The U.S. FBI has issued a warning about a large-scale phishing campaign targeting WhatsApp and Signal users. It is reported that Russian-linked hackers are posing as support staff inside the app, tricking people into handing over verification codes or scanning QR codes. Thousands of accounts have been compromised so far.
In relation to this, a study by CNC Intelligence warns of a different kind of WhatsApp phishing – fake websites. The company tracked every newly registered domain containing “whatsapp” or common misspellings – known as typosquats – then scanned them against multiple independent security engines to confirm malicious activity.
Over that three-month window the firm examined every newly registered domain carrying the WhatsApp name or a typosquat of it and confirmed 1,216 malicious sites. That works out to roughly 13 to 14 new malicious WhatsApp sites going live every day (1,216 over 90 days).
Key findings included:
- From Dec 10 2025 – March 10 2026, 1,216 malicious domains impersonating WhatsApp were flagged.
- 1,079 were flagged as confirmed phishing, while 137 were flagged as very likely phishing.
- 70% of the domains used the exact brand name ‘whatsapp’, while 30% used common typosquats like “whatsap”.
- 46% of malicious domains used hyphens to mimic real subpages (think: whatsapp-support, whatsapp-login). A name like whatsapp-support reads like a section of the real site, but it is an entirely separate domain under the attacker's control.
In terms of how these scams work: a victim receives a link, by text, email, group chat, or social media post, that looks like a legitimate WhatsApp page. Click it (say, from a message in a WhatsApp group chat) and you are asked to do one of three things: enter a verification code, scan a QR code, or download an “enhanced” version of WhatsApp. Each hands over something different. The verification code is the six-digit registration code WhatsApp sends by SMS; with it the scammer can register your number on their own phone. The QR code is WhatsApp's linked-devices pairing code; scanning it with your phone links the scammer's browser or desktop client to your account and mirrors your chats to them. The “enhanced” app is an unofficial build, and what it does with your messages and contacts is up to whoever made it.
Once you have done any of this, the scammer has access to your account. They can send messages to your contacts asking for money, read your conversations for banking and personal information, or use what they find to run further targeted scams.
How to spot a fake WhatsApp site:
- Double-check any URL before you click. Look for hyphens, extra words, or subtle misspellings like “whatsap”, and remember that the word “whatsapp” appearing somewhere in a name proves nothing if the domain itself is not whatsapp.com.
- Never verify or link your account via a link. WhatsApp asks for the six-digit code only when you yourself are registering the app on a phone, and the only QR code you should scan is one you opened on web.whatsapp.com or in the official desktop app. If a message asks you to verify or log in, go directly to the official site or app instead. Enabling two-step verification in WhatsApp's settings adds a PIN, so a leaked registration code alone is not enough to take over your number.
- Treat urgency as a red flag. Phishing sites often pressure you to act fast – if a message feels urgent, slow down.
- Check who sent the link. These links arrive via text, email, group chats and social media. Even if it looks like it came from someone you know, verify before clicking.
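The first step of the study described above (collecting newly registered names that carry the brand or a typosquat of it, and noting hyphenated labels) and the URL checks in the list above, as an added Python example. This is not CNC Intelligence's code or data: the sample domain list is constructed for illustration, the allow-list of legitimate WhatsApp domains and the edit-distance threshold of 2 are assumptions, and the study's second step of scanning each candidate against independent security engines is not reproduced here.

```python
"""Added example: flag registered domains that impersonate the WhatsApp brand."""
import re
from dataclasses import dataclass
from typing import Optional

BRAND = "whatsapp"
# Assumption: these are the brand's own domains; anything else carrying the
# brand string (or something close to it) is treated as an impersonation candidate.
LEGITIMATE = {"whatsapp.com", "whatsapp.net", "wa.me"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute), used to catch typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    domain: str
    kind: Optional[str]   # "exact" (brand string present), "typosquat", or None
    hyphenated: bool      # brand sits in a hyphenated label such as whatsapp-login
    label: str = ""       # the DNS label that triggered the verdict


def normalise(raw: str) -> str:
    """Reduce a URL or host string to a lower-case hostname."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", raw.strip().lower())
    host = host.split("/")[0].split("@")[-1].split(":")[0]
    return host.rstrip(".")


def classify(raw: str) -> Verdict:
    host = normalise(raw)
    if host in LEGITIMATE or any(host.endswith("." + d) for d in LEGITIMATE):
        return Verdict(host, None, False)
    typo = None
    for label in host.split(".")[:-1]:        # every label except the TLD
        if BRAND in label:                    # whatsapp, whatsapp-login, mywhatsapp
            return Verdict(host, "exact", "-" in label, label)
        for token in label.split("-"):
            # distance <= 2 covers whatsap, wh4tsapp, whatsaap; short tokens are skipped
            if typo is None and len(token) >= 6 and levenshtein(token, BRAND) <= 2:
                typo = Verdict(host, "typosquat", "-" in label, label)
    return typo or Verdict(host, None, False)


def summarise(domains) -> dict:
    """Break flagged names down the way the study's key findings do."""
    flagged = [v for v in (classify(d) for d in domains) if v.kind]
    return {
        "flagged": len(flagged),
        "exact": sum(v.kind == "exact" for v in flagged),
        "typosquat": sum(v.kind == "typosquat" for v in flagged),
        "hyphenated": sum(v.hyphenated for v in flagged),
    }


# Constructed sample standing in for a day's new registrations (not study data).
SAMPLE = [
    "whatsapp-support.example", "whatsapp-login.example", "whatsapp-verify.example",
    "whatsappweb-download.example", "mywhatsapp.example", "login.whatsapp-update.example",
    "whatsap.example", "wh4tsapp.example", "whatsaap-help.example",
    "https://whatsapp.com/", "web.whatsapp.com", "example.org",
]

if __name__ == "__main__":
    for d in SAMPLE:
        v = classify(d)
        print(f"{v.domain:32} {v.kind or '-':10} hyphen={v.hyphenated}")
    print(summarise(SAMPLE))
```

Because every label except the TLD is examined, a name such as whatsapp.com.evil.example is flagged as “exact” even though it ends in an unrelated domain, which is the subdomain trick the list above warns about. The edit-distance rule is deliberately loose and will also flag innocent near-misses (whatsup.example, for instance), which is why the study put each candidate through independent security engines before counting it as malicious; punycode (xn--) labels are not decoded here, so homoglyph names need a separate check.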
Matthew Stern, CEO of CNC Intelligence, tells Digital Journal: “With AI tools, cybercriminals no longer need a skilled developer to clone a professional-looking site. And the sites don’t need to fool you for long – they just need your credentials once. After that, the attacker has what they need and the site has done its job. If the site gets flagged and taken down, cybercriminals can quickly replace the site, enabling the scam to continue.”
