News
MARKET SIGNAL:

WhatsApp Usernames Hide Phone Numbers But Scam Risk Remains

Newsroom brief

WhatsApp is rolling out usernames and optional keys to reduce phone-number exposure, but security researchers warn that impersonation and social-engineering scams can move to handles, profile images and trusted-looking accounts.

Verified against source materialEdited by SendTech Times Cybersecurity Desk
WhatsApp Usernames Hide Phone Numbers But Scam Risk Remains
Image source: The National

Usernames Reduce Phone-Number Exposure

WhatsApp is adding usernames so people can communicate without immediately exposing a phone number, but the change does not remove the main fraud risk on a platform used by more than three billion people.

The feature lets users choose a handle in account settings.

The National reported that WhatsApp will show whether the name is available, and that a username can be up to 35 characters.

Meta says the app is also adding an optional username key, which requires both the username and the key before someone can contact a user for the first time.

That design creates an extra gate for new conversations, but it does not authenticate the person behind an accepted handle.

Meta is using the change to reduce number harvesting and make it harder to tie a WhatsApp account to a person's wider online identity.

Some high-profile names appear unavailable or reserved for WhatsApp Business users, a measure intended to limit spoofing of public figures and brands.

The rollout is gradual.

WhatsApp usernames are expected to become available over the next few months, with beta versions already showing the setting to some users.

Security Researchers Expect Scammers To Adapt

Acronis senior security researcher Eliad Kimhy said usernames may reduce some abuse but will not significantly reduce scamming overall.

He said scams follow attention, trust and scale, and WhatsApp has all three.

Kimhy warned that fraud attempts could shift toward convincing handles, profile images and social engineering.

That means attackers may impersonate friends, executives, brands, customer-support teams or public figures even when phone numbers are hidden.

The practical security change is therefore narrower than anonymity.

Hiding numbers can reduce unsolicited contact and identity linking, but it does not prove that an account belongs to the person or company a scammer claims to represent.

Cybersecurity consultant Jake Moore said the move might create a false sense of security if users assume usernames make conversations inherently safer.

He said criminals can still exploit trust once a user accepts a contact or follows a link.

Business Accounts Still Need Verification Proof

The change also affects companies that use WhatsApp for customer service, sales and internal communication.

If users rely more on handles, businesses will need clearer ways to show that an account is legitimate before asking customers to share information or click links.

WhatsApp has business verification and profile tools, but the username feature does not by itself solve spoofing.

The risk is especially high for banks, airlines, delivery services, government agencies and payment providers, where a familiar-looking handle could push a user toward a fraudulent payment or credential request.

The safer operating model remains layered: users should verify unfamiliar contacts outside the chat, avoid sharing one-time codes, and treat urgent payment or login requests as suspicious.

Companies should publish official contact handles, educate support teams and avoid asking for sensitive data inside unverified conversations.

Meta has not disclosed a final global rollout date, detailed enforcement rules for reserved names, scam-detection results from the beta, or evidence that usernames reduce impersonation losses on WhatsApp.

Share this article
inXf

Related articles

More
WeedHack Malware Turns Minecraft Mods Into a 116,000-System Infostealer Campaign
Cybersecurity

WeedHack Malware Turns Minecraft Mods Into a 116,000-System Infostealer Campaign

WeedHack has infected more than 116,000 systems by targeting Minecraft players through malicious mods, clients, cheats and utilities. McAfee telemetry shows 116,464 affected systems, 2,000 to 3,000 infections a day, more than 240 distribution URLs and 3,820 malicious JAR files. The next signal is whether Minecraft mod communities can move users back toward official download sources before infostealer distribution expands further.

ChatGPT Lockdown Mode Narrows AI Data Exfiltration Paths
Cybersecurity

ChatGPT Lockdown Mode Narrows AI Data Exfiltration Paths

OpenAI is rolling out Lockdown Mode for eligible ChatGPT users to reduce data exfiltration risk from prompt injection. The optional setting limits outbound web and tool capabilities, trading some product flexibility for stronger containment around sensitive workflows.

Smart TV Proxy SDKs Turn Free Apps Into a Hidden AI Scraping Supply Chain
Cybersecurity

Smart TV Proxy SDKs Turn Free Apps Into a Hidden AI Scraping Supply Chain

Bright Data's SDK has been reverse-engineered in research showing how free apps can turn consumer devices, including smart TVs, into residential proxy nodes for web-scraping traffic. The issue matters because AI data harvesting is increasing demand for residential IPs, while consent screens and background network behavior may not be clear to users or IT teams.

UAE Sets a Social Media Age Gate. Enforcement Is the Hard Part.
Cybersecurity

UAE Sets a Social Media Age Gate. Enforcement Is the Hard Part.

The UAE Cabinet has barred children under 15 from social media accounts and full platform features. The rule puts age verification, child privacy, parental controls and platform compliance on a 12-month operating clock.

