By Olúmáyòwá Akinkuehinmi
Small and Medium enterprises SMEs use WhatsApp as an indispensable business tool especially in West Africa. The app has over 191 million users across the continent that leverages the platform as a communication arm to fill infrastructure gaps and connect businesses to their clientele. Whether dealing with suppliers, customer inquiries or even taking digital payment; for many businesses WhatsApp is the backbone to day-to-day operations. Meanwhile the app has grown ever more popular, and with it the risk of WhatsApp hijacking — cybercriminals taking over accounts to defraud users.
It is neither just a cybersecurity issue nor a threat to West African businesses’ economies.
The Growing Threat of WhatsApp Hijacking
We tend to see WhatsApp hijacking when attackers manage to get into an account without the user’s permission by duping them into handing over their verification codes, or more complexly, via SIM swaps. After gaining control of the account, hackers use the victim’s profile to pretend to be them and defraud their contacts or steal sensitive business information. According to early 2024 reports, 187 cases of WhatsApp hijacking were reported in Ghana, the same as the number of incidents recorded the whole year 2023. With these attacks coming more often, the harms to business, especially SMEs, are steadily rising, and if they continue, will only grow exponentially.
Disruption to Business Operations
WhatsApp isn’t just a messaging app for many West African businesses. It’s a crucial tool for running the business. It is used by SMEs to manage orders and communicate with clients and even do payments using integrations with mobile money services. An immediate disruption to a business’s operation can occur when the WhatsApp account of that business is hijacked. Hackers can take over conversations with customers, orders may be delayed or lost entirely. Some businesses have discovered that cyber attackers have even posed as the companies, asking customers or suppliers to pay to regain access to their data or retrieve their stolen equipment.
In retail and logistics, for instance, real time communication is the most important parameter and sending these messages depends heavily on WhatsApp. Operations with hijacked accounts can bring these operations to a standstill, delays that trickle through and cost them revenue. Even a small disruption can have a long-lasting effect for smaller businesses operating on thin margins.
Erosion of Customer
The biggest harm of WhatsApp hijacking is the damage it does to customer trust. Impersonating a business when hackers take over an account and send fraudulent messages to customers, or demanding payments under false pretences. Even though the business that was scammed wasn’t directly at blame, customers could lose trust in the business. Since word of mouth is so important in the economy it can be destructive to lose trust from customers.
In addition, businesses dependent on WhatsApp for their customer service are particularly exposed to these risks. If customers can’t get in touch with a business because its account has been hijacked, they’ll often go elsewhere to competitor sites or leave bad reviews online. The rebuilding of trust after such an incident is a difficult and resource intensive process unlikely to be feasible for many SMEs.
Financial Losses
Hijacking WhatsApp can be a financially costly affair. Not only are businesses losing money directly from fraudulent transactions pulled off by hackers, but they are also facing a bill in the form of money spent to return their accounts and step up security. For example, some businesses unfortunately had to replace dropped SIMS with new SIM cards or changed telecom providers after being victims of SIM swap fraud, the name given to this typical tactic of hacking a target’s WhatsApp account.
There are further indirect financial loss of downtime and a damaging reputation. Any business that is put out of commission due to complete lack of communication will likely experience a fall of sales throughout the disruption. Recovering from a reputation may also be extremely costly with marketing campaigns or discounts to win back customers. Some businesses have noted that losing these kinds of clients have happened because of a data security concern made following an account takeover. Such losses are particularly damaging for SMEs that rely on repeat business from loyal customers.
Impact on Digital Payments and Financial Inclusion
Digital payments in West Africa are facilitated by WhatsApp. SME’s use the platform alongside mobile money services such as M-Pesa or MTN Mobile Money to process transactions quickly and easily. This hijacking disrupts the communication, but it also threatens the existence of these payment systems. Hackers who break into a business’s WhatsApp account might try to divert other payments or filch cash from a linked mobile money account.
That is of great concern to financial inclusion efforts in West Africa, where digital payment platforms are enabling the millions of unbanked people to access financial services for the first time.
If consumers lose confidence in these systems due to (security) concerns, then it could slow down the adoption of digital payments and impede other efforts at broader economic development.
The Need for Stronger Security Measures
Floating earlier at the docket was a case involving WhatsApp: attackers posing as a site’s owner would trick users into visiting a site controlled by the hacker and ‘hack’ the victim’s WhatsApp account, extracting device information, enabling the hacker to ‘spy’ on the victim, and making it possible to send messages from the compromised account as if originating from the site’s owner. Enabling two step verification (2SV) on WhatsApp accounts is one of the best ways to do this. This additional layer of security means when you set up WhatsApp on new device users are prompted to enter a six-digit PIN as well as your verification code. Businesses can significantly reduce the risk of unauthorized access through the provision of two step verification.
In addition to two-step verification, businesses should also teach their employees what kind of social engineering tactics hackers use to trick users — like phishing messages pretending to be from the company but asking the user to message their verification code. Cybersecurity best practices training is regular, so employees can learn to recognize anything suspicious before it causes harm. Preventing SIM swap fraud — a popular hacker tactic for duping access to WhatsApp accounts — falls in telecom providers’ roles too.
With just a few systems in place in this way telecom companies can minimize SIM swap and account takeover risks by enforcing tougher identity verification processes when distributing new SIM cards or transferring numbers to new devices.
Safeguarding Business Continuity
West Africa’s speedy digital transformation will continue and platforms like WhatsApp will continue to be instrumental means of communication and business. While, for now at least, relying on these platforms makes sense, the more reliance grows, especially for businesses to protect consumers from account hijacking, the more necessary it becomes to have robust security measures. Economic impact of WhatsApp hijacking can be devastating for SMEs, many of which don’t have an IT department to spare.
The consequences are extremely wide ranging, from operational disruptions, financial losses, damage to reputation and the erosion of customer trust. Risks of injection are best minimised by implementing stronger security measures, such as two-step verification, and educating employees about cybersecurity risks so business can remain strong in this increasingly digital economy.
Furthermore, there will be critical need for collaboration between telecom providers and regulators to address systemic vulnerabilities such as SIM swap fraud, as such is to WhatsApp hijacking incidents across West Africa. However, business continuity in this new digital landscaping is only achievable by all actors involved (whether a business owner, a larger telecom operator or government agencies) working harmoniously to improve the security of West Africa’s digital economy.
and then