
Have you been targeted by scams on WhatsApp?

The personal messaging app is the most recent medium for scammers trying to steal your data. Here’s what to look out for.

Had a friend or family member share a deal that’s too good to be true with you on WhatsApp recently? If so, you’re not alone.

For most people, getting a message like this from someone they know well is more likely than not to be believed – and scammers depend on that trust.

We’ve seen a swathe of scams circulating on the personal messaging app WhatsApp which use big-name brands like Costa Coffee, Morrisons and Sainsbury’s to lure people into parting with their personal details.

Free cash?

These WhatsApp scams all feature promotional deals and competitions that are too good to be true, including a free £150 gift voucher, a free £120 gift card and a free £75 voucher to celebrate a brand birthday.

Here’s what the latest Morrisons and Sainsbury’s WhatsApp scams look like:

The message itself is written like an endorsement, often with emojis for an added personal touch.

As the URL shared in the message typically contains the name of a big-name retailer, it looks like a tempting offer from a trusted brand via a trusted source.

Clicking on the link in the message will usually take you to an online survey asking for your personal information, including your email, home address and phone number, before the free ‘prize’ or free ‘gift voucher’ can be sent to you.

Chain scam

When the survey is completed, you’re asked to select WhatsApp friends to share the deal with.

The promotional message and link are then sent to all of those contacts. The scam continues to grow.

If you see any scams like these, let us know so we can help raise awareness when they are happening.

So, have you seen any scams like these circulating on WhatsApp? What are your top tips for identifying whether a deal is genuine or a fake?


I seem to remember a similar scam via email a couple of years ago. Why would any organisation choose to give you a gift of substantial value? The tip is surely to simply ignore offers that are too good to be true. If you think there may be some reason you have been singled out for some very generous treatment then you can always email the donor at their known address and ask them.

I agree – if an offer sounds too good to be true, it is likely to be a scam.

That shouldn’t be new news, but many folk seem all too ready to believe everything they see on the internet.

It is a few years since I deleted WhatsApp, after a security problem was announced.

I just delete promotional material and anything saying that I have won a prize.

I avoid apps like WhatsApp, Twitter and Instagram much as I do Bubonic plague, rats and flea infestations.

Many companies and other organisations expect us to use Twitter, but they can carry on expecting as far as I’m concerned.

I’ve recently checked out a few of the Which? posts on Facebook. Whilst there was nothing wrong with the headline posts, the general standard of the replies and comments was quite poor, i.e. their signal to noise ratio was effectively zero.

A few years ago, I previously found that I did not like Twitter for exactly the same reason (but, at least, there is a clue in the name there).

It has long surprised me that some people are keen on Facebook, others keen on Twitter, others happy using both and a fair number would not touch either despite having no experience.

I do object to those companies who think that Twitter or online chat is an acceptable way of dealing with customers with problems.

Whatever means of communication, we all need to be vigilant about scams and it is a reasonable expectation that the service providers will do their best to protect us against problems that have been identified.

I note that one of the “advantages” claimed for WhatsApp is “end-to-end” encryption.

So if a WhatsApp message contains a toxic link, then the only opportunities for flagging that up and rejecting it will be with WhatsApp themselves and on the recipient’s PC or other device.

But whilst many Windows PCs will have good security software that should block (or warn about) dodgy links, many other devices (not least Linux PCs and Android devices) won’t have such software in place by default.

Another cunning feature of this latest scam is its chain letter aspect. Thus, like many other computer worms, it can spread disguised as ordinary social media messages.

Hi @derekp, How are you today?

Thought it might be useful to know that we focus primarily on paid social media posts that are designed, optimised and sent out to the audience the information is most relevant to. We do post on our page regularly, so that there is information there for all to see, but we’ve found the above techniques to be more effective at getting the right information to the right people. It can be an art! 🙂

Hi Elena G.

I’m fine thanks – and beginning to enjoy my retirement 🙂

I agree it is good for Which? to use social media platforms as a means for publishing issues and campaigns, not least because platforms like W?C only seem to reach about a dozen active participants.

