
Doppel Intelligence Brief: The Growing Threat of Social Engineering on WhatsApp

WhatsApp is increasingly used in cyber campaigns targeting enterprises and SMBs. Learn how attackers exploit trust, and how Doppel delivers digital risk protection.

Doppel Team

October 6, 2025

WhatsApp has become one of the most widely used communication platforms in the world, with more than 2 billion users exchanging messages daily. But that same ubiquity makes it a prime target for threat actors. Over the past year, Doppel has observed an alarming rise in WhatsApp cyber threats that affect not only large enterprises but also small and medium-sized businesses.

In the past quarter alone, Doppel observed a 210% increase in WhatsApp-based threats discovered.

This trend is not isolated. In September, WhatsApp itself issued a security advisory tied to CVE-2025-43300. The flaw — an incomplete authorization issue in iOS device synchronization — could have allowed an unrelated user to trigger content processing from an arbitrary URL on a target’s device. While quickly patched, it highlighted a critical truth: adversaries are targeting WhatsApp at both the platform and user level.

The WhatsApp trend highlights attackers' shift from single-channel business email compromise (BEC) campaigns to multi-channel attacks on personal messaging apps and beyond, signaling to security leaders that their attack surfaces have stretched past what legacy vendors cover.

Just last year, Microsoft researchers uncovered a campaign by Star Blizzard, a group linked to Russia’s FSB, attempting to compromise the WhatsApp accounts of dozens of civil society organizations through spear phishing. The group’s goal was to exfiltrate sensitive data under the guise of legitimate communications. Together, these incidents underscore how quickly WhatsApp has become part of the global threat surface.

How Social Engineering Attacks Are Evolving on WhatsApp

Through Doppel’s monitoring across customer environments, we have detected thousands of WhatsApp-related alerts over the past year. The tactics, techniques, and procedures (TTPs) used by adversaries vary, but the trendline is clear: Attackers are leaning on WhatsApp to establish initial access, build trust, and then pivot into broader campaigns.

Some of the most common social engineering attacks include:

  • Executive Impersonation: Threat actors pose as senior leaders, often using WhatsApp’s profile features to mimic a legitimate executive. Targets are pressured to share sensitive information, approve fraudulent payments, or click malicious links.
  • Fake Recruitment Campaigns: Doppel has observed adversaries setting up WhatsApp accounts that impersonate HR teams or recruiters. Victims are lured with job opportunities and asked to share personal details, resumes, or other personally identifiable information (PII). In some cases, that PII is later used to impersonate the victim when engaging with legitimate recruiters at target organizations.
  • Customer Support Masquerading: Attackers create accounts that look like official customer service lines for banks, fintech apps, or e-commerce platforms. Victims are tricked into handing over credentials or payment card details under the false impression of receiving support.
  • Sale of Verified Accounts: Doppel has also tracked WhatsApp channels advertising “verified” access to financial platforms. These accounts may be compromised via stolen credentials purchased on the dark web, then resold to buyers seeking instant credibility and reach.

The thread running through each of these methods is simple: trust. WhatsApp’s design — direct, personal, and mobile-first — creates an environment where impersonation is highly effective. Once attackers gain an initial foothold, they often shift the multi-channel interaction to other platforms such as Telegram, newly registered domains, or even corporate email.

From WhatsApp Cyber Threats to Multi-Channel Campaigns

What begins as a single WhatsApp message rarely ends there. Doppel’s threat monitoring has identified multiple cases where adversaries use WhatsApp only as a springboard. A fake recruitment account, for example, may direct victims to a spoofed corporate website. A fraudulent executive profile may send a malicious document via email after establishing trust on WhatsApp.

This pivoting behavior makes WhatsApp cyber threats particularly dangerous. It allows attackers to blend social engineering with multi-platform infrastructure, extending the campaign’s lifespan and complicating detection. Worse, the initial interaction and the channel itself get past legacy tools that don’t protect against attacks on messaging apps.

Why This Matters for CISOs

For CISOs, WhatsApp’s growing role in threat actor operations raises three pressing challenges:

  1. Visibility: Most enterprise defenses are designed to monitor corporate email, networks, and SaaS applications—not personal messaging apps like WhatsApp. That gap leaves attackers free to operate in the shadows.
  2. Brand Risk: When adversaries impersonate executives, recruiters, or customer service teams, they leverage your brand equity. Victims often blame the organization whose identity was stolen, eroding trust even if the company was not technically breached.
  3. Escalation Potential: Because WhatsApp attacks often serve as the first step in broader campaigns, a missed alert can quickly escalate into credential theft, account takeover, or even supply chain compromise.

The result is an urgent need for digital risk protection strategies that extend beyond traditional perimeters and into the platforms where adversaries are most active.

Doppel’s Approach to Digital Risk Protection

At Doppel, we specialize in uncovering the full infrastructure behind digital threats. Our multi-channel platform continuously monitors for signs of impersonation and malicious campaigns across social apps, messaging platforms, and the open and dark web.

What sets Doppel apart is our ability to pivot from one indicator of compromise (IOC) to the full attacker ecosystem. If we detect a suspicious WhatsApp account, we can trace it to related domains, Telegram channels, or other social media profiles. From there, we assist with takedown efforts to dismantle not just the visible account but the larger campaign infrastructure supporting it.

This infrastructure-level visibility is critical when dealing with fast-moving WhatsApp cyber threats. By mapping how attackers operate across multiple channels, Doppel helps organizations stay ahead of social engineering attacks before they escalate.

The Bottom Line

Threat actors are exploiting WhatsApp because it works. The combination of global reach, personal communication, and limited enterprise oversight makes it fertile ground for impersonation and fraud. What looks like a casual chat can be the opening move in a sophisticated campaign targeting your organization, your employees, and your customers.

Proactive monitoring is no longer optional. CISOs must assume that adversaries are already experimenting with WhatsApp and similar platforms to compromise trust. Doppel’s intelligence and takedown capabilities offer a way to neutralize these campaigns before they cause brand damage or financial loss.

The threat is growing, but it is not unstoppable. With the right visibility and digital risk protection, enterprises can safeguard their brands and reduce risk even as adversaries adapt.

Shut down WhatsApp impersonation at scale — book a demo with Doppel.
