WhatsApp Screen-Sharing Scam Drains $700K in Minutes

WhatsApp scammers are using screen sharing and malware to rapidly steal accounts and money worldwide.

Nov 18, 2025

A stranger pings you on WhatsApp with a video call. You pick up for a second. That is all the time a scammer needs. 

Researchers and law enforcement are tracking a rapidly expanding social engineering campaign that abuses WhatsApp’s screen‑sharing feature to seize one‑time passwords, compromise accounts, and drain funds. 

First added to WhatsApp in 2023, the feature is now being turned into a con. Fraudsters initiate unsolicited video calls, impersonate trusted authorities, then steer victims into sharing their screens or installing remote‑access tools under the guise of support. 

Confirmed cases span the U.K., India, Hong Kong, and Brazil, including a Hong Kong victim who lost roughly US $700,000, a stark sign of both scale and speed.

The core tradecraft is mostly malware‑agnostic: it relies on trust abuse and urgency, so purely technical controls fall short.

Criminal groups are using the same messaging surface to distribute malware via WhatsApp Web, as seen in a Brazilian campaign that delivers self‑propagating payloads that automate contact abuse and target online banking. 

How the WhatsApp Scam Works

The attack often begins with an unsolicited WhatsApp video call from an unfamiliar number. 

The caller pretends to be a bank representative, a Meta or WhatsApp support agent, or a distressed acquaintance. 

To look legitimate, attackers spoof local numbers and keep video off or blurred. 

Then they manufacture urgency, citing unauthorized charges, suspicious account activity, pending verification, or imminent suspension, and push the victim to act now.

Victims are told to share their phone’s screen so the impersonated agent can resolve the issue, or to install legitimate remote‑access tools such as AnyDesk or TeamViewer. 

ESET security researchers called this remote‑access fraud powered by three levers: impersonated trust, time pressure, and device visibility or control via sharing or remote software. 

Once screen sharing starts, incoming messages, verification codes, and app interactions are visible in plain sight, enabling immediate account takeover and financial manipulation.

There is a second push during the call. 

Some victims are coaxed into opening banking applications or guided to install extra assistive software that functions as malware. 

Reports include cases where keyloggers capture credentials for later use, extending risk long after the call ends.

Brazil Malware Attacks

The core scam runs on social engineering, yet several campaigns show how the WhatsApp ecosystem also spreads malware at scale. 

In the Brazil attacks, researchers observed a self‑propagating chain delivered via WhatsApp Web. 

Victims receive a ZIP archive that, once extracted, launches an obfuscated VBS downloader, SORVEPOTEL, which executes a PowerShell script in memory. 

The script pulls down ChromeDriver and Selenium to hijack the active WhatsApp Web session, fetches message templates from command and control, exfiltrates contact lists, and spams all contacts with the same malicious ZIP. 

While it runs, it may even display a deceptive "WhatsApp Automation v6.0" banner to further trick users.

The associated payload, dubbed Maverick, adds defensive evasion and targeting. The ZIP includes a Windows LNK that invokes cmd.exe or PowerShell to reach an external server, zapgrande.com, to fetch first‑stage code. 

The loader checks for reverse‑engineering tools and quits if it finds them. It also validates the host locale by inspecting time zone, language, and date formats, and only installs the banker when the host appears Brazilian. 

Once active, Maverick watches browser tabs for URLs tied to a hard‑coded list of Latin American financial institutions, aligning with credential theft and session manipulation against regional banks.

Trend Micro previously documented a related WhatsApp Web propagation method that abuses active sessions to auto‑distribute the ZIP to all contacts, sometimes getting accounts banned for mass messaging. 

The payload in that campaign acted as an infostealer focused on Brazilian financial services and crypto exchanges, reinforcing how messaging‑based lures dovetail with financial fraud goals.
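For defenders, the chain described above can be turned into process-creation triage. The following is an added example, not code from the article or the researchers it cites: the event field names, the rule names, and the parent/child relationships are assumptions about how the described stages would appear in endpoint telemetry, and the sample events are constructed.

```python
import re

C2_DOMAINS = {"zapgrande.com"}                 # first-stage server named in the article
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host runs .vbs files
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SHELLS = POWERSHELL | {"cmd.exe"}
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def base(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def names_known_domain(cmdline):
    """True if the command line mentions a listed domain or a subdomain of it."""
    hosts = {h.lower() for h in HOST_RE.findall(cmdline)}
    return any(h == d or h.endswith("." + d) for h in hosts for d in C2_DOMAINS)

def classify(event):
    """Return the (hypothetical) rule names hit by one process-creation event."""
    parent, image = base(event["parent"]), base(event["image"])
    hits = []
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        hits.append("script_host_spawns_powershell")   # VBS downloader stage
    if parent in SHELLS and image == "chromedriver.exe":
        hits.append("shell_spawns_chromedriver")       # browser automation stage
    if image in SHELLS and names_known_domain(event["cmdline"]):
        hits.append("shell_names_known_domain")        # LNK first-stage fetch
    return hits

def triage(events):
    """Map each host to the sorted set of rules its events triggered."""
    per_host = {}
    for ev in events:
        for rule in classify(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}

# Constructed sample events (not real telemetry); field names are assumptions.
W, S = "C:\\Windows\\", "C:\\Windows\\System32\\"
SAMPLE = [dict(zip(("host", "parent", "image", "cmdline"), row)) for row in [
    ("PC-01", W + "explorer.exe", S + "cmd.exe", "cmd.exe /c <constructed> zapgrande.com/PLACEHOLDER"),
    ("PC-01", S + "wscript.exe", S + "WindowsPowerShell\\v1.0\\powershell.exe", "powershell.exe <constructed>"),
    ("PC-01", S + "WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Users\\u\\AppData\\Local\\Temp\\chromedriver.exe", "chromedriver.exe --port=9515"),
    ("PC-02", "C:\\Python312\\python.exe", "C:\\tools\\chromedriver.exe", "chromedriver.exe --port=9515"),
    ("PC-03", W + "explorer.exe", S + "WindowsPowerShell\\v1.0\\powershell.exe", "powershell.exe Get-ChildItem"),
]]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE).items():
        print(host, "CHAIN" if len(rules) >= 2 else "single", rules)
```

Any single rule also fires on legitimate activity, such as login scripts or test automation, so the output is most useful when two or more rules hit the same host in a short window.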

Who’s Behind These WhatsApp Scams?

The screen‑sharing fraud wave looks like widespread criminal activity that leans on social engineering, not a single advanced persistent threat. 

ESET researchers stressed that the model is human‑centric: it depends on trust, urgency, and control, not sophisticated exploits. The spread across regions and personas points to a broad scam network rather than a single operator.

The malware propagated via WhatsApp Web in Brazil shows stronger hints of organized activity. 

Maverick was first attributed to a threat actor tracked as Water Saci, with threat hunters noting overlaps with the Coyote banking malware and placing both in the Brazilian cybercriminal ecosystem. 

These assessments suggest shared infection methods and evolving tooling, with moderate confidence in the linkages rather than a firm attribution.

The Growing Threat of WhatsApp Fraud

The impact hits both individuals and financial institutions. For end users, a single call can end with instant loss of account control and substantial theft if OTPs and verification codes are visible on screen. 

Regions with heavy WhatsApp adoption face elevated risk because of sheer reach. 

Platform countermeasures are changing too. WhatsApp now shows a real‑time warning when users try to share screens with unknown callers, advising them to proceed only with trusted contacts. 

Meta is also testing AI‑based scam detection on Messenger to flag suspicious outreach and suggest blocking or reporting. 

Simple Steps to Avoid WhatsApp Scams

Mitigation is mostly behavioral. Never share your screen with unsolicited callers. Verify urgent claims through official channels. 

Decline requests to install remote‑access tools, do not disclose passwords or verification codes on calls, and stay skeptical of links that promise new features or quick fixes. 

Enabling WhatsApp’s two‑step verification adds a required passcode that can hinder account takeover even when verification codes are visible during a call.

The new WhatsApp warning that appears before screen sharing with unknown contacts is meant to interrupt the urgency loop, and pausing at this step helps reduce risk. 

Where available, leverage platform tools such as passkeys and privacy checkups that add resilience against account abuse. 

Reporting suspicious accounts and content helps broader enforcement against scam infrastructure as well.

If you suspect compromise, take quick action. 

Log out of active sessions, reset the account, notify contacts, and scan devices for malicious software, especially if any support apps were installed during the interaction.  

The WhatsApp screen‑sharing fraud shows how adversaries can turn legitimate features into high‑yield attack vectors with minimal technical overhead. 

By manipulating authority, urgency, and access, criminals achieve outcomes (account takeovers, financial theft, and onward social engineering) that rival more complex malware campaigns.

In addition, the Brazilian WhatsApp Web malware attack shows how the same surface can be weaponized for automated propagation and targeted financial crime.

These attacks underscore why core security fundamentals are essential for defending against social engineering attacks.
