Riding on WhatsApp, scam sites soar in wake of COVID-19


We need your support to produce excellent journalism at all times.

Troubling misinformation around COVID-19 and its vaccines have hit Nigeria. The country also has to bother about cyber insecurity riding on the cottail of the pandemic.

In March 2021, an alum posted on her alumni WhatsApp group, “Hurry up and get N30,000 survival fund” along with a URL obscured by a link shortener.

Nigeria was at the start of lockdown brought on by the COVID-19 pandemic.

A month later, another woman posted in the same WhatsApp group, “Apply for the COVID-19 relief fund provided by the Federal Government.”

Both women had simply forwarded the message as received, without verification.

The messages shared in a school alumni group
The messages shared in a school alumni group

The first forwarded it after she heard some people got credited with money from the government’s COVID-19 relief fund.

“It was forwarded to me, so I had to forward it too. One of the persons I forwarded it to said it was a scam,” she said.


READ ALSO: 

Fact-checking claim that mRNA COVID-19 vaccine causes genetic mutation 

Fact-checking comments on religion, Boko Haram, Abacha attributed to President Buhari

Rising above COVID-19: Resilience, successes amidst pandemic in Niger Delta


She never returned to tell her recipients it was a scam; they continued to share the message.

To mitigate the effect of the lockdown, the Nigerian government set up some relief programmes [here & here]. They are the programmes malicious actors rode on to carry out their nefarious activities.

This report tracked down 15 such posts in circulation between March 2020 when the lockdown went to effect to March 2021. Three of them are not directly related to COVID-19 but operate in the same format. Thirteen operate by directing people to websites, two to mobile numbers.

Spike in reports

The Central Bank of Nigeria, the country’s financial regulatory institution, notes that the Economic and Financial Crimes Commission (EFCC) and the Nigerian Police are to be reached in the case of fraudulent activities.

In April 2020, the EFCC, which  is empowered to  investigate, prosecute and penalise economic and financial crimes in the country, reported a spike in complaints for online scams as a result of the lockdown.

According to the commission’s boss, many of the fraudulent online messages require recipients to click and fill out an online survey and forward same to 10 Whatsapp users.

“The messages are embedded with malwares and other malicious codes which when clicked, trigger a program that steals and compromises mails, banking logins passwords, credit- related information and other critical data contained on the recipient’s devices,”   the statement read.

How it works

A message is circulated posing as one of the government interventions, and asking people to apply for the intervention via a link.

The link is often masked by using a URL shortener like ‘Bitly.’ This allows the link preview to be customised to have the key words. For instance, this is the customised link ‘https://bit.ly/fg-10500-weekly’  but the actual site it redirects to is ‘naijarealityview.com’.

The website is masked using link shortener
The website is masked using link shortener

Sometimes a url will mimic the legitimate website by changing some characters. For instance, the Humanitarian and Social Development Ministry’s website ‘npower.fmhds.gov.ng’ was replicated by changing the dots to dash ‘npower-fmhds-gov-ng’.

One or two character in the url is changed, in this instance dots are changed to dash
One or two characters in the url is changed, in this instance dots are changed to dash

The link directs to a website that would have some attributes of a government website like logo, name, and colour.

Then a form asking for age, mobile number, location, email, name and so on will appear.

After filling the form, you are asked to share the link to people in your network at least 10 times. The generated link is to be shared on WhatsApp.

A call to action button ask for the link to be shared multiple times on WhatsApp before you can access the purported benefit.
A call to action button asks for the link to be shared multiple times on WhatsApp before you can access the purported benefit.

One similarity cuts across these sites: a call to action to invite your friend until the bar is full. The invite button only redirects to WhatsApp.

A fact-checker and investigations editor at HumAngle ‘Kúnlé Adébàjò, who has spent time debunking such claims since the pandemic, has insight as to why WhatsApp is the preferred platform.

“These kinds of information are best shared on WhatsApp because of the instant messaging app’s end-to-end encryption feature that makes it difficult to track the source of a piece of information, unlike what we have with Twitter, Facebook, and so on,” he says.

The websites have a testimonial section designed to look like a comment made on a Facebook plugin. It is false and a dummy, a manipulated image, and not clickable.

