The Meta-owned platform said on Monday that it had uncovered and stopped a series of spear-phishing attempts linked to NSO after receiving reports from users.

According to WhatsApp, the attackers tried to lure targets into clicking malicious links that directed them to websites outside the app.

“They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp,” the company wrote. “We also caught them creating test accounts and groups on WhatsApp, which we took down.”

WhatsApp said the operation shared similarities with another campaign uncovered in Jordan in 2024. In that case, victims who clicked malicious links were infected with Pegasus, NSO Group’s spyware.

Following its latest findings, Meta has asked a US federal court to hold NSO in contempt, arguing that the company breached a permanent injunction issued during a long-running case between both firms.

The court order stemmed from a 2019 hacking campaign in which more than 1,400 WhatsApp users were targeted through the platform. After discovering the breach, WhatsApp alerted affected users and filed a lawsuit against NSO.

A jury later ordered the spyware maker to pay $167 million in damages. That amount was subsequently reduced to $4 million.

The latest court filing is another chapter in an issue that has lasted several years and drawn attention to the high use of commercial spyware around the world.

NSO Group has been repeatedly cautioned over Pegasus, a surveillance tool capable of infiltrating mobile devices through so-called “zero-click” and “one-click” attacks. 

Investigations by journalists, security researchers and technology companies have linked the spyware to operations targeting journalists, activists, dissidents, human rights defenders and political opponents in several countries.

WhatsApp said it has continually exposed suspected spyware campaigns, notified victims and strengthened protections for users who may face a higher risk of digital surveillance.

Other technology companies, including Apple and Google, have also introduced additional security measures designed to help protect users from advanced spyware attacks.

Meta’s latest legal action has attracted support from civil society groups. A coalition of 12 civil rights organisations, privacy advocates and security researchers has filed court briefs backing the company’s position and urging the court to maintain pressure on NSO.

The spyware maker is also still under pressure from the US government. NSO is still listed on the US Commerce Department’s Entity List, a designation that restricts its access to American technology.

Washington has imposed similar measures on other spyware firms, including Intellexa and its founder.

In 2025, a group of US investors acquired NSO and began efforts to rebuild the company’s reputation while seeking the removal of US restrictions. However, the company remains on the Commerce Department blocklist.

The NSO Group did not respond to requests for comment on the latest allegations from WhatsApp.

Instead, attackers exploit simple, preventable security weaknesses that organisations repeatedly fail to fix.

Danny Mitchell, cybersecurity writer at Heimdal Security, examined high-profile breaches from the past decade and found that most began with stolen credentials, unpatched systems, or phishing attacks. 

When we examine the anatomy of major data breaches over the past decade, a clear pattern emerges,” Mitchell said. 

“Attackers consistently exploit the same entry points because organisations continue to leave these doors open. Understanding where breaches begin is the first step toward preventing them.”

1. Compromised Credentials

One of the most common vulnerabilities is stolen or weak credentials. In the 2013 Target breach, hackers accessed the network through a third-party HVAC vendor. 

Using these credentials, they moved across the system and stole 40 million credit card numbers and 70 million customer records. 

Mitchell says, “Organisations often grant excessive access to third-party vendors without implementing proper oversight or segmentation. Once attackers obtain valid credentials, they appear as legitimate users, making detection extremely difficult.”

2. Unpatched Systems

Equifax’s 2017 breach reveals another recurring issue, which is the failure to update systems. Attackers exploited a known vulnerability in Apache Struts, a patch that had existed for months. 

The breach exposed sensitive data of 147 million people. “Equifax was breached using a vulnerability that had a publicly available patch,” Mitchell notes. “This breach occurred not because the attack was unavoidable, but because basic patch management processes failed.”

3. Phishing and Email-Based Attacks

Email is an easy entry point for attackers. In 2011, Epsilon suffered a breach after phishing campaigns targeted client databases, affecting millions of customers from brands including JPMorgan Chase and Walgreens. 

Mitchell explains, “Email-based attacks work because they exploit human behaviour rather than technical vulnerabilities. Even with advanced security tools, a convincing phishing email can bypass technical defences if an employee clicks a malicious link or provides credentials on a fake login page.”

Why These Weaknesses Persist

Mitchell identifies three systemic reasons organisations remain vulnerable:

• Over-Privileged Accounts: Many employees and vendors retain access rights they no longer need.
• Poor Visibility: Security teams often lack tools to monitor unusual network activity.
• Tool Sprawl: Multiple disconnected security systems create blind spots that attackers exploit.

Steps to Reduce Risk

Mitchell suggests helpful measures to block attackers at the most common entry points:

• Enforce strict privileged access controls and multi-factor authentication.
• Use DNS filtering to block connections to malicious domains.
• Deploy endpoint detection and response systems for real-time monitoring.
• Implement automated patch management and prioritise critical vulnerabilities.

“Attackers will always choose the path of least resistance,” Mitchell concludes. “By closing these common entry points, organisations force attackers to use more sophisticated, and therefore more detectable, methods. While perfect security may be impossible, you can make your organisation a harder target than the alternatives.”

