The channel where filters don't reach — and how to spot, avoid, and recover from scams that arrive in your encrypted inbox
Published 7 May 2026 · ScamSupport research · ~14 minute read
Most of the defensive infrastructure that keeps obvious scams out of your email inbox doesn't work on WhatsApp or Telegram. Both platforms are end-to-end encrypted, which means the carriers physically cannot see message content to filter it. That's a feature for legitimate users — your conversations stay private — but it's also a structural advantage for criminals, because the spam-detection layers that catch most fraud at the email gateway never get a chance to look. The result is that the messages getting through are, on average, more polished and more dangerous than what arrives by email.
This article walks through the specific scam patterns operating on each platform in 2026, the warning signs that work across both, the sub-categories worth their own deep-dives (Telegram marketplace fraud, P2P crypto scams), and the exact recovery steps if you've already lost money. The goal is to give you a portable mental model: once you've seen the structure of a Telegram or WhatsApp scam, the variants stop surprising you.
Three structural features make WhatsApp and Telegram especially attractive to fraudsters.
Encryption blocks content filtering. Email providers (Gmail, Outlook, ProtonMail) score every incoming message against a model that has seen most of the world's email; that's how 95% of obvious phishing never reaches your inbox. WhatsApp and Telegram cannot do this because the message content is encrypted between sender and recipient. The platforms can detect spam by sender behaviour (sudden mass-sending, new accounts, repeated reports), but they cannot read what's being sent. This means the front-line defence is you, not the platform.
Implicit trust transfers from contact. If a message arrives from your sister's WhatsApp account, you read it differently than if it came from an unknown email address. Scammers exploit this with the "Hi Mum" pattern (a stranger pretending to be your child from a "new number") and with verification-code theft (a real friend's account that's been hijacked, now messaging you). The platform tells you the message is from a trusted contact, but the human at the other end may not be the trusted person any more.
Open public groups. Telegram in particular has a culture of large public groups around topics — crypto trading, freelance work, marketplace deals, fan communities. These groups are excellent for legitimate networking and equally excellent for criminals to mass-target a self-selected audience. Someone joining a "UK crypto signals" group has effectively volunteered themselves as a high-intent target for crypto scams.
Five patterns dominate WhatsApp fraud in 2026.
You receive a message from an unknown number: "Hi Mum, I've broken my phone and this is my new number. Can you save it? I'll call you later, but in the meantime can you help me with a quick payment? My banking app isn't working on this phone." The number is unfamiliar, the explanation is plausible, and the urgency is mild but real. By the time the actual emergency emerges (an "urgent" bill, a deposit due, a tradesman waiting), the conversational context has been built up enough to override scepticism.
The defence is simple: any time a "family member" contacts you from a new number with a money request, call the original number directly to verify. If they don't pick up, message them on the original number too. Don't action anything until you've heard their actual voice on a channel you initiated.
A message from someone you know — or a stranger pretending to be you — says: "I sent your verification code to your phone by mistake, can you forward it to me? It expires in two minutes." The code is in fact your WhatsApp registration code, and forwarding it lets the criminal complete the takeover of your account on a different device. Once they're in, they have access to all your group chats and can run the next round of scams from your identity.
WhatsApp's own published guidance is clear: never share a verification code with anyone. The codes exist precisely to prove that you are the account owner; if you forward one, you're handing the proof to someone else. Turn on two-step verification (Settings → Account → Two-step verification) so a takeover attempt also requires your chosen PIN, which a code-relay attack alone cannot bypass.
When a contact's account has been compromised, the criminal often uses it to forward a fake security alert to that contact's friends. The receiver sees a message from a known contact: "Saw this came in — thought you should check your account too" with a screenshot of a fake bank fraud notification and a link. Because the trust relationship is real but the human at the other end isn't, the message often gets opened and clicked.
The protection is procedural: never act on a banking, government, or courier link in a WhatsApp message, even if it appears to come from someone you trust. Open the institution's own app or website by typing the URL directly. The two-second cost of the fresh tab is the same defence that works for email.
