News analysis

WhatsApp’s latest privacy feature will not stop scams if users do not exercise scepticism

Sign up now: Get ST's newsletters delivered to your inbox

WhatsApp users should not be lulled into a false sense of security, says the writer, as scammers can still exploit the username system.

WhatsApp users should not be lulled into a false sense of security, says the writer, as scammers can still exploit the username system.

PHOTO: REUTERS

  • WhatsApp will let users hide phone numbers and use usernames, improving privacy but raising risks of impersonation scams despite new security measures.
  • Users must know exact usernames to message and can use a four-digit key for added protection, but lookalike usernames can still be exploited.
  • Users should remain sceptical, verify identities directly, and not rely solely on technology, as shown by a $4.9 million scam involving fake officials.

AI generated

SINGAPORE – Later in 2026, WhatsApp will be rolling out a new feature that lets users hide their phone numbers and show only their preferred usernames.

On June 29, WhatsApp started letting its three billion global users reserve a username ahead of the operational roll-out, a change meant to let people protect their privacy.

By making phone numbers less readily visible, it reduces the odds of them being stored in external databases, as commercial entities that have been contacted would not be able to view one’s number. These databases are often used by marketers to make unsolicited calls and even by scammers.

However, users should not be lulled into a false sense of security. Scammers can still exploit the username system.

For instance, a scammer looking to impersonate Singapore’s Health Minister Ong Ye Kung can still reserve @OngYeKung_PAP, The Straits Times found.

Even though WhatsApp has locked down @OngYeKung and @Ong_Ye_Kung, preventing them from being reserved, it may be impossible to lock down all permutations of his name.

Similarly, a scammer looking to impersonate Singapore’s Defence Minister can still reserve @ChanChunSing_PAP even though WhatsApp has locked down @ChanChunSing and @Chan_Chun_Sing.

A scammer looking to impersonate Singapore’s Defence Minister can still reserve  @ChanChunSing_PAP even though WhatsApp has locked down @ChanChunSing and @Chan_Chun_Sing.

A scammer looking to impersonate Singapore’s Defence Minister can still reserve @ChanChunSing_PAP even though WhatsApp has locked down @ChanChunSing and @Chan_Chun_Sing.

PHOTO: SCREENGRAB FROM WHATSAPP

A fraudster may also impersonate either of the ministers by pairing permutations of their usernames with their official portraits, which are readily available online.

The powers of generative artificial intelligence tools have also enabled scammers to create convincing lookalike images of well-known names with just a few simple prompts, allowing fraudsters to appear more convincing.

Andy Prakash, founder and chief executive of information technology security firm Privacy Ninja, said identity-based scams will not go away but will become more sophisticated even with phone-number masking. He said that user education is the best defence.

“As AI-generated impersonation becomes increasingly sophisticated, trust should be built through verification rather than appearance alone,” he said.

Awareness, verification and healthy scepticism are more important than ever, he added.

On its part, WhatsApp will be rolling out new features to help users be more discerning.

For instance, the platform will flag new WhatsApp account holders who are contacting users via their usernames for the first time. The notice will also include other information such as whether the WhatsApp account holder shares any groups with the message recipient, and whether the message sender is based overseas.

However, the effectiveness of these warning signs depends on whether users recognise the warning signs in the first place.

A message claiming to be from a government official with links to get users to click on and dubious message headers should raise alarm bells.

If the message involves the solicitation of money or sensitive information, or demands urgent action, then users should be even more alert and verify the requests, said Santiago Pontiroli, the threat intelligence research lead at cybersecurity company Acronis’ Threat Research Unit.

Verification is required whether the message comes from a phone number or a username.

Identity verification must be done independently, such as by calling an official phone number listed on official websites, or calling a family member for independent assessments. Scammers often impersonate a business such as a logistics firm, a bank or a tech helpdesk.

Usernames may change how people identify or look up one another on WhatsApp, but they do not change the psychology behind impersonation scams.

A recent case involving an individual who lost at least $4.9 million to scammers impersonating senior government officials shows the importance of a cognitive pause and verification.

In this case, the victim was invited to a Zoom video conference call that appeared to involve Prime Minister Lawrence Wong, along with other local and overseas government officials, the police said in an advisory on May 14.

The appearances of PM Wong and the officials were created using deepfake AI technology.

The scammers appear to target business professionals who have had prior interactions with government officials, police added.

A simple, independent check would be all it takes to stop scams in their tracks. It proves a timeless point: Technology can strengthen security, but it cannot replace the need to verify information.

See more on