I also agree that producing clear and simple communications is an art. It can also be a science too. For example, where I last worked, the instructor training included a number of tips for making good PowerPoint presentations. Most of those could be traced back to scientific studies of learning and/or perception.

When I first started work the research director sent round copies of a book, “The presentation of technical information” by Reginald Kapp, based on four lectures he gave at University College London. I have just rediscovered it in my garage and have it by the bed ready to re-read. In the preface he says, after the lectures were repeated to a much wider audience, “This experience made it clear that there is a big demand for help and guidance in the art of exposition”.

I look forward to seeing what it says again – too long ago to remember.

I’ve lost count of the number of lectures I sat through where the only thing really well demonstrated was how not to use an OHP.

That said, a really good piece of communication is an art in itself and one that’s mirrored in the classical structure of the sonata: Exposition, Development, Recapitulation.

The Exposition is of fundamental importance since a badly presented one can lose the listener’s interest for what follows.

But really top class communication involves at least three senses: aural, visual and tactile.

Tactile? You might be right, but that’s only a feeling.

I hadn’t realised you’re fresh into retirement! I love stuff like that – when you know the science behind how we learn, or how we process information, in particular. With PowerPoints, the way you lay things out and present a story is a science. Were you a whiz with PowerPoint? I bet you don’t miss it whether you were a whiz or not! 😉

Powerpoint made presenting talks and lectures so much easier. Saved all the work in preparing slides, diagrams and photos when you could import them and project in decent quality.
Two of a number of the ways people used it irritated me:
– the speaker whose complete text appeared on the slides as he/she read it
– all the silly features – flying letters for example – that people used only because they were there, not because they enhanced the talk – they did the opposite for me.

Maybe there ought to be a professional version of PowerPoint without the whizzy bits.

My personal hate is visiting speakers who feel the need to have their corporate logo on each slide.

Sometimes corporations require their logo to be on all their slides – if so, that won’t be the speaker’s fault.

For further critiques of PowerPoint, comedian engineer Don McMillan has some nice stuff on his Youtube channel.

This could be one of them: https://www.youtube.com/watch?v=MjcO2ExtHso 🙂 I think you mentioned Don McMillan last time we discussed PowerPoint. Searching for ‘death by PowerPoint’ will produce hours of viewing, much of it not very entertaining.

In the early days we had directives about corporate identity including using corporate PowerPoint templates. As far as I know, none of my colleagues paid any attention. I remember we were told to use a particular font on the basis that it was ‘restful on the eye’. I wrote to the author of that edict and politely explained that I wanted to command attention and not put people to sleep. The corporate identity guy was redeployed and given something useful to do.

Back on WhatsApp, the friend who encouraged me to use the app to call him when abroad now just phones me on his mobile. I’m presuming that this will still be possible after Brexit.

wavechange, I doubt anyone would get the sack for failing to follow corporate identity guidelines.

But approvals for conference attendances and approvals to publish and present papers could be easily withheld.

In my experience, some corporations are much stricter than others. In the consumer domain, “lookalike brands” and “fake brands” can be used to deceive consumers, so it can be good to see companies defending their brands. Some supermarket “own brands” clearly use very similar colours and shapes to leading brands.

Working in industry would not have suited me. 🙁

I am strongly opposed to counterfeiting but not very concerned when different brands share similar packaging.

In most industry counterfeiting is not a significant issue. All trades and professions have their share of cheats with wily ways. Mainly down to the individuals who work in them.

Derek referred to lookalike brands and these are used extensively. It does not concern me because I can generally spot the differences, but why not make products distinctively different from the most popular brand rather than producing copycat versions?

Because most products are made in China, Wavechange, and much as China is a big economic power they are not terribly innovative, and that’s easy to see by the massive copying of Russian military hardware.