Keep Reading

More Stories

Latest
Memory Prices Push US PC Shipments Down 7%Chips & SemiconductorsJul 2, 2026Memory Prices Push US PC Shipments Down 7%Omdia data cited by Tom Hardware showed US PC shipments fell to 15.8 million units in the first quarter of 2026, as memory and storage chip shortages hit entry-level laptops and pushed the market toward a forecast 14.4% contraction.Cloudflare Sets September Deadline For Mixed-Use AI CrawlersAIJul 2, 2026Cloudflare Sets September Deadline For Mixed-Use AI CrawlersCloudflare plans to block mixed-use crawlers from ad-supported pages by default from September 15, 2026, unless site owners change the setting. The policy pushes AI companies to separate search access from agent and training uses while Cloudflare expands publisher payment tools.Starlink Discounts Memphis Plans Around xAI Data Centre DisputeCloud & Data CentersJul 2, 2026Starlink Discounts Memphis Plans Around xAI Data Centre DisputeSpaceX is offering Starlink discounts near xAI’s Colossus data centres in Memphis and Southaven, while lawsuits and permit disputes keep attention on power, noise and pollution claims around the AI site.AMD Drops HBM For LPDDR5X In Versal Memory Package ShiftChips & SemiconductorsJul 2, 2026AMD Drops HBM For LPDDR5X In Versal Memory Package ShiftAMD is moving its Versal Premium Gen 2 memory-on-package adaptive SoCs from HBM to LPDDR5X after HBM2e supply limits forced the earlier Versal HBM family toward discontinuation.MiCA Deadline Forces EU Crypto Firms To Choose Licences Or ExitCrypto/Web3Jul 2, 2026MiCA Deadline Forces EU Crypto Firms To Choose Licences Or ExitCoinDesk reported that the EU’s MiCA framework is now fully in force, requiring crypto firms serving the 27-nation bloc to hold a licence or stop operating. Industry lawyers and executives said the rulebook improves clarity, but warned that compliance costs could shrink roughly 3,000 registered providers to 300 or 400 licensed firms.UAE Gives Social Platforms 12 Months To Enforce Under-15 RulesCapital & PolicyJul 2, 2026UAE Gives Social Platforms 12 Months To Enforce Under-15 RulesThe UAE says social media platforms must build effective age-verification controls after a Cabinet resolution restricting under-15 access. Technology companies have 12 months before penalties apply, and officials said age-verification data must be deleted immediately rather than stored by platforms.Robinhood Opens Arbitrum Chain As Stock Tokens Go Live In 120 CountriesFintech & Digital PaymentsJul 2, 2026Robinhood Opens Arbitrum Chain As Stock Tokens Go Live In 120 CountriesRobinhood has launched the public mainnet for Robinhood Chain, a Layer 2 blockchain built on Arbitrum, and made Stock Tokens available through Robinhood Wallet in more than 120 countries. The company also introduced Robinhood Earn with an estimated 7% yield on USDG, but jurisdictional availability and control settings remain central limits.Nvidia Names $500 Billion US AI Infrastructure Plan But Leaves Timing OpenCloud & Data CentersJul 2, 2026Nvidia Names $500 Billion US AI Infrastructure Plan But Leaves Timing OpenNvidia says it and partners including TSMC, Foxconn, Wistron, Corning, Lumentum, Coherent and Amkor plan up to $500 billion of US AI infrastructure production. The account comes from Nvidia's own company blog; it names factories, suppliers and job figures, but gives no full production timetable for the programme.Springboards Tests Qwen 3 Model Against Repetitive LLM AnswersAIJul 2, 2026Springboards Tests Qwen 3 Model Against Repetitive LLM AnswersAustralian startup Springboards has built Flint on Alibaba’s Qwen 3 to produce more varied answers to open-ended prompts. MIT Technology Review’s article pairs the company’s claim with a NeurIPS-winning homogeneity paper and user cautions that the prototype still fails under pressure.AWS Announces $1 Billion Forward-Deployed AI Engineering UnitAIJul 2, 2026AWS Announces $1 Billion Forward-Deployed AI Engineering UnitAWS has announced a $1 billion Forward Deployed Engineering organisation that will send small engineering pods into customer environments for about 45 days. TheStreet reported that early users include the Allen Institute, Cox Automotive, the NBA, the NFL, Ricoh and Southwest Airlines.Meta Board Weighs Iran Influence Posts Left OnlinePoliticsJul 2, 2026Meta Board Weighs Iran Influence Posts Left OnlineMeta’s Oversight Board may examine whether Facebook and Instagram should have removed two pro-Iran posts that users flagged as possible co-ordinated inauthentic behaviour tied to state-sponsored influence operations.OCC Public Denials Raise Charter Risk For Fintech ApplicantsFintech & Digital PaymentsJul 2, 2026OCC Public Denials Raise Charter Risk For Fintech ApplicantsThe OCC plans to publish charter denial decisions, giving fintech and digital-banking applicants clearer examples of why filings fail. The guidance also raises the reputational cost of applying before governance, compliance and risk systems are ready.