You receive a WhatsApp message containing a seemingly harmless image from a stranger. There is no suspicious-looking link attached to the message, and you think it could have been sent by accident. Next, your curiosity leads you to download the file.
We’ve been repeatedly warned not to tap on any malicious links sent by unknown numbers, but now scammers are targeting individuals using image files.
What may appear to be a simple image could be powerful enough to install malicious files on your device, granting scammers access to your sensitive data. What’s next? Your bank accounts are compromised. We explain how this scam unfolds so that you can stay ahead of these threat actors' games.
Modus Operandi
Message Alert: You receive a WhatsApp message from an unknown sender with an image that might be disguised as a meme, a photo of an individual, a poster, or an invitation. It may or may not be accompanied by a text message.
Urgent: You may ignore this message, but you will soon receive calls from scammers asking you to help identify the person in a photo they’ve shared.
Sneaky Installation: Once you hit download, the malware installs on your device, allowing a scammer to extract your personal information. This includes your banking credentials, passwords, photos, stored documents and even OTPs.
Remote Access: In some cases, scammers gain control of your device, enabling them to access your folders, files, and banking applications.
Steganography in Action: The image utilises steganography—a technique that allows scammers to hide malicious code or malware within the image, and it can effectively bypass security software.
Red Flags
Calling victims to instil urgency while triggering empathy and curiosity, which will prompt them to click the download button.
What To Do
Stop: Do not download any random image received on your WhatsApp from unknown senders.
Pause Downloads: Disable the auto-download feature on WhatsApp.
Follow these steps:
WhatsApp > Settings > Storage and data > Media auto-download
For iPhone users, tap on Photos/Audio/Video/Documents and select ‘Never’. If you have an Android phone, uncheck the boxes next to the same options.
Ignore: Avoid picking up calls from unknown numbers and block them on messaging apps as well.
Update: Apart from adding new features, regular phone updates also help fix security loopholes.
Report: If you were scammed or were able to spot this scam, then report the incident as soon as possible through a government portal such as Chakshu (https://sancharsaathi.gov.in/sfc/) and the national cybercrime helpline number—1930. You can also lodge a complaint with the local police station.
(The Quint's Scamguard initiative aims to keep up with emerging digital scams to help you stay informed and vigilant. If you've been scammed or successfully thwarted one, then tell us your story. Contact us via WhatsApp at +919999008335 or email us at myreport@thequint.com. You can also fill out the Google form and help us take your story forward.)