Yes, but if you go into a supermarket you will see brands that to a greater or lesser extent look similar to the market leader. Counterfeiting – producing goods that are intended to look like a genuine article – is unquestionably wrong.

wavechange, I think a lot of supermarket own brand ranges cover both bases by producing both distinctive own-brands, e.g. Sainsbury’s SO organic, and bland generic lookalikes, e.g. tomato ketchup by Sainsbury’s.

If a shopper’s perception of say, tomato ketchup, is a vague mental picture of Heinz’s product, but they don’t particularly believe that they must only buy the branded version, then they may find a lower priced but similarly styled product to be most acceptable. (Or they might just follow Homer Simpson’s wine-ordering principle, and get the 2nd least expensive one.)

With more fashion conscious buyers, it may be essential for most products to ape the styling of brand leaders, for example my two cheap Alcatel “iphones” here, or any training shoes (and other sportswear) not actually carrying a flagship brand.

Perhaps you would give examples of “extensive use”? In my experience this is largely restricted to certain products in supermarkets. Many products do not deceive but their designs follow similar trends – smart phones, TVs, cars etc.

There was a Convo on copycat products.

Derek – I’m sure we have all seen examples of what you mention. I’m not too concerned.

Alan G says:
18 August 2018

Most link alerts come from the browser so Linux/Android PCs will have the same link protection as any other user of Firefox/Chrome etc. Admittedly many Linux users turn it off because they reckon they can spot dodgy links better than the software…. But the capability is always there.

Alan G, I’m not sure my experience of Firefox/Chrome etc. on Linux/Android PCs supports your views here. I’ve seen too many “user sanctioned” adware & spyware infections to think that a good browser alone is enough.

Do you, by any chance, know of any additional security software for Linux/Android PCs that can help here?

To give you a real-life, personal, up-to-date example: I decided to take advantage of the BT Plus offer but was told I could get BT Sport free for the length of the contract time (18 months). This is an app, but I told the sales lady I do not have a smartphone. She tried to sell me one, strenuously; it didn’t work. I told her I have a Linux system. She assured me that, if I went to BT.com, I could click on a link and I would get it. No I couldn’t, as it was only for Apple Mac & Windows 10. On informing them I was told I would have to pay for “breaking the contract” as, slyly, it wasn’t part of the 14-day cancellation period. I cancelled, costing me £25. I put in a protest and call for investigation as I was sold something that, quote, is as much use to me as a chocolate teapot. I am waiting for them to contact me, but my point, as regards this convo, is: my BT email service was hacked, not by one but by 15 and counting emails with the same layout as BT emails welcoming me to this new BT Plus service. On checking back I found they originate in the USA. Guess where BT Mail comes from? Yes, America, and BT don’t own it. They were letting third parties through who are lax in their protection. Now you ask me how could this happen to me with my apps on my browsers. One problem: I have to stop them working on BT’s website to be able to use it, trusting in BT’s protection. BT, you let me down. On informing them, all of a sudden all those virus emails vanished from both BT.Mail and Thunderbird. On the other hand, it’s a big plus that I now speak directly to gentlemen in various parts of England whom I understand implicitly and who know what they are talking about, and not the India desk, as the new service automatically puts me through to England.

You should be able to claim under the Distance Selling Regulations, Duncan: https://www.which.co.uk/consumer-rights/regulation/distance-selling-regulations

Your familiar avatar is not appearing.

Thank you for that URL, Wavechange, although I had to click on a link as it has changed its name and regulations now. You’re right, I should have been informed under the “off-premises” selling regulations, as it distinctly states I should be told it’s not compatible. On phoning BT I was told they have to wait to listen to the recorded call to determine if I told the sales lady that I had Linux. They will call me next week.

Just as a matter of interest, Duncan, I decided not to go ahead with BT Plus because my speed and capacity requirements do not justify the extra cost and I do not want the ‘Plus’ features. I am quite happy to continue with the present speed and slightly higher monthly price. Now that so many people are switching to fibre I find the copper transmission becoming faster and increasingly reliable!