A recent report from cybersecurity firm Kaspersky reveals that scammers are using Google’s legitimate form submission system to create highly deceptive emails that appear to confirm receipt of a crypto transaction. 

But these messages are elaborate bait to trick victims into sending money under false pretences.

The scam starts with a simple form submission. The attacker enters the target’s email address into a pre-filled Google Form. This triggers an automated confirmation email from Google, containing the platform’s official logo and formatting, enough to convince many recipients it’s genuine. 

But the message is entirely fabricated, part of a scheme to coax users into believing they’ve received a large cryptocurrency transfer.

What happens next is where the trap is set. The email includes a message prompting the recipient to “claim” the crypto transfer before the offer expires. Clicking the embedded link redirects users to a fake website that impersonates a blockchain support page. There, they are told to pay a “commission” in cryptocurrency to unlock the so-called funds.

There are no funds. Once the fee is paid, the scammers disappear.

According to Kaspersky’s Email Threats Protection Group Manager, Andrey Kovtun, “This campaign demonstrates a cunning exploitation of a trusted and widely used platform to deliver scam attacks on cryptocurrency users.” 

He added, “By crafting fraudulent submission confirmation emails that mimic legitimate notifications from crypto exchanges, attackers used the platform’s credibility to bypass email filters and lure victims into divulging sensitive wallet credentials.”

It’s a disturbingly effective tactic. The use of Google Forms, a tool most people associate with harmless surveys and registration sheets, gives the scam a veneer of legitimacy. 

Most spam filters don’t catch the emails because they come directly from Google’s servers and include authentic links like forms.gle, which email systems recognise as trustworthy.

And it’s not just the delivery method that’s clever, the language used in these emails is designed to create urgency. Victims are told the transaction will “expire,” pushing them to act quickly without thinking critically. It’s a psychological tactic commonly used in phishing, but now reinforced with the trust many have in Google.

Reports indicate that this form-based scam has surged by over 60% since last year, and with the rising adoption of digital currencies globally, the trend shows no sign of slowing.

For users, the advice is not to click on unexpected links, no matter how authentic the source looks. Never send crypto payments or personal details in response to unsolicited messages. And most importantly, confirm any financial communication via official platforms or apps, not through email links.

In addition to basic digital hygiene, users are urged to educate family and friends, especially those new to crypto, about emerging scams. Setting up email filters to catch keywords such as “Create your own Google Form” might help, but it’s not foolproof, especially since legitimate services also use the same infrastructure.

With universities becoming more concerned about their networks’ cybersecurity, attackers find ways to breach these systems by targeting inattentive students, staff and professors.

Kaspersky experts highlight intensified phishing campaigns with fraudsters exploiting the names of some of the worlds’ biggest universities.

University-specific phishing pages are usually well-crafted and mimic official university webpages or online learning management systems.

Once users visit false pages, they are duped into sharing personal information like account credentials, IP addresses or location data.

The importance of universities’ corporate account safety is often underrated when referring to organisations’ data protection.

Famous educational institution names, some with critical research centers operating in various fields from political economy to nuclear physics, are used as a lure to distribute phishing pages.  

And with governments and large corporations often purchasing research studies from these universities, it makes the sensitive data they possess extremely valuable for attackers.

By accessing students’ or employees’ accounts, the attacker may access personal information of their victims but also their educational plans, payment information and timetable of classes. This carries the risks of online threats transitioning to real life stalking and abuse.

“Education becoming more digitalised is a beneficial shift. Not only do learning management systems allow students to maximise their academic progress in the most efficient way, but also more people across the world get a chance to learn from the best professors at the biggest universities. This also widens the spectrum of threats student face. Scammers are luring students to give away their personal credentials to access data containing not only unique expertise but also private and potentially compromising information,” comments Olga Svistunova, security expert at Kaspersky.

Kaspersky recommends the following measures to safeguard systems and young people against education fraud:

• Check before clicking: It’s always advisable to hover over the link to preview the URL,and look for misspellings or other irregularities. 
• Introduce some form of two-factor authentication for information systems, especially web-based ones, and particularly for access to student records, grades and assessments. Set strong and appropriate access controls, so that it is not easy for a hacker to move laterally through the system.
• On campus, have two separate and secure wireless networks, one for staff and one for students, and if possible, a third for visitors.
• Introduce and enforce a robust staff password policy and encourage everyone to keep their access credentials confidential at all times. Never use the same password for several websites or services, because if one is stolen, all your accounts are under risk. To create strong hack proof passwords without having to face the struggle of remembering them, use password managers, such as Kaspersky Password Manager. It’s available for purchasing on its own, but it’s also included as part of Kaspersky Total Security. To celebrate the beginning of the school year, users purchasing consumer solutions will get a discount of up to 30%. The special offer is running in Nigeria till September 12^th.
• Use a reliable security solution for comprehensive protection from a wide range of threats, such as Kaspersky Endpoint Security for Business.