately
- The browser warns, “File may be harmful”
8. Wrong number scams
A polite stranger starts small talk—“Sorry, is this Rachel? My mistake!”—then slowly steers you toward crypto “advice” or romance grifts. This technique is the start of a tactic sometimes called “pig butchering.” The term refers to the scammer’s process of “fattening up” a victim with weeks of friendly conversation and trust-building before convincing them to buy into the scam.
🚩Red flags
- Flattery and rapid trust-building
- Promises of side-income or investment tips
- Reluctance to answer direct personal questions
9. Call forwarding attacks
You receive a message that’s designed to trick you into dialing a code like *21phone-number***. But when you do, this forwards all calls (including WhatsApp verification calls) to the scammer, who then hijacks your account.
🚩Red flags
- Instructions to dial obscure service codes
- Claims it’s for “contest entry” or “to recover a WhatsApp account”
10. Job offer and fake employer scams
Victims receive messages about easy freelance gigs—“$200 a day just liking videos,” for example. A small upfront “training fee” or crypto deposit is required, but after payment, the recruiter disappears.
🚩Red flags
- Unrealistic pay for minimal work
- Upfront fees or requests for ID documents
- Gmail or free-mail addresses, not corporate domains
11. WhatsApp Gold and app upgrade frauds
WhatsApp is always free on official app stores—there is no paid or “premium” version. Yet scammers circulate viral messages promising “WhatsApp Gold” or exclusive “app upgrades” with extra themes, stickers, or features.
They often distribute these through forwarded chain messages containing a link to download an APK or IPA file. Installing the file can unleash adware that hijacks your browser, credential-stealing malware that captures your logins, or spyware that turns your phone into a monitoring device.
🚩Red flags
- Claims of secret “premium” features or early-access upgrades
- Instructions to forward the message to multiple contacts to unlock the download
- URL not from Google Play Store or Apple App Store, where the real WhatsApp is hosted
12. Fake charity donation requests
After natural disasters, scammers pose as aid groups, sharing heart-wrenching images and asking for PayPal or crypto donations. Of course, if you make a donation, it goes straight to the scammer, not to the disaster victims.
🚩Red flags
- Emotional pleas plus urgency (“Families need food tonight!”)
- Personal wallets instead of NGO websites
- No verifiable registration number or receipts
13. Survey and reward scams
In survey and reward scams, you receive a WhatsApp message saying something like, “Congratulations! You’ve been selected for a quick 3-question survey and a chance to win an iPad!” The link leads to a form that asks basic questions (age, email, phone number) before claiming you’ve won a prize.
To “release” it, you’re typically asked to pay a small shipping or handling fee via gift card, mobile top-up, or cryptocurrency. Behind the scenes, your responses feed fraud rings, and your payment disappears with no iPad ever delivered.
🚩Red flags
- Generic branding (“Global Market Research”)
- Mandatory forwarding to contacts
- Shipment fees for “free” prizes
14. E-commerce order confirmation scams
A message claims your recent Amazon order (that you never placed) has been shipped, with a link to “review or cancel.” It leads to a fake login page that harvests your Amazon credentials.
🚩Red flags
- Reference numbers that don’t match any real order
- The sender address isn’t the merchant’s verified business account
- URL misspells the retailer’s name
15. Technical support scams
A message, often with a fake WhatsApp or Meta logo, claims there is a problem with your account (e.g., “suspicious activity detected” or “your version is outdated”). It instructs you to click a link to verify your identity or update the app to avoid account suspension. The link leads to a phishing page to steal your login credentials.
🚩Red flags
- Claims to be from WhatsApp official support (they rarely contact users directly this way)
- Threat of account suspension or deletion
- Asks for your password or verification code to “secure” your account
How to protect yourself from WhatsApp scams
Staying safe on WhatsApp boils down to a mix of vigilance, smart privacy settings, and good digital hygiene. Use the checklist below to close the loopholes scammers exploit most often.
1. Recognize the red flags
- Urgent request message: Anything pushing you to act “right now” (pay, click, share a code) is almost always social engineering.
- Too-good-to-be-true offer: Free phones, guaranteed crypto profits, instant job riches, or salaries much higher than typical for the job—big promises, zero proof.
- Spelling or grammar slips: Professional brands rarely send sloppy copy. That said, with the prevalence of easy-to-access AI platforms, spelling and grammar are no longer the big giveaway they used to be.
- Odd payment methods: Watch out for gift cards, crypto, and “friends and family” PayPal transfers—these are all irreversible once sent.
- Requests to move off WhatsApp: Scammers prefer unmoderated channels like SMS once they hook you in.
- Refusal to talk live: If a contact claiming to be someone you know consistently has excuses for why they can't take a phone call or do a quick video chat, it is a massive red flag. This is also common in romance and catfishing scams, where a live conversation would be likely to expose the fraud.
2. Always verify the sender
There are a few fast ways to verify:
- Call or video-chat a known contact on their old number before trusting a “new phone” message.
- Reverse-image-search profile photos from unknown numbers to see if they appear on stock sites or dating profiles. But remember, AI-generated avatars and profile images can be brand-new, so use this alongside other checks.
- Check the business badge of the profile. Legitimate companies use WhatsApp’s verified green checkmark.
3. Never share personal or financial data
Treat WhatsApp like a postcard: if you wouldn’t print a detail on the front, don’t type it in chat. Scammers often start with small asks—birth date, mailing address—then escalate to banking info.
4. Keep WhatsApp and device software updated
Updates contain security patches that close loopholes—or exploits—that criminals actively use to deliver malware and compromise your device. The most effective way to stay protected is to turn on automatic updates within the Google Play Store, the Apple App Store, and your phone’s main system settings.
5. Lock down your WhatsApp privacy settings
Scammers often begin by gathering information from your profile. Limit what strangers can see by adjusting your audience settings in Settings › Privacy.
Here, set the following options to My Contacts instead of Everyone:
- Profile photo: Prevents unknown numbers from using your photo to create impersonation accounts or for identity theft.
- Last seen and online: Hides your activity patterns, making it harder for a scammer to know when you’re active or to create a believable story around your habits.
- About: Your “About” info can give away personal details, so restrict it to your contacts.
- Groups: This is a key one. Setting this to “My Contacts” prevents anyone from adding you to a group without your permission. This stops scammers from pulling you into large, fraudulent groups designed for crypto or investment scams.
6. Enable two-step verification (PIN)
Adding a six-digit PIN prevents account takeover, even if a scammer steals your SMS verification code. Follow these steps:
- Go to Settings › Account.
- Tap Two-step verification.
- Tap Turn on and create a PIN.
- Then, add an email address in case you forget your PIN. Enter the six-digit verification code sent to that email. Tap Verify.
- You’ll be asked for the PIN whenever you register WhatsApp on a new phone. WhatsApp will also regularly ask you to enter your PIN as a reminder.
7. Avoid clicking suspicious links or attachments
Long-press any URL to reveal the full link in your browser’s status bar—and don’t trust WhatsApp’s thumbnail preview, which a scammer can spoof. If the real domain looks off (misspellings, unexpected domains), don’t tap it.
When in doubt, you can copy the URL into a safe text editor or use an online link expander to inspect the true destination before proceeding. And on WhatsApp Web, you can hover over links and check the bottom-left status bar before clicking.
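The domain check described above (looking at the real destination for misspellings or unexpected domains) can also be done programmatically on a copied link. The following is an added example, not part of the original article; the `TRUSTED` list, the `inspect_link` helper and the sample links under the reserved `.example` domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the domains the reader actually expects to visit.
TRUSTED = ("whatsapp.com", "amazon.com", "paypal.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_link(url: str):
    """Return (host, verdict, reasons) for a link copied out of a chat."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    labels = host.split(".")
    reasons = []

    # "https://brand.com@other.host/" goes to other.host, not brand.com.
    if parts.username is not None:
        reasons.append("text before '@' is not the destination")
    # Punycode labels can render as letters that imitate a brand.
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label may display as lookalike letters")

    on_trusted = any(host == t or host.endswith("." + t) for t in TRUSTED)
    if not on_trusted:
        for t in TRUSTED:
            brand = t.split(".")[0]
            for label in labels:
                if brand in label:
                    reasons.append(f"'{brand}' used outside {t}")
                elif edit_distance(label, brand) <= 2:
                    reasons.append(f"'{label}' looks like a misspelling of '{brand}'")

    if reasons:
        verdict = "suspicious"
    elif on_trusted:
        verdict = "expected"
    else:
        verdict = "unknown"  # no lookalike signal, but not a domain you expected
    return host, verdict, reasons


# Constructed sample links; ".example" is a reserved TLD that never resolves.
SAMPLES = [
    "https://www.whatsapp.com/security",
    "https://amaz0n.example/order",
    "https://amazon.com.review-order.example/login",
    "https://www.paypal.com@login.example/disputes",
    "https://weather.example/today",
]

if __name__ == "__main__":
    for link in SAMPLES:
        host, verdict, reasons = inspect_link(link)
        print(f"{verdict:10} {host:35} {'; '.join(reasons)}")
```

An "unknown" verdict only means no lookalike pattern was found; the link still points somewhere you did not expect and deserves the same caution.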
What to do if you’ve been scammed on WhatsApp
After a scam, it’s crucial not to panic but to act fast. Follow the steps below to minimize the damage.
1. Stop all communication immediately
Block the scammer’s number, plus any backup profiles they shared. Don’t argue; anything you say gives them data to exploit. Just click Menu (⋮) and choose Block or Report.
ExpressVPN tip: Keep your VPN connected while you report the scammer. This means your real IP stays hidden, so the scammer can’t trace your location even if they’re still watching your traffic.
2. Take screenshots and save evidence
Screenshot or export the entire chat—messages, voice notes, images, phone numbers, transaction receipts, and URLs. Save files to an encrypted cloud drive or USB stick.
3. Report the account to WhatsApp
Open the chat, tap Menu (⋮) › More › Report, and forward at least five recent messages when prompted. Reporting also trains WhatsApp’s filters, helping remove similar scams before they reach others.
4. Notify local authorities or cybercrime unit
In cases of financial loss, many banks and credit bureaus need a case number before they’ll reverse fraudulent charges. In the U.S., you can report the scam to the Internet Crime Complaint Center (IC3)—https://ic3.gov. In the UK, contact Action Fraud at https://actionfraud.police.uk.
Whatever country you’re in, you can do an online search to find the relevant details for the authorities to report to.
ExpressVPN tip: Make sure your VPN is connected when filling out and submitting these report forms, especially on hotel or public Wi-Fi, so personal details travel through an encrypted tunnel and can’t be intercepted.
5. Inform your bank or financial institution
Call the number on the back of your card, explain you were scammed via WhatsApp, and request a freeze or chargeback. If you paid with PayPal, open a dispute in the Resolution Centre (https://paypal.com/disputes).
For wire transfers, contact the service’s fraud hotline and ask that a fraud alert be placed on your account so unusual activity is flagged instantly.
6. Change passwords and enable MFA
Prioritize accounts by their impact. Start with your email—the recovery hub for everything else—then secure banking, move on to cloud storage with personal documents, and finally lock down social media profiles.
Remember to use long, unique passwords or passphrases and save them in a dedicated password manager such as ExpressVPN Keys.
You can also add app-based two-factor authentication (e.g., Microsoft, Google Authenticator, or Authy) to all accounts that offer it, so a stolen password alone is useless.
7. Scan your device for malware
If you’ve clicked a malicious link or scanned a shady QR code, it’s possible that your device is infected with malware. To find and remove any threats, use a reputable antivirus tool to run a full scan of your system.
8. Report to national consumer protection agencies
Adding your case to national databases helps investigators link cybercrime patterns and forces companies to tighten anti-fraud measures.
- U.S.: Federal Trade Commission – https://reportfraud.ftc.gov.
- EU: Contact your local Data Protection Authority.
- Global: Find relevant bodies via https://consumerinternational.org.
9. Warn your contacts
If your account was compromised, the scammer now has access to your entire contact list. They will likely start impersonating you to scam your contacts immediately.
Use another method (like SMS, email, or a phone call) to warn your key contacts. Let them know your WhatsApp account was taken over and to ignore any messages from it asking for money or information.
FAQ: Common questions about WhatsApp Scams
Is WhatsApp secure to use?
WhatsApp employs end-to-end encryption, meaning only you and the person you chat with can read the messages. However, encryption can’t stop social engineering tricks, and it can help scammers to maintain their anonymity. To ensure strong account security, keep two-step verification on and never share SMS codes.
Can my WhatsApp be hacked?
Direct “hacks” are rare; most account takeovers come from human error—sharing a verification code, tapping a malicious link, or forwarding calls with a service code. Protect yourself by enabling a PIN, setting a strong phone lock, and being skeptical of unsolicited requests.
Why do I receive messages from unknown numbers?
Scammers often buy leaked phone lists or use auto-dialer bots to guess active WhatsApp numbers. Deleting random messages without engaging deprives them of confirmation that your number is valid. You can also block any new contact request.
Can I prevent strangers from messaging me on WhatsApp?
You can’t block first contact entirely, but you can restrict who sees your profile photo, “About,” and Status to your contacts only. This lowers your appeal to scammers, who are looking for open profiles to exploit. And if you do still receive unwanted messages, you can simply block the number (and report it, if necessary).
Is it safe to give a WhatsApp number to strangers?
Only if you’re comfortable with them seeing your profile info and potentially calling you. For sales listings or dating chats, consider alternative apps that hide your real number, or use a secondary SIM.
Can you trace a scammer from a WhatsApp number?
Law enforcement agencies can request metadata (like time stamps and IP logs) from WhatsApp via legal processes, but individuals typically can’t trace scammers on their own. Your best move is to preserve evidence and file a formal report.
Comments
Hello! Is there a course on these attacks? If we know how the attack works, we will defend ourselves better.