Approximately one fifth of the entire global population uses WhatsApp. The messaging platform is a behemoth, and it’s fast becoming central to successful business communication. Companies that want to succeed need to meet potential customers in their preferred medium. For many people, that is WhatsApp – especially in emerging markets.
However, WhatsApp security issues pose challenges to enterprise risk teams, spanning information security to compliance. The big three digital risks here are malware, account compromise, and regulatory compliance concerns. Using WhatsApp for business can be safe, but only if organizations understand the digital risks on the channel, and recruit the right solutions to protect themselves.
Why WhatsApp is Becoming Mission-Critical for Global Business
The benefits of WhatsApp for business relate to the channel’s reach and user base. Though Facebook Messenger leads the way in the US market, WhatsApp is the main communication channel in all of Central and South America and most of Europe, Africa, and especially Southeast Asia. In many industries, and in all emerging markets, communicating with customers on their channel of choice means messaging them on WhatsApp.
WhatsApp is already at the stage where many companies have no choice but to leverage the platform. Businesses in the pharmaceutical sector that don’t include WhatsApp as part of their digital transformation strategies are guaranteed to lose out in vital markets. The same goes for healthcare. KLM, Hellmann’s, and Netflix are examples of brands using WhatsApp for business with great success. Adidas, The Financial Times and other companies using WhatsApp for business are getting ahead of their competitors by ditching legacy forms of communication.
All well and good. But what are the WhatsApp security concerns that CISOs need to guard against?
WhatsApp Security Issues and Threats
WhatsApp is vulnerable for a variety of reasons. There is the lack of encryption with backups, which raises the risk of files escaping into other channels. Like its parent company, Facebook, WhatsApp is also prone to the scourge of mis- and disinformation. Then there are concerns about the viability of WhatsApp for business GDPR compliance.
However, the big three WhatsApp worries for risk teams are malware, account compromise, and compliance risks.
In 2018, Kaspersky Lab discovered that WhatsApp users in Italy had been infected with a trojan spyware called Skygofree. The malware turned Android phones into surreptitious listening devices, allowing the hackers to secretly listen in on conversations and steal private messages, location details, and call records. Kaspersky Lab described it as “one of the most powerful spyware tools that we have ever seen”.
Similarly, Labyrinth Chollima, a North Korean threat actor, has recently leveraged WhatsApp to deliver malicious payloads to victims. With its last detected attack as recently as June 2020, Labyrinth Chollima profiles and connects with enterprise employees on LinkedIn, and lures them to WhatsApp, where they are hit with malware-laced messages and content.
Another common attack sees attackers create phishing websites to trick WhatsApp users into handing over personal information. Websites that masquerade as WhatsApp’s web platform ask users to enter phone numbers to connect to the service. Then, they use this number to bombard unsuspecting victims with spam, or correlate the number with other leaked data on the internet.
As these two examples illustrate, the nature of WhatsApp malware attacks varies. Sometimes other platforms are looped into a multi-vector attack, sometimes they aren’t; sometimes phishing is required, sometimes it isn’t. But WhatsApp is so ubiquitous that it’s easily looped into bad actors’ attempts to compromise targets with malware. A lack of visibility into communications continues to be one of the key WhatsApp security issues for security teams.
Account Hacking and Compromise
The richest man in the world was compromised via WhatsApp. In January of 2020, reports emerged describing how Amazon founder Jeff Bezos’s WhatsApp account had been hacked, most likely by nation-state actors. Bezos was sent a video in a WhatsApp conversation, which he played. The video contained NSO Group spyware that penetrated Bezos’s cellphone and exfiltrated a large amount of data. The allegations were that the sender of the video was someone Bezos knew: Mohammed bin Salman, the crown prince of Saudi Arabia.
Bezos suffered a classic spear-phishing attack. But the vector for that attack shows why account compromise will also be one of the key WhatsApp security concerns. People are highly active in their WhatsApp, and they tend to be trusting of what they receive. However, the application’s proximity to the rest of a device, and all the other apps on that device, makes it a potential entry-point for serious trouble.
WhatsApp is also vulnerable to SMS authentication code theft. An attacker installs WhatsApp on a device and uses your phone number to register. When the app texts you the code, the attacker will then pretend to be someone you know, and request the code. Since the code is actually for your number, you inadvertently allow them access to your WhatsApp. This socially engineered hack enables attackers to hijack accounts and use them to target the victim’s contacts, either to request money or send malicious attachments.
Regulatory & Compliance Risks
One of the most serious risks of using WhatsApp for business relates to security and compliance. Many industries have strict regulations around how companies can communicate with customers and individuals. A good example is pharmaceuticals.
A Global100 Pharmaceutical Leader’s large Brazilian field force was generating over 100,000 WhatsApp messages every month. However, the pharmaceutical industry has strict guidelines around how reps can and cannot discuss adverse events, off-label usage, and other topics. Until they implemented the right protection, the company couldn’t ensure their WhatsApp communications were compliant. Manual review would never be able to keep up. Just a handful of troublesome messages amongst 100,000 could present a serious potential risk.
There are many other industries where the content of WhatsApp communications risks breaching compliance laws: healthcare, life sciences, finance, government, energy and more. Without the right tools, security teams have no way to guarantee that compliance and regulatory risks aren’t appearing in WhatsApp correspondence.
The Foundations of Enterprise WhatsApp Security
Protecting companies and employees from these WhatsApp security issues requires four key steps:
- Employees must recognize the need for – and opt in to – oversight. Securing WhatsApp requires visibility. Security and compliance teams need to begin with full transparency. Enterprises should explain to employees why their WhatsApp communications need to be monitored, and how the security teams will go about it. Employees need to be kept in the loop, and they need to be aware that their WhatsApp messages are scanned for malicious links and policy violations.
- 100% visibility is a must. Once you have your employees’ buy-in, the next step is to get full visibility into all your WhatsApp communications. Because this involves hundreds, thousands or even tens of thousands of messages per day, CISOs need to recognize that manual review won’t cut it. The days of sampling are over. You need 100% visibility, and automated surfacing of policy violations.
To gain this visibility, you need an AI-powered digital risk protection solution. A single, unified platform, with total oversight, is what will empower businesses to truly secure WhatsApp communications.
- Policies must be customizable. Every enterprise and every industry experiences different forms of digital risk pressures. Each company also has its own set of internal policies and standards that they need to meet. When establishing WhatsApp security protocols, companies need risk management solutions that will allow them to customize their policies, and quickly apply those policies across an entire channel. The capacity for fast updates, tweaks, and renewals is also a must.
- Employ scalable technologies. A WhatsApp security solution needs to be truly scalable. Enterprises are only going to have to use WhatsApp more and more in the coming years. As you grow, the volume and velocity of WhatsApp communications will increase. You need a robust WhatsApp security stance that can scale as you go, with no ceiling.
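To make the steps above concrete, here is an added sketch (not code from this article or from any vendor product) of automated surfacing with customizable policies. It flags the three risks described earlier: requests for an SMS verification code, links to hosts that imitate WhatsApp Web, and pharma-style compliance terms. The rule names, regular expressions, host check and sample messages are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Customizable text policies (assumed wording; tune per industry and language).
POLICIES = {
    "verification-code-request": re.compile(
        r"\b(send|share|forward|give|tell)\b.{0,40}\b(code|otp|pin)\b", re.I | re.S),
    "off-label-or-adverse-event": re.compile(
        r"\boff[- ]label\b|\badverse (event|reaction)\b", re.I),
}

def lookalike_links(text):
    """Hosts that contain 'whatsapp' but are not whatsapp.com or a subdomain of it."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        genuine = host == "whatsapp.com" or host.endswith(".whatsapp.com")
        if "whatsapp" in host and not genuine:
            hits.append(host)
    return hits

def scan(message, policies=POLICIES):
    """Apply every policy to one message and report which ones matched."""
    text = message["text"]
    findings = [name for name, rx in policies.items() if rx.search(text)]
    hosts = lookalike_links(text)
    if hosts:
        findings.append("lookalike-whatsapp-link")
    return {"id": message["id"], "findings": findings, "hosts": hosts}

def review_queue(messages, policies=POLICIES):
    """Scan 100% of messages; return only those a human needs to review."""
    results = (scan(m, policies) for m in messages)
    return [r for r in results if r["findings"]]

# Constructed sample messages, not real traffic.
SAMPLE_MESSAGES = [
    {"id": 1, "text": "It's Ana, I sent you a 6-digit code by mistake, "
                      "can you forward the code to me?"},
    {"id": 2, "text": "Log in again at "
                      "http://web.whatsapp.com.session-check.example/login"},
    {"id": 3, "text": "The doctor asked about off-label use in children."},
    {"id": 4, "text": "Meeting moved to 3pm, join via https://web.whatsapp.com"},
]

if __name__ == "__main__":
    for item in review_queue(SAMPLE_MESSAGES):
        print(item)
```

Passing a different `policies` dictionary to `review_queue` changes the rule set without touching the scanner, which is the customization point the list above calls for.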
WhatsApp security issues are very real, and CISOs need to be alert to them. However, using WhatsApp for business is fast becoming a requirement for companies that want to stay competitive. The advantages of WhatsApp for business growth are simply too great to ignore. For this reason, understanding the risks, and establishing a WhatsApp enterprise security model, cannot be put on hold.