WhatsApp Business account takeover at a 47-employee textile exporter · recovered in 22 minutes
On Monday morning at 08:14 a 47-employee textile exporter in the Marmara region lost its WhatsApp Business account to a social-engineering OTP transfer attack. "IBAN has changed" messages were sent to 280 customers and 12 frauds were completed. With Meta Business support DSET recovered the account in 22 minutes and the forensic investigation laid the groundwork for the indictment of 4 perpetrators.
01 The Challenge
On Monday at 08:14 the CFO called saying "customers are expecting an IBAN change." The WhatsApp Business account was open on an unknown Android device and fake IBAN messages had been sent to 280 customers in the last 24 hours. The first confirmed fraud was 87,000 TL, the attacker was still active and pressuring with "negotiate with us." Brand reputation was eroding by the minute.
02 DSET's Approach
T+0 · First response
The DSET incident response team connected in 4 minutes. The official revoke flow was started by filing Meta Business's "account compromised" self-service form.
T+22min · Account recovered
Meta terminated the attacker's session and 2FA + business verification were enabled. No new messages could be sent.
T+2h · Customer notification
The real IBAN information was shared with 280 customers via SMS + e-mail + a dealer phone chain. A transparent statement was published on social media.