How to protect yourself from "voting" phishing scams, and avoid losing your WhatsApp account | Kaspersky official blog

Medium
Phishing
Published: Thu Oct 02 2025 (10/02/2025, 12:01:25 UTC)
Source: Kaspersky Security Blog

Description

We examine a new wave of phishing attacks targeting WhatsApp users, and explain how to avoid getting hacked.

AI-Powered Analysis

Last updated: 10/15/2025, 01:40:09 UTC

Technical Analysis

This phishing campaign targets WhatsApp users by combining social engineering with the WhatsApp Web login mechanism. Attackers create convincing fake voting websites, often themed around contests or polls, that are available in multiple languages including English, German, Spanish, Turkish, Danish, and Bulgarian. Victims receive personalized messages, often sent from already-compromised contacts, urging them to vote by visiting these sites. Upon clicking 'Vote,' users are prompted to enter the phone number linked to their WhatsApp account and then a one-time verification code generated by WhatsApp. The phishing site displays this code with instructions to enter it into the WhatsApp app to 'authorize' the vote. When victims comply, attackers gain full access to the WhatsApp account, enabling them to read, send, and delete messages and to impersonate the user. This access can be used to defraud the victim's contacts or to propagate the campaign further from a trusted account.

The attack bypasses WhatsApp's two-factor authentication because the one-time code is treated as a second factor by the system. The campaign uses AI and phishing kits to produce multilingual phishing pages, increasing its reach. Victims are advised to disconnect unknown linked devices immediately and follow detailed recovery guides. Preventive measures include avoiding suspicious polls, not clicking unknown links, enabling two-factor authentication, using passkeys, and employing advanced anti-phishing protections such as Kaspersky's multi-layered technology. The campaign highlights the risk of social engineering that abuses legitimate messenger features, and the importance of both user awareness and technical safeguards.

Potential Impact

For European organizations, this phishing threat can lead to significant security and privacy breaches. Employees’ WhatsApp accounts can be hijacked, allowing attackers to access sensitive communications, impersonate users, and spread phishing links internally and externally. This can facilitate further social engineering attacks, fraud, and potential data leakage. Organizations relying on WhatsApp for business communications risk operational disruption and reputational damage if attackers misuse compromised accounts. The multilingual nature of the phishing pages increases the likelihood of successful attacks across diverse European countries. Additionally, the attack can undermine trust in communication platforms and complicate incident response efforts. While the attack requires user interaction, the widespread use of WhatsApp in Europe, including for informal and some business communications, amplifies the threat. The campaign may also indirectly affect organizations by targeting employees’ personal devices that connect to corporate networks, increasing the risk of lateral movement or credential theft.

Mitigation Recommendations

European organizations should run targeted awareness campaigns educating employees about this specific phishing tactic, emphasizing skepticism toward unsolicited voting requests and the danger of entering verification codes on third-party sites or into the app at a website's instruction. Technical controls should include deploying advanced anti-phishing solutions capable of detecting and blocking malicious URLs in emails, social media, and messaging apps. Organizations should encourage employees to enable WhatsApp's two-factor authentication and to use passkeys where supported, and should regularly audit and monitor the linked devices on WhatsApp accounts so that unauthorized sessions are detected and disconnected promptly. Clear policies should restrict the use of personal messaging apps for sensitive communications and promote secure alternatives with enterprise-grade protections. IT teams can leverage mobile device management (MDM) solutions to enforce security configurations and monitor for suspicious app behavior. Phishing simulation exercises that mimic this attack vector can further improve user resilience. Finally, endpoint protection solutions should include multi-layered phishing detection, and users should be trained to verify URLs carefully and avoid entering personal data on untrusted sites.


Technical Details

Article Source: https://www.kaspersky.com/blog/whatsapp-phishing-vote/54515/ (fetched 2025-10-07T01:33:06Z, 1650 words)

Threat ID: 68e46dd46a45552f36e9574a

Added to database: 10/7/2025, 1:33:08 AM

Last enriched: 10/15/2025, 1:40:09 AM

Last updated: 11/20/2025, 4:52:16 PM
