WhatsApp usernames are already raising impersonation red flags
Meta says usernames improve privacy, but critics question whether its safeguards can prevent impersonation.
WhatsApp this week started rolling out username reservations ahead of the broader launch planned later this year. The feature - which lets people find and message each other by handle instead of phone number - is already raising impersonation concerns, drawing scrutiny from security experts and regulators in India, the app's largest market, with more than 500 million users.
The rollout marks a shift in how people identify one another on WhatsApp. Instead of relying on phone numbers as the primary identifier, users will increasingly interact through platform-managed usernames, a change that Meta says improves privacy but that critics argue could create new opportunities for impersonation.
In early testing, TechCrunch found usernames resembling prominent politicians, celebrities, business figures, and public institutions - including indiamodi, shahrukh.actor, teamamitabh, ambanijio, and rbi_verify - were still available to reserve. These reference Indian Prime Minister Narendra Modi, Bollywood actors Shah Rukh Khan and Amitabh Bachchan, billionaire Mukesh Ambani's telecom company Jio, and the Reserve Bank of India, respectively.
Separately, Binance founder Changpeng Zhao said on X that he couldn't reserve cz_binance, the handle he already uses on that platform.
Asked about how it protects against impersonation, Meta told TechCrunch it reserves usernames for public figures, government entities, and "some variations" of those names so only the legitimate owner can claim them. The company did not explain, however, how it decides which lookalike usernames get proactively reserved and which don't.
Regulatory Concerns in India
The concerns have already reached regulators in India, where cyber fraud schemes frequently exploit messaging platforms to impersonate police, banks, and government officials.
In a notice sent to WhatsApp on Wednesday and reviewed by TechCrunch, the Ministry of Electronics and Information Technology (MeitY) said the feature could "materially increase the incidence of online fraud, phishing, digital arrest scams and impersonation attacks" by enabling bad actors to contact users without exposing their phone numbers.
The ministry also warned that usernames could facilitate impersonation of "individuals, public authorities, financial institutions, and government agencies" by allowing usernames closely resembling those of genuine people or organizations. It directed WhatsApp to explain why regulatory action should not be initiated under India's IT laws and asked the company not to roll out the feature until consultations were completed.
A senior government official separately told TechCrunch that the Indian IT ministry is cognizant of the issue and is engaging with WhatsApp over the feature.
That intervention has drawn its own pushback from New Delhi-based digital rights group Internet Freedom Foundation (IFF), which said the notice lacked a clear legal basis and risked giving the executive broad powers to dictate product design. (It's a dilemma that operators building in regulated markets know well: Rules made case-by-case, by letter, are harder to plan around than rules made in the open.)
"Impersonation and fraud are real risks, but they are met by enforcing the criminal law against those who commit them," the group said in a statement. "They are not met by MeitY deciding, in private and by letter, what features Indians may use."
The debate echoes a similar observation the Delhi High Court made in a case involving Telegram, where the court said that using usernames instead of phone numbers could make it easier to conceal user identity and spread illicit content faster. That case wasn't about WhatsApp, but the parallel has been resurfacing in public discussion as WhatsApp prepares its own launch.
Privacy, Trust, and Platform Power
Rachel Tobac, chief executive of SocialProof Security, called usernames a net privacy gain because they reduce the need to share phone numbers, which can expose users to SIM-swap attacks, phishing, and account takeovers. Still, she said, lookalike usernames create opportunities for impersonation.
"Ultimately, usernames are a great idea to avoid leaking your phone number to folks you don't know, but it's important to verify identity with the username function too," Tobac told TechCrunch.
Her advice for most users: Pick a username that isn't easily guessable, so it's harder for attackers to find you, message you cold, or harass and spam you.
Even WhatsApp acknowledges usernames won't be one-size-fits-all. In an FAQ posted on X on Wednesday, the company said most users should choose a username unique to WhatsApp. However, it also lets users claim their existing Instagram or Facebook usernames by linking their accounts, saying the option is intended to help creators, businesses, and organizations maintain a consistent identity across Meta's platforms while reducing impersonation.
The Mozilla Foundation said the introduction of usernames is likely to bring new tradeoffs. "Increased scams and impersonation from fake handles are potentially a big one," it told TechCrunch. "Checking a phone number can be a useful verification tool, but these harms are also permitted by the platform's fundamental design choices."
Mozilla also flagged a broader interoperability question - one worth logging if you're building on top of, or competing with, Meta's ecosystem. While letting users claim their existing Facebook and Instagram usernames may cut down on impersonation, it also shows how easily Meta can stitch identity together across its own apps, even as users still can't take that identity, or their contacts, to a rival platform.
For now, WhatsApp says it is taking a gradual approach to the rollout. "We're taking our time and listening to feedback so that when it rolls out later this year we get it right," the company said in its FAQ.