With the seemingly innocent hook of “vote for my son,” a social engineering campaign is taking advantage of the trust between contacts to steal WhatsApp accounts. This scam doesn't use malware or dangerous attachments: it relies on manipulating empathy, urgency and familiarity so that the user lowers his guard.
According to recent research by Bitdefender, the operation is rapidly expanding across Europe and is already affecting thousands of usersThe dynamic is simple but effective: a message that seems to be from someone known asks for a vote for a supposed contest and directs to a fake website where, step by step, control of the account is captured.
How deception develops
It all starts with a text that comes from an account that the user recognizes, which transmits confidence. It asks you to vote for a friend's son or daughter in a competition, often with an emotional tone (for example, to apply for a scholarship), and includes a link to do it "fast".
By clicking the link, the victim lands on a portal controlled by the attackers that simulates a voting system. There they are asked to enter their phone number and, immediately afterwards, the six-digit WhatsApp verification code that you receive via SMS. This code should be secret: if it is provided, criminals they take the bill Instantly.
With the profile already hijacked, the scammers continue the chain: they send more messages fraudulent to the affected person's contacts to request new "votes" or even money, multiplying the scope of deception with each victim involved.
Scope and verified figures
Bitdefender has tracked the infrastructure after this campaign and has identified 177 domains fraudulent and 554 URLs unique ones linked to fraud. The attacks are still active and, according to the data collected, they mainly impact Poland, Romania and Germany, with reports also in Spain, the United Kingdom, and the United States.
The volume and geographical distribution show an operation in expansionThe absence of malware and the use of psychological resources make this scheme a threat that is especially difficult to detect, even for users with a certain technical level.
Why so many people fall
This scam exploits three classic triggers of the social engineering: familiarity (the message comes from a real contact), urgencia (vote “now”) and emotion (help a child). With that combination, critical reasoning is relaxed and emotions are overlooked. warning signs such as suspicious URLs or requests for private codes.
Even tech-savvy users can fall victim if trust prevails. Cybercriminals design the flow so that the user "collaborates" by providing the key information: the Verification code that WhatsApp sends via SMS and should never be shared.
How to protect your WhatsApp
Strengthening your account and adopting verification habits drastically reduces your risk. Here are concrete steps that, when combined, can boost your protection level:
- Activate the two step verification on WhatsApp and set a strong PIN, different from the one on your mobile.
- don't share verification codes under no circumstances, not even with family or friends.
- Confirm unusual requests by a call directly before clicking or giving data.
- Explain these scams to vulnerable people (e.g., seniors) with a simple language.
- Report strange messages within the app using the option "Report".
If your account has already been removed
If you suspect that your profile has been taken, act without wasting time to regain access and limit damage:
- Request a new code verification to log back in to your device.
- contact him WhatsApp support for assistance and check recent activity.
- If there were transfers, notify your booth immediately and check movements.
- Inform your Contact of what happened to stop the domino effect.
This fraud evolves rapidly, relying on trust between contacts and emotional requests that seek to rush decisions; taking extreme measures caution, activating barriers such as two-step verification and verifying any request outside of the chat are today the most effective defenses against the scam of “Vote for my son”.