The sites have dummy comment section.
The sites have dummy comment section.

A common feature: they do not have a contact number, email and social media accounts. Any account on the site does not redirect to any social media handle.

Who is, a query and response web tool that stores information regarding websites, shows that all 12 sites were new, only registered between 2020 and 2021— after the coronavirus outbreak morphed into a pandemic.

“It looks like the sort of web platforms they create are also temporary such that it’ll be hard to unravel who registered them,” Adébàjò says. “All this is deliberate.”

Adébàjò is not far off the mark. Scam bunkers, a webtool that rates the legitimacy of websites, also notes that “most scam websites use domain names that are less than 6 months old.”

A collage of the date of registration of some sites, showing they were registered after COVID-19 became a pandemic.
A collage of the date of registration of some sites, showing they were registered after COVID-19 became a pandemic.

A pattern was observed that websites were tailored and registered immediately after an intervention is announced.  In October, the government began an intervention for small businesses to register with  (Corporate Affairs Commission) CAC for free. By January, linked sites were registered and phishing claims were in circulation, throwing a free trip to the UK into the pot.

A civil servant, Model Chris, shared one such tailored message on a WhatsApp chat: that a mobile network was giving out free internet data for people who had completed registration for their National Identity Number (NIN). Ten minutes later, she sent a follow up: “Please disregard this information.”

The government had earlier mandated mobile number registrations be linked to NINs.

The message from Chris.
The message from Chris.

Chris decided the site was a scam because after filling the form and sharing to multiple persons as prompted, she was not given the data promised.

She was asked whether she felt safe sharing her information with the site. “I did not share my information with them,” she replied.

Really? Didn’t she? A look at the site shows that you must provide name, mobile number, email address and country/location before you get to the stage where you are prompted to share.  Chris, like four other people interviewed, did not feel the information shared exposed them to risk.

But “It’s phishing,” says Igbanam Ogbuluijah, a software development engineer with Amazon.

It’s “basically gathering enough information to initiate an attack. You gather information, you gain trust, then you attack based on trust.”

A pattern is noticeable on such posts: first, the links are obscure; second, they change the characters in the domain name of the site they are masquerading as.

“The one I saw for a bank, the character ‘A’ was not Ascii 65 for the standard English alphabets which the bank uses but an extended character [A with an accent, grave circumflex Diaeresis or tilde] that looks like it. But it is not the same.”

The essence of this is because “their job as a malicious actor is to create something that your cognitive window will not catch,” Ogbuluijah notes.

This makes it easy for distribution, as people tend to forward the messages without verifying it.

“Eventually, someone will share it to someone who will share it to someone’s grandmother who doesn’t know and then she would click the link. When the malicious actors have an in, in a network, they can then infiltrate,” says Ogbuluijah.

That was the case for Umar Hamza, who comes from a large family that operates a WhatsApp group comprising people of all ages and educational background living in different locations.

The elderly in the family tend to engage more with such posts, and it might be because “they are more trusting of things shared on the internet,” says Hamza.

He says It is common for an account on the group to be compromised—whereby a person’s account is taken over by malicious actors after they click on scam links.

The number changes and the WhatsApp group is spammed with numerous suspicious messages.

A senior partner at the IT firm, e86 Limited, Olugbenga Odeyemi says WhatsApp is preferred because “these kinds of messages are targeted towards the older generation who generally believe that whatever is on ‘Whatsup,’ as they call it, is authentic. If you put that kind of message on Twitter, it would not fly as we have a lot of young people there who can fact-check it and they will come to the comment to tell you this is fraudulent.”

Running these websites through scam bunkers for legitimacy shows their trust score rating as very bad, with most scoring zero percent.

The sites after subjected to tests on Scam bunkers had low trust scores with some getting zero.
The sites after subjected to tests on Scam bunkers had low trust scores with some getting zero.

How is WhatsApp tackling the spread of misinformation?

The end-to-end encryption of WhatsApp makes it difficult to trace the origin of a message. Recently, WhatsApp took steps to curb misinformation by implementing icons tagging posts as ‘forwarded multiple times’ and limiting the number of persons that ‘highly forwarded messages’ can be sent to.

