A recent warning issued by An Garda Síochána about a callback scam targeting Irish users of WhatsApp should serve as a reminder to company owners that their business networks, including their mobile messaging platforms, face a variety of risks.
In early March 2018, a news story published by the Mirror explained that Gardai received many complaints from WhatsApp users who received a message from an unknown number and the subject line “Martineilli.” Users who opened the message were later targeted by missed VoIP calls from numbers starting with the 087 country code, which would suggest calls originated within Ireland. The idea is to ensnare WhatsApp users into a callback scam.
Gardai detectives have determined that the 087 numbers are spoofed, and that the calls are actually made from Bosnia. When the callers return the call, they unknowingly activate a special charge to their monthly bill. Some callers report that this has happened to them various times in a single month.
The lesson for business owners to learn in this case is that their mobile messaging apps can be vulnerable to external attacks. Even dedicated business messaging networks such as Slack are not as safe as many people wish for; furthermore, micro-companies that decide to use WhatsApp for business use just because it is already installed in the personal smartphones of most employees are opening their companies to greater risk.
In the past, information security researchers combing through code posted on the popular online development platform known as GitHub have discovered Slack tokens with login credentials that could be used to spy on corporate chats, projects and conversation threads.
Companies that choose to implement mobile messaging apps as part of their networks should first conduct a security audit. Even though apps such as Telegram offer strong end-to-end data encryption, company owners should not assume that they will be impervious to phishing attacks or social engineering.
A mobile messaging app can only be as secure as the business network and security policies of the company. Any digital communications solution can be hacked; the idea is to enact preventive measures to avoid data breaches and network intrusion situations.