WhatsApp: How the supermarket voucher scam works

Reuters WhatsApp logo on a phoneReuters

Scammers have used WhatsApp to trick people into handing over personal information by tempting them with bogus supermarket vouchers.

The messenger app was used to send fake vouchers to people, purporting to be from trusted chains such as Asda, Tesco and Aldi.

The messages claimed to offer hundreds of pounds in savings so long as the user followed a link to an online survey asking for personal details.

The scam is a form of phishing, where fraudsters pose as reputable organisations to gain personal details.

Action Fraud, the UK's national reporting centre for fraud and cyber crime, suggests anyone who has fallen victim to this scam to report it online or call 0300 123 2040.

So far, 33 people have come forward to report falling victim to the scam, although it is unclear how many people have received the message.

How does it work?

A screenshot from WhatsApp showing the scam which reads ALDI is giving away £150 Free Voucher to celebrate 27th anniversary
This message was sent to the WhatsApp number used by the public to contact the BBC

The scam works by using a link which appears almost identical to a supermarket chain's legitimate website, but with one small difference.

For example, in the screenshot above, the d in Aldi is actually a ḍ - a Latin character with a small dot underneath the recognisable letter.

In the tweet below, the d in Asda has been replaced with đ - another character known as a crossed D.

Allow Twitter content?

This article contains content provided by Twitter. We ask for your permission before anything is loaded, as they may be using cookies and other technologies. You may want to read  and  before accepting. To view this content choose ‘accept and continue’.

People who clicked the links contained in the WhatsApp messages are sent to a survey.

According to Action Fraud, the survey urges victims to hand over their financial information.

If, however, a person tries to visit the homepages for Aldi misspelled with the dotted character it sends them to an error page from a website which is not the supermarket's.

An error page pops up when the user tries to visit the fake Aldi homepage
Attempting to visit the fake 'Alḍi' homepage sends the user to an error page for this website

Meanwhile, at time of writing, attempting to access the misspelled Asda site brings up a warning in some browsers.

Warning of 'Deceptive site ahead'

Why did I get it?

Upon completing the survey, the victim is urged to send the message to 20 other contacts in order to receive a £250 voucher.

Allow Twitter content?

This article contains content provided by Twitter. We ask for your permission before anything is loaded, as they may be using cookies and other technologies. You may want to read  and  before accepting. To view this content choose ‘accept and continue’.

This helps legitimise the scam, says Action Fraud, as rather than being sent from a random number, the WhatsApp message comes from a trusted contact.

However, it is unclear whether users may have been compromised simply by clicking on the link, as some on social media claimed that the message was shared without their contact's consent.

Allow Twitter content?

This article contains content provided by Twitter. We ask for your permission before anything is loaded, as they may be using cookies and other technologies. You may want to read  and  before accepting. To view this content choose ‘accept and continue’.

A spokesperson for Action Fraud told the BBC, "from what we can see, you would have to put certain details in to be in trouble, but it would depend on the device as all the scams are different, and some can download malware on your device."

Action Fraud advises people to avoid unsolicited links in messages, even if they appear to come from a trusted contact.

By Tom Gerken, UGC and Social News