It was to help notification and slow down the spread of messages. After being forwarded five times, messages tagged can only be forwarded to one person or group at a time.

Currently, fact-checking anything on WhatsApp is extremely labour intensive.  Newsrooms with fact-checking arms and fact-checking organisations like the FactCheckhub have set up ways for the public to send in what they suspect to be misinformation. Fact-checkers then check the claim manually. This helps, but it is not a practical solution.

What else…?

Adébàjò has laboriously debunked such claims and still gets new ones. That people are still sharing the messages suggests a change in ‘orientation’ may be the way forward.

“The government needs to improve its communication mechanism so that people know exactly where to visit and whom to call for accurate information about new programmes and government-approved opportunities,” says Adébàjò.

He adds that there is a need to work towards improving media literacy.

“The truth is: the red flags are there,” he says. “The general populace should be taught how to easily recognise and call them out or at least refuse to share them to others.”

The strategy of Nigerian banks—repeatedly warning their customers not to reveal their PINs or debit card details to strangers—can be adopted, Adébàjò adds.

A number circulating in one of the claims has been reported multiple times as spam.
A number circulating in one of the claims has been reported multiple times as spam.

Phishing through direct calls

Banks in Nigeria have persistently pushed for banking literacy, to stop customers sharing their account details.

Some customers get calls from people claiming to be ‘customer care’ asking for card details. This tactic features in the claims under review.

Ezeogu Uchechukwu encountered that in April 2020. He got a call from a number claiming to be his bank’s ‘customer care.’

A search of the number on Truecaller—a smartphone application for identifying phone numbers—showed ‘Eunice Floxy’ even though the caller’s voice was male. The caller told Ezeogu he was one of the beneficiaries of government palliatives of N45,000 but he would need to provide his bank card details.

It is not an isolated incident. In other cases, a number is circulated for users to dial. One of the circulated phishing posts claimed the Nigeria Centre for Disease Control (NCDC) was doling out palliatives to mitigate the impact of the lockdown and provided ‘07042835643’ as contact number.

When put through Truecaller, the number showed ”Access bank Scammer’ and had been reported 36 times as scam. The use of ‘Access bank’ suggests the user might have impersonated the bank to defraud or attempt to defraud people.

This time around the message came with a mobile number instead of website links.
This time around the message came with a mobile number instead of website links.

For those phishing websites that do not directly ask for your banking details, what is their motivation?

Aside generating advertising revenue – some of the websites had adverts – they redirect you to a totally different site.

Chris experienced it. That was also the case after filling the form for small business name registration.

Olugbenga, a senior partner at IT firm e86, says in the case of the COVID-19 messages, the motivation is to harvest names, phone numbers, email addresses and age range. These could be used for different things.

“They can sell this information to those who do broadcast emails and bulk SMS,” Olugbenga says. “These things are targeted, for the most part, as they already know your locations, name age and so on. So, they know the kind of things that will interest you.”

Innocuous enough, but it can also be harmful

“In this era of using the same email and phone numbers for multiple registrations. It can become a foundation to profiling a person -an average person has one email address that they use for all registrations including banking and school; this also applies to phone numbers,” says the expert.

“With this information and working with compromised persons in the bank they can easily defraud you.

“They can also call you and impersonate an organisation. You will never know where they got your number and they may come across as credible because they have your details.”

Scam Rate, a tool that rates legitimacy of sites, advises users to treat with suspicion, domain names that end with “.top, .club, .online, .co, .cc.”

In reference to shopping platforms, Scam Rate advises users to beware when a website sells all products with high discounts (e.g. 70 per cent or 90 per cent; the ‘contacts’ page should show also an email address or telephone number and not just a form; trust seals like McAfee SECURE or Verisign must be clickable; and a legit shopping site should have a Facebook or Instagram profile.

Scamrate-recommendation

This publication was produced as part of IWPR’s Africa Resilience Network (ARN) programme, administered in partnership with the Centre for Information Resilience (CIR), the International Centre for Investigative Reporting  (ICIR), and Africa Uncensored



Menu