You’re right, John: one of the “benefits” of people getting fibre is the reduction in load on copper resulting from an overhearing and noise reduction due to inductive transmission. They are re-routed to fibre, leaving the original street cabinet with fewer connections and therefore “quieter”. As I posted above, BT Plus cost me by allowing viruses to download via my email service. It was “laughable” to see a whole webpage on Thunderbird full of “welcome to BT Plus”, showing me somebody slipped up in BT by allowing it. Funnily enough, my Russian email service with virus control built in spotted them right away and put them in junk. I think the UK call-centre service is marvellous. It’s “hello, this is James from Newcastle” etc etc; you get the intuitive feeling you are dealing with somebody who can help you, and they don’t talk fast with a heavy foreign accent and they certainly don’t read off a script. It’s supposed to be rolled out nationwide eventually. I did not say I now get priority maintenance service as part of the contractual conditions as well, i.e. fast response.

As a matter of interest John, I have the latest broadband speed figures for July 2018 for all the UK major operators. They are median averaged for 6 pm to 11.59pm (peak period). Leaving aside VM, BT comes out on top, also having the highest quality of line, which is very much not made known to the general public -one test download=27.8Mbps/32Mbps -8 downloads but more to the point a good low rating of -0.5 Grade A -37ms latency. VM has 49.4Mbps -one download and 77Mbps -8 downloads BUT the quality is not up to BT standards -1.1 -Grade B- 38ms latency (higher is worse). While gamers etc like VM’s higher speeds, when it comes to playing games they judder. This is a result of VM’s policy of cramming too many customers onto the same cable for a bigger profit. I am sorry I am not able at present to post URLs.

Thank you, Duncan. I have complete satisfaction with BT which is why I stick with the company.

Since doing what I do on the computer is really my hobby the cost is lower than many other activities.

I prefer comments that contain summaries rather than links as they are more like real conversations, although I have noticed when chatting among friends it’s usually not long before someone whips their phone out to prove or illustrate a point. I can’t work out whether they are just showing off or are unable to explain themselves.

Are there any WhatsApp users out there, who’d like to join this Conversation?

I have received three or four of these scams over the last year or so from someone in my contacts list. They are all savvy people and have surprised me with how gullible they have been. Although the ‘Offer’ changes, i.e. Sainsbury, Costa Coffee etc, the scam wording is the same. Remind your friends nothing is for free.

Some regulars here use emojis and enjoy doing it, but do they know that Twitter has been using Unicode for years to determine what ads they hit you with? In any case I noticed that any emoji that appeared on my email client automatically blocked Which? emails and stuck them in junk; not only that, they blocked remote content gathering. I began to wonder why, and guess what? Yes, malware can and is being hidden in Unicode emojis. Now some won’t believe me and think “there goes pessimistic Lucas”. Not so, better people than me have proved that’s the case, so for those who are highly proficient at writing code, here is information on using them on Windows. This will be of no use to your ordinary guy but to a software engineering level; while this is some years old, the basic principles still apply, and now hackers have “improved” versions to overcome the blocking mechanisms used now by MS. “Enjoy” your emojis! https://www.secureworks.com/blog/how-to-hide-malware-in-unicode

I have been informed of the latest scams making big money for the scammers:
sextortion scams, either by visiting porn websites or your webcam has been hacked or you have published it on Facebook, Twitter etc.
The porn blackmail virus has been active since July 2018, breaching porn websites OR using a Remote Access Trojan injected into the computer and videos taken while the user was watching porn.
The money paid out so far is $147,377; some of the data was taken from LinkedIn, the business website. Read, quote:

Cisco Talos group examined two spam campaigns (which are still active to this day), one starting on August 30, 2018, while another one beginning on October 5, 2018. Most of these contained a From address From =~ /Aaron\d{3}Smith@yahoo.jp/ or From =~ /Aaron@Smith\d{3}.edu/.

SpamCop, the service for scam reports, reported 233,236 sextortion emails sent from 37,606 unique IP addresses. The IP addresses are connected to multiple countries, including:

Vietnam 15.9%
Russia 15.7%
India 8.5%
Indonesia 4.9%
Kazakhstan 4.7%, etc.