You're added to a WhatsApp group with a name like "UK Top Crypto Signals" or "Forex Pro Mentor". You didn't ask to join. Inside, half the participants are scammers playing different roles — the "successful trader" sharing screenshots, the "happy member" reporting profits, the "admin" promoting an exclusive trading platform. Within days, you're invited to invest. The platform is fake; the deposits work, but withdrawals never complete.
The defence: leave any group you didn't ask to join. Go to the group info, click "Exit group", and report it. If you ever feel tempted by trading "signals", check the FCA's ScamSmart warning list for the platform name — almost every WhatsApp investment scam is a clone of one already on it.
Initial contact often happens on a dating app, but the conversation is moved to WhatsApp within days. The reasons given are always plausible (privacy, the dating app being annoying, the scammer "barely uses it"); the real reason is that WhatsApp has no scam-detection on the chat itself, while the dating apps are introducing tools to flag suspicious patterns. Once on WhatsApp, the relationship intensifies, and the eventual money request becomes the scam.
The general romance-scam advice applies: slow down, insist on a real video call (not pre-recorded video), don't send money to anyone you haven't met, and read the romance scam warning signs guide if any of the patterns feel familiar.
Telegram's open-group culture and bot ecosystem produce a different scam mix than WhatsApp's contact-driven patterns.
UK consumer publication Which? has documented a wave of Telegram-based fake job offers, with scammers contacting prospective workers cold and pushing them to pay money or share sensitive details. The most common variant is the "task" scam: you're offered £200 a day for "completing simple tasks" — usually clicking links, leaving fake reviews, or "rating" products. The first day or two, small payments do arrive (sometimes the operator's own money), to build credibility. Then the "premium task" appears, requiring a deposit. Once you pay, the operator disappears or asks for a larger deposit before any release.
Real employers don't recruit through cold Telegram DMs and don't ask you to deposit money before earning it. Any job pitch that begins with "we found your profile" and ends with a payment request is fraud, regardless of how convincing the early stages were.
The same investment-group pattern from WhatsApp runs at much larger scale on Telegram. Public groups with thousands of members, a few "experts" promoting trades, fake screenshots of profits, and an exclusive platform that's actually a withdrawal trap. Some variants offer "VIP" tiers requiring a paid subscription to a Telegram channel before the "real signals" are shared.
Two protections: assume any unsolicited "investment opportunity" message on Telegram is a scam (the false-positive rate on this assumption is very low), and check anything that genuinely interests you against the FCA ScamSmart warning list before depositing a penny.
Telegram has dedicated marketplace groups for second-hand goods, services, and digital items. The pattern is straightforward: a too-good-to-be-true listing draws you in, the seller pushes you to private DM, refuses any escrow protection, demands an irreversible payment method (bank transfer or cryptocurrency), and disappears once the money lands. The next section covers the specific tells worth memorising.
Real platform support is never delivered through Telegram DMs. If you've used an exchange, an NFT platform, or a cryptocurrency project, criminals harvest the public list of users (or victims who've publicly complained about lost funds) and contact them as "support" from a Telegram account using the platform's logo. The "admin" then asks for wallet credentials, KYC documents, or "verification fees" to "release" the disputed funds. None of this is real.
Block these immediately. No legitimate exchange or platform contacts users via Telegram first, ever. If you genuinely have a support issue, find the official channel from the platform's website (typed in directly), not from a search result, and certainly not from an unsolicited DM.
Telegram's bot ecosystem allows automated chat agents, which is useful for legitimate notifications and rapidly weaponised by criminals. The pattern: a bot DMs you "claim your free airdrop" or "your Binance account has been flagged, verify here". The bot asks you to share your seed phrase or private key "to verify ownership". Sharing those is equivalent to handing over the money in the wallet. No legitimate platform asks for a seed phrase, ever.
If you do use Telegram for buying or selling, the early warning signs of a scam listing are almost always visible if you know to look for them.
Two or more of those signals together means the listing is almost certainly a scam. Don't proceed even if a single signal seems explainable; the scam patterns cluster, and a single suspicious factor is rarely the only one.
If you're trading peer-to-peer — especially crypto-for-fiat — Telegram is fine for chat but should never be the trust layer. The protection has to come from a proper escrow system that holds the asset until payment is confirmed.
