KUALA LUMPUR, Sept 27 — Cybersecurity experts from Kaspersky are urging WhatsApp users to be vigilant against a new phishing scam that hijacks accounts through fake online voting contests.
The scam lures victims to a fraudulent website that convincingly mimics a legitimate voting platform, often featuring photos of athletes and live vote counters to appear authentic.
Users are then prompted to “authorise” their participation by entering their WhatsApp-linked phone number.
Attackers use this number to request a one-time login code from WhatsApp Web, and the phishing site's interface then prompts the victim to enter that code.
Once the user enters the code, attackers gain full control of the WhatsApp account, allowing them to read private conversations and send messages impersonating the victim.
“We see that online contests that include voting are very popular now, and this is used by attackers who exploit trust in this seemingly harmless activity,” said Tatyana Shcherbakova, a web content analyst at Kaspersky.
“By combining social engineering with convincing fake interfaces, attackers are weaponising user engagement to steal sensitive data.”
To protect against this and similar attacks, Kaspersky strongly advises all users to enable two-step verification on their WhatsApp accounts, which requires a user-created PIN for any new login attempt.
Users should also avoid entering personal details on suspicious websites and always verify the legitimacy of URLs before interacting with them.
Crucially, users should never share verification codes with anyone, as WhatsApp will never legitimately ask for them through external platforms or messages.