In the “WhatsApp theft” modality, cybercriminals usurp the identity of a real user. With that user's contact list in their possession, they generate a chain of scams that are simple in how they work but no less harmful: they convince friends of the impersonated contact to transfer money, or offer to sell them dollars.
The most used message is that the real owner of the account “needs it urgently” and cannot connect to their virtual banking or home banking. The friends think they are helping and transfer money (to the scammers, of course) to the bank account sent to them via WhatsApp. The sum is immediately redirected to another account to be withdrawn.
In the modality that offers an “opportunity to buy dollars”, the subsequent circuit is identical: the transfer to a bank account, and from there to another, until the transferred money is withdrawn. Needless to say, the dollars never reach the recipient.
The Argentine Association for the Fight Against Cybercrime (AALCC) explains that, for the technique of "digital identity theft", it has recorded in recent months "a flow of 200 to 300 daily complaints, which is quite a lot," laments Luis Nocera, its president. He affirms that the use of WhatsApp for this modality “is new, it started strongly in the post-pandemic.” But cybercrime on this scale took hold during the Covid lockdown.
Its complexity lies in the anarchy and spread of virtual operations. So much so that, when the banks began their prevention campaigns – the first was Banco Provincia de Buenos Aires – “the massiveness was already such that it was very difficult to approach it,” explains a banking source. This is how what is known today as “identity substitution crime” was born, a crime that, like Covid, has spread and infected all the countries of the world.
The modus operandi
The scam begins with a phone call from a stranger posing as a bank or state agency. The most common pretext is: "I am from the Ministry of Health, I am calling about the vaccination appointment". This intensified before the campaign for the fourth dose of the Covid-19 vaccine. The unsuspecting user answers and the cybercriminals' work begins: while they keep the user talking, they place another call so that it goes to the cell phone's voicemail. "That's how they take control of your WhatsApp," explains a Channel 9 cameraman who had "that misfortune." "Several friends sent the money and it was a journey that I prefer to forget about because it generates a barbaric mess, anguish and anger," he recalls.
The journey includes blocking accounts, notifying contacts and filing reports. But waiting for the judicial process exasperates the defrauded. Six to eight months can pass before the investigation progresses. Such is the average in the CABA Prosecutor's Office, which has "one of the best laboratories for digital crimes in the country," the AALCC explains.
Although when digital theft began the scam consisted of “getting the key from a bank account”, today they “ask” for money on behalf of a friend. By accessing the contacts and copying the WhatsApp image, they can start the fraud. Or they steal a phone, see the contacts and review the conversations to decide how to operate. They gather social intelligence from open sources such as Instagram (associated with Facebook or WhatsApp), where it is possible to see the contacts. “Or they usurp a phone number because WhatsApp, like any system, has vulnerabilities. They find them and use them,” says Nocera.
Get the money back?
“Get the money back? Impossible, forget it!” says another victim of fraud. There are a few cases where people “for ethical reasons” decide to “return the money to the abused friend in his good faith”. "I prefer to sleep peacefully, that's why we decided it that way with my husband," says a teacher who had two friends who were victims of the scam.
A few others have been able to recover the money through the banking system. Although the bank sometimes grants the refund, both public and private banks admit that there is no regulation on the matter. “Once it is transferred, it is difficult to make the reversal since the scammer takes the money from that account, in general, within a few minutes of the event,” a source at a private bank explains. "The bank can decide the return to verify the scam," explains Nocera. Or it can appeal to "human error", and the case ends up in mediation at Consumer Protection.
The bank window
"The bank always blames the customer," reasons Nocera. Prosecutor Azzolín agrees: “The reality is that the banks are denying the possibility of returning the money. But it has a certain logic because the transfer is voluntary, albeit under deception, and the bank does not have strict liability.”
By "transferring money from your account to another without valid credentials," adds the prosecutor, "it is difficult to arbitrate the claim." Although he refuses to generalize, Azzolín explains that the modality, “which is a crime and can be investigated”, finds its best defense in prevention: not giving out account passwords and using double validation to access the cell phone. "That doesn't stop someone from creating a new account and mimicking your identity," he admits. This is where the new crime wave is born.
The AALCC maintains: "There is a legal vacuum in the face of this digital scam." However, from the UFECI, prosecutor Azzolín is emphatic: “Identity substitution is not legislated, but the reality is that these types of maneuvers are associated with fraud. The main thing then is fraud. And in the face of that we do not have a legal vacuum.” Hence, the first recommendation is to report it: to the police, the prosecutor's office and the banks. This applies both to the user whose identity was stolen and to the victim of the money theft. Meanwhile, banks face complaints seeking to cancel transfers already made, although these are not as many as the frauds that occur.
The account "mules"
The scheme also involves account "mules". They are people who "lend or sell" their bank account so that the money from these crimes can be deposited in it. “Digital wallets are also being used,” private banking sources explain. That makes the police investigation difficult, the AALCC adds, “because some headquarters are in other countries and not all of them have cooperation agreements. A lot of time is wasted and any investigation can fail.”
The "mules" can be elderly people, or victims of another crime, since the scammers "use" their identity to open an account. In general this is done in inhospitable areas, which makes the search more complex because "in those places the security levels are not that high," says Nocera. And he adds: “They think about everything, a great intelligence job is done, and the worst thing is that most of these scams come from active cell phones within the prison services.”
Being alert and confirming the identity of the sender when we receive a message of dubious origin is the first barrier against these crimes. Once the fraud has been carried out, block accounts and social networks, and report it to the bank, the police and the prosecutor's office.
It is necessary to "strengthen the digital education of the population in general, alert about these scams, warn about the proper use of technologies by disseminating effective and simple recommendations, such as activating the two-step validation offered by the WhatsApp platform." The latter is the most effective way to block intruders from gaining entry to a cell phone.
In this sense, Banco Provincia insists on being attentive to who calls us and confirming the identity of the destination accounts with the people who request "help". Azzolín insists that since it is a crime that can be investigated, the problem “can be addressed socially, knowing that this maneuver exists and works, being alert. And also as internet users, be vigilant”.