Sending personal data, copies of documents, and payment details through popular instant messengers like WhatsApp and Telegram can pose real risks. This concern was raised to socialbites.ca by Pavel Korostelev, head of the product promotion department at Security Code, highlighting how attackers can exploit unsecured chats. When an account on these platforms is compromised, the attackers gain access to everything exchanged in chats, including sensitive documents and messages, which can be used to target the victim in future attacks.
As an example, someone could open a microloan based on a single document such as a passport, since many lenders do not verify every detail of the applicant. With enough information, fraudsters could retrieve missing data like a Tax Identification Number and use it to mount another attack against the user. They might craft a convincing message claiming that penalties from a tax agency are due, including a link that leads to a fraudulent payment page.
Korostelev notes that scammers do not even need to search for shared documents manually; automation can scan chats for file types and extract sensitive information. Modern software can be configured to recognize and target documents of common formats such as PDF, enabling opportunistic theft with minimal effort.
From this perspective, using instant messengers to send personal data or copies of documents is not recommended. If there is no safer alternative, individuals should rely on trusted services that offer stronger privacy controls and end-to-end encryption, and that have a track record of safeguarding user data.
Among the options cited by information security professionals, Signal, Threema, and Wickr are often considered reliable choices based on recent assessments. WhatsApp, by contrast, has frequently been described as less secure in comparative reviews, underscoring the importance of understanding the security trade-offs of each platform.
When the use of WhatsApp or Telegram remains unavoidable, it is prudent to minimize the amount of personal data shared and to consider removing such content from ongoing conversations. It is also important to note that data may be stored beyond the device itself, in cloud services like iCloud or Google Cloud, tied to Apple or Google accounts. If this is overlooked, attackers could potentially restore message history even after it has been deleted from the messaging app.
Previous discussions on the site suggested practical steps, such as using two phone numbers to reduce exposure to fraudulent calls. This approach can help separate personal and work communications and reduce risk exposure from compromised accounts.