WhatsApp Scams: The Brand Protection Gap in Messaging


    Your brand is being impersonated in WhatsApp conversations you will never see. For two billion users, that channel is where trust lives.

    In February 2026, the Singapore Police Force issued an advisory about a scam campaign targeting corporate finance departments through WhatsApp. Attackers created accounts using the names and photos of company CEOs, contacted employees directly, and instructed them to join Zoom calls where additional participants impersonated senior executives and regulators using deepfake video. Since January 2025, at least 10 reported cases produced total losses of $13.5 million.

    The attacks did not exploit a vulnerability in the platform. They exploited something simpler: the message appeared on the same channel where the company’s real leadership actually communicates. A fraudulent request delivered in that context does not feel out of place. It feels routine.

    For the brands being impersonated in these conversations, there was no alert, no domain to monitor, and no page to take down. The brand impersonation happened inside encrypted conversations between the attacker and the victim, invisible to every detection system the targeted organizations had in place.

    Why WhatsApp became a brand impersonation channel

    WhatsApp has more than two billion active users and serves as a primary communication channel for businesses and consumers across most of the world outside the United States. In many markets, customer service, payment confirmations, appointment scheduling, and account notifications run through WhatsApp by default. When a bank sends a legitimate message through WhatsApp, it trains its customers to trust messages from that channel. When an attacker impersonates that bank on the same channel, the message arrives in the same context as the real one.

    Check Point researchers found that more than a dozen malicious domains impersonating WhatsApp itself are registered every day, using slight misspellings and variations to create phishing pages that harvest account credentials. Once an attacker controls a WhatsApp account, they inherit the trust that account has built: its contact list, its conversation history, and its position in group chats where business decisions are discussed.

    The broader scale is significant. The FTC reported $470 million in text-based scam losses in 2024, and 19.2 billion spam messages were sent in December 2025 alone across messaging platforms. WhatsApp’s end-to-end encryption, the feature that makes it attractive for legitimate communication, also means that neither the platform nor the brand being impersonated can see the content of a fraudulent conversation while it is happening.

    How attackers use WhatsApp to impersonate brands

    The Singapore campaign illustrates the most sophisticated end of the spectrum, but the mechanics scale down to much simpler operations that run continuously.

    Bank impersonation is the most common pattern. Attackers send messages claiming to be from the victim’s financial institution, warning of suspicious activity or requesting verification. The messages mimic the tone and format of legitimate bank communications on the platform. Because many banks genuinely use WhatsApp for customer communication, the impersonation does not require the victim to accept an unfamiliar premise. They are simply receiving what appears to be a routine message on a channel where they expect to hear from their bank.

    Executive impersonation follows a similar logic. The Singapore cases involved attackers creating WhatsApp profiles using publicly available CEO photos and names, then contacting finance department staff with urgent payment instructions. The vishing element, deepfake video on Zoom calls initiated through WhatsApp, added a layer of confirmation that made the requests appear verified.

    Customer support impersonation targets consumers who post complaints on social media. Attackers monitor public posts about banking or service issues, then contact the complainant via WhatsApp posing as the brand’s support team. The victim, who was already seeking help and had publicly identified themselves as a customer, is primed to engage. The conversation moves from a public platform where the brand might see it to an encrypted channel where the brand cannot.

    Why encrypted messaging is brand protection's blind spot

    The brand protection tools and processes that organizations have built over the past decade were designed for channels where impersonation is visible. Fraudulent websites can be detected through domain monitoring and content scanning. Social media impersonation can be identified through platform APIs and reported through enforcement channels. Even dark web exposure can be monitored through specialized crawlers.

    Encrypted messaging operates outside all of these. The content of a WhatsApp conversation between an attacker and a victim is not visible to the brand, the platform, or any third-party monitoring service. The impersonation happens in a space where the tools that detect it on every other channel cannot operate. The brand learns about it only when the victim reports the fraud, if they report it at all.

    The gap matters because WhatsApp is the primary digital communication channel for billions of people. For many of those users, a WhatsApp message from their bank feels more personal and more trustworthy than an email, precisely because the channel is associated with direct, person-to-person communication. The trust that makes WhatsApp effective for legitimate business communication is the same trust that makes it effective for impersonation.

    The Bottom Line

    WhatsApp scams are not a consumer awareness problem. They are a brand impersonation problem happening inside a channel that brand protection tools were not built to monitor. The $13.5 million Singapore CEO impersonation campaign, the continuous flow of bank impersonation messages, and the customer support scams that move victims from public platforms to encrypted conversations all exploit the same gap: the brand being impersonated has no visibility into the channel where the impersonation is happening. For organizations whose customers and employees communicate through WhatsApp, that blind spot is structural, and it is growing.

    Key Takeaways

    How are brands being impersonated on WhatsApp?

    Attackers create WhatsApp accounts using CEO names and photos, impersonate bank customer service, and pose as support teams contacting consumers who posted complaints on social media. The Singapore Police Force documented $13.5 million in losses from WhatsApp CEO impersonation scams since January 2025.

    Why is WhatsApp attractive to attackers?

    WhatsApp has over two billion users and serves as a primary business communication channel in many markets. When banks and companies use WhatsApp for legitimate messages, they train customers to trust the channel, making impersonation messages indistinguishable from real ones.

    Can brand protection tools detect WhatsApp impersonation?

    Not directly. WhatsApp’s end-to-end encryption means the content of conversations is not visible to the brand, the platform, or third-party monitoring services. Existing brand protection tools were designed for visible channels like websites, social media, and email.

    How does WhatsApp impersonation differ from email phishing?

    WhatsApp messages arrive on the same platform where real business communication happens, creating an implicit trust that email lacks. The channel is encrypted, so impersonation is invisible to detection systems. And there is no URL, domain, or page for brand protection teams to monitor, scan, or take down.

    What can organizations do about WhatsApp-based brand impersonation?

    Organizations can monitor for the signals that precede WhatsApp impersonation: domain registrations mimicking WhatsApp itself, social media complaints that attract impersonators, and employee reports of suspicious messages. But the core challenge remains that impersonation inside encrypted messaging is a blind spot that current brand protection infrastructure was not designed to address.
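The first of those signals, registrations that mimic WhatsApp through slight misspellings and variations, can be triaged automatically from a newly-registered-domain feed. The sketch below is an added example, not Allure Security's or Check Point's tooling; the feed contents, the allowlist, and the distance threshold of 2 are assumptions to tune.

```python
# Constructed feed of newly registered domains (sample data, not real indicators).
SAMPLE_FEED = [
    "whatsapp.com", "web.whatsapp.com", "whatsap.example",
    "whatsapp-verify.example", "wh4tsapp-login.example", "weather-news.example",
]

BRAND = "whatsapp"
# Assumption: domains treated as legitimate; replace with your own allowlist.
ALLOWLIST = ("whatsapp.com", "whatsapp.net", "wa.me")
# Digits commonly swapped in for letters, folded back before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return why a domain resembles the brand, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOWLIST or domain.endswith(tuple("." + d for d in ALLOWLIST)):
        return None
    for label in domain.split(".")[:-1]:  # skip the TLD
        folded = label.translate(HOMOGLYPHS)
        if BRAND in folded.replace("-", ""):
            # Brand only appears after folding digits: character substitution.
            return "embedded" if BRAND in label.replace("-", "") else "homoglyph"
        for token in folded.split("-"):
            # Length gate avoids comparing short, unrelated tokens.
            if abs(len(token) - len(BRAND)) <= 2 and edit_distance(token, BRAND) <= 2:
                return "typo"
    return None


def triage(feed):
    """Map each suspicious domain in the feed to the reason it was flagged."""
    return {d: r for d in feed if (r := classify(d))}


if __name__ == "__main__":
    for domain, reason in triage(SAMPLE_FEED).items():
        print(f"{reason:10} {domain}")
```

Flagged domains are candidates for review, not verdicts: a hit still needs content inspection before any takedown request.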
