According to data from India’s Ministry of Home Affairs, Indians lost 224.95 billion rupees (US$2.3 billion) to cyber fraud in 2025, with complaints rising by about 24 per cent year on year to 2.4 million.
More than three-quarters of these cyber-fraud losses came from investment scams, while fraudsters impersonating law enforcement and government authorities in so-called digital arrest scams to coerce victims into transferring money are the second-largest contributor.
“It could add more friction to the law enforcement process,” Andrei Skorobogatov, director of communications at the Global Anti-Scam Alliance (GASA) told CNA.
Although authorities can obtain the phone number linked to a username through legal requests, investigators would first need WhatsApp to identify the account, adding another step to an already time-sensitive process, he explained.
Unlike phone numbers, usernames can resemble trusted institutions or public figures, potentially making fraudulent messages appear more legitimate at first glance, said Vikas Kundu, threat intelligence researcher at CloudSEK, a digital risk monitoring platform.
“Right now, a suspicious phone number is often the victim’s first tripwire (an early-warning system),” Kundu told CNA.
“Hiding that number during the first interaction removes one of the easiest ways users currently verify who is contacting them.”
Kundu said usernames do not create new scam techniques, but could make existing approaches more persuasive.
He also pointed to what cybersecurity researchers call “namespace squatting”, where fraudsters register usernames resembling banks, government agencies or prominent individuals before legitimate entities can claim them.
“A phone number cannot impersonate a bank. A username can,” Kundu said.
Concerns over namespace squatting have already surfaced during WhatsApp’s early reservation phase.
Manish Sisodia, a senior leader of India’s opposition Aam Aadmi Party (AAP) and former deputy chief minister of Delhi, said multiple username combinations using his name and “AAP” had already been reserved.
In a post on X, he urged Meta to introduce verification and grievance mechanisms to prevent misuse of public identities and protect users from impersonation.
A TechCrunch report also found that usernames such as ‘rbi_verify’, which resembles a public institution like India’s central bank – the Reserve Bank of India (RBI) – could still be reserved.
Even usernames resembling prominent politicians, actors and businessmen in India were available to reserve, according to the report.
A preliminary check by CNA found that usernames such as ‘IndianCrimeOffice, ‘IndianOfficerCyberCriminal’ and ‘RBI_Inspector’ were available to reserve.
While these are not the exact official names of Indian law enforcement or regulatory authorities, they could potentially be used to deceive unsuspecting users.
“So the fairest framing is that researchers anticipated the threat, India’s fraud data made it urgent and the regulator simply intervened earlier in the product lifecycle than most of its peer countries would,” said Kundu.
EXPERTS DIVIDED ON INDIA’S MOVE
Other experts, however, argue the Indian government’s response risks going too far.
Independent tech policy researcher Prateek Waghre said usernames also solve a genuine privacy problem by allowing people to communicate without exposing their phone numbers.
Rather than preventing new features from launching, he said regulators should focus on improving digital literacy, strengthening cybercrime response and encouraging platforms to build effective safeguards.