What real escrow looks like: a regulated exchange (Bybit, OKX, Binance P2P) takes the seller's cryptocurrency into custody, releases it only when the buyer has confirmed the fiat payment has cleared in their bank account, and provides a dispute process if either party claims the trade was completed when it wasn't. The platform stakes its reputation on the escrow working; criminals can't replicate that without the platform's involvement.
Common scams targeting P2P traders:
Practical rules if you genuinely need to trade P2P:
If you've already lost money through a Telegram or WhatsApp scam, the first half-hour matters disproportionately. The exact same recovery sequence works for both platforms.
Since October 2024, UK banks must refund victims of authorised push payment (APP) scams in most cases, up to £85,000 per claim. The system isn't automatic, but the burden has shifted toward banks. Ask your bank explicitly about the APP scam reimbursement process. If they refuse the claim at first, ask for the decision in writing and escalate to the Financial Ombudsman Service, which can review the case independently and order reimbursement. There's no fee to use the Ombudsman.
Within days of being scammed, most victims receive a follow-up offer from a "recovery agency", "ex-FBI investigator", or "Bitcoin recovery specialist". These are almost universally the same criminal group hoping for a second payment. No legitimate recovery service charges an upfront fee. Recovery, where possible, is done by your bank, the Ombudsman, and the police — not by anyone who slid into your DMs.
Five settings, configured once, eliminate most Telegram and WhatsApp scam vectors before they reach you.
WhatsApp two-step verification. Settings → Account → Two-step verification. Pick a six-digit PIN you'll remember. This protects against verification-code theft attacks — even if someone gets your SMS code, they still can't take over your account without your PIN.
WhatsApp privacy settings. Settings → Privacy. Set "Last seen", "Profile photo", and "About" to "My contacts" rather than "Everyone". Set "Groups" to "My contacts except…" so strangers can't add you to spam groups without your contacts being able to. These settings reduce your discoverability to scammers running mass-add operations.
Telegram two-step verification. Settings → Privacy and Security → Two-step verification. Same logic as WhatsApp's: an additional password protects your account if your SMS code is intercepted.
Telegram privacy settings. Settings → Privacy and Security. Set "Phone number" to "Nobody" or "My contacts" so strangers can't find you by number. Disable "Calls" and "Voice messages" from non-contacts. Set "Groups & channels" to "My contacts" to prevent strangers adding you to scam groups.
Educate the family members at highest risk. The "Hi Mum" scam is overwhelmingly successful against parents. A 15-minute conversation explaining the pattern — "if I ever message you from a new number, call me on my old number first" — saves more grief than any technical setting. The same goes for grandparents on the other end of voice-cloning scams. Awareness is the single most effective defence at the population level.
Don't share it with anyone, even people who claim they sent it to you by mistake. The code is proof that you control the account; sharing it transfers that proof. If the code arrived because someone is trying to take over your account, change your password on the relevant service immediately and review active sessions to make sure they haven't already succeeded.
You can't, on Telegram alone. The username, profile photo, and account name can all be copied from the real platform. The only safe approach is to find the platform's official support channel from their actual website (typed into your browser) and verify any "admin" by sending them a message through that channel and asking them to confirm the Telegram account is theirs. Most legitimate platforms don't run support over Telegram at all.
Profile age and activity look established are easy to fake or buy. The protection isn't about the profile; it's about the trade structure. If the trade is happening through a regulated escrow on a known exchange, you're protected regardless of who the counterparty is. If the trade is happening via Telegram DM with no escrow, you're not protected even if the counterparty is genuine, because there's no recourse if they change their mind.
Assume your account has been hijacked and act fast. Change your WhatsApp or Telegram password immediately, log out of all sessions (Settings → Linked devices → Log out from all), and re-register your account if you can't regain access. Warn anyone in your contact list that messages from your account in the past 24 hours may not be from you, especially any money requests. Then contact the friend through a different channel (a phone call, a different messaging app) to confirm whether they really sent that "I sent the code by mistake" request — usually they didn't, and their account has been hijacked too.
It's the same underlying platform, so the encryption properties are identical. WhatsApp Business adds verified-business badges (the green tick) to genuine company accounts, which helps you distinguish a real Amazon support message from an impersonator — but only if you remember to look for the tick. Most scams target personal WhatsApp because it has more users; Business is no more or less susceptible to the same patterns.