Telegram lets scammers connect directly with potential victims by way of stored contacts

Don’t want to be identified as Telegram user? Yeah, about that…

David Bisson
@DMBisson

Scammers can use the Telegram mobile messaging app to connect with a potential victim if they already have their phone number in their contact list.

In a blog post, Fidelis Cybersecurity researcher John Bambenek discusses the ease with which scammers can reach out to Telegram users:

“Here’s the deal: If a scammer signs up for Telegram and already has your phone number in their contact list, it will also notify them that you also have Telegram. So in addition to connecting you to your friends and contacts, the app will also connect scammers directly to you. Likewise, if you have scammers’ numbers in your contact list for some reason, you will get push notifications when they join Telegram…”

What’s going on here? How is this even possible?

Most of us know there are “Do Not Call” rules that help prevent unwanted (spam) calls. These records reflect the complaints users have filed on phone number reputation sites. Mobile applications that block unwanted calls build their registries off this reputation data.

There’s just one catch. “Do Not Call” rules don’t apply to encrypted messaging apps. Those include Telegram, which has versions for Android and iOS.

That’s annoying, but surely there’s a way of blocking others from seeing you have Telegram installed, right?

Wrong!

Telegram privacy settings

You can block specific users. You can choose who can see when you were last active on Telegram. And you can choose whether everybody or just your existing contacts can join you to group chats. But you cannot block others from seeing if you have Telegram installed if they know your mobile number.

To make matters worse, Bambenek said it would be quite easy for someone to develop a method of determining whether a user has installed Telegram on their mobile device. Criminals could use such a service to target unsuspecting users. But so too could law enforcement and intelligence agencies looking to determine “risk factors” among the general population.

So what is to be done?

Users of encrypted messaging apps like Telegram, which has seen bugs both real and bogus, need to understand that these risks are out there. As such, they should be careful when approving new contacts, even if they’re a friend. Ideally, they should use an out-of-band means of verification.

They should also review the app’s default settings and check to see if they can prevent the app from capturing their address book.

Finally, they should be careful about answering calls from unknown users. A simple “hello” tells a scammer that their number is active. As such, they’ll find no reason to not spend months or even years trying to reconnect with that user. They just need a direct means of communication.

And with apps like Telegram, they’ve got that.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

14 comments on “Telegram lets scammers connect directly with potential victims by way of stored contacts”

  1. Freman

    Yeh so? I get at least 2 friend requests from scammers on Facebook per day. I don't see how this is worse, or even worth any extra concern beyond the usual level of vigilance. Don't be a fear monger

    1. Bob · in reply to Freman

      What he's saying is that Telegram is a bit different.

      If somebody has YOUR phone number in their address book and YOU join Telegram then that person will get an alert saying "Freman has joined Telegram".

      Facebook is a little different to an instant messaging application. Personally I think Telegram should give the end user an option NOT to proactively alert people to the fact that they're using the platform.

      You could argue that WhatsApp is very similar however their method requires you to look through your phonebook to find other WhatsApp users.

      The Telegram privacy options are far superior to those in WhatsApp and they also allow you to use a username so that you can contact people (or they can contact you) without providing your phone number. That's a major benefit.

    2. Carl L.D. · in reply to Freman

      The difference is in the topology. No matter what you do on Facebook, it's a website and you communicate with their server so as your contacts, that's how they keep control. End-to-end apps talk to each other directly meaning you both know the address of each other. When you pass through a server it's like having a friend A making a conference call to let you talk to friend B. You'll both see the number of friend A. So B cannot use your number to spam you after.

  2. bobbe mornee

    It is true, some scammers already use Telegram and register as a famous person, like Timothy Sykes. His bio is exactly like Timothy Sykes, and he will promise you that he can turn $1400 into $5000 within a few hours and ask you to send 0.128 BTC, worth $1500, to his BTC address! Never do it! After you send the BTC to him, he will tell you he already made $7000 and now wants to release it to you; in order to do so, the scammer asks you to send an additional 0.1 BTC, worth $1100, to his different BTC wallet! I hope the FBI does the investigation to arrest this scammer! I am one of the victims! Not sure how many victims there are on Telegram! Watch out!

    1. Hanny · in reply to bobbe mornee

      I didn't join any telegram but a scammer has a code sent to me by telegram. Could it be that my number is registered somewhere else

  3. Clave

    I am one of the victims too. I would like to find justice and stop these evildoers to avoid more victims.

    1. rohith · in reply to Clave

      Yes, even I am one of victim of telegram scammers. (A telegram channel named "carding ka baap" has scammed me).

      1. Rochelle McQueen · in reply to rohith

        How did they scam you, using which method? I was just added to one of those groups.

  4. Dwight

    How do you block the person once they would have secured your telegram code and phone number?

  5. Crystal Morrow

    I just got a scam on Telegram. This person is using text only phone number from Iowa and using a person's name from New York city for a job with Morgan Stanley. I sent a message to the person in New York on LinkedIn and asked if this is really the same person. The scammer from Iowa not stop texting me.

  6. Yvonne sharpe

    I am sorry but telegram should deactivate these accounts when people complain they just continue all the time ??

  7. SALEPUTEONVATECLATER

    HEY JERK:

    You work for twitter, facistbook or google gestapo?

    Telegram is just fine

  8. David wilson

    I was approached by a lad on Facebook dating. He asked me to get Telegram, which I did. After two weeks of chatting he said he needed money. I said no. When I checked his phone number it was a scammer's number from Denmark. He even chatted on the phone. He deleted himself after I said no to money.

  9. John Jackal

    All these scams are awful. I run global cybercrime investigations and cyber intelligence for a big tech company. Remember you do not need to get people to invest crypto for you. The beauty of crypto is you can do it yourself. As a general rule, if someone makes claims of unreasonable returns/profit they are probably a scammer. If they offer to match your funds, probably a scammer.

    Same thing with people claiming to be military and overseas. They will say they do some kind of secret work and then they'll say they need money because they got arrested or something and need your help.

    Do not EVER give money to people you do not know a great deal about. Do not send money to strangers who claim to love you. Do not let anyone tell you that you have a computer virus and they need to upload a program to help you.

    Practice good cyber hygiene and research things before it happens. All too often someone will get ripped off and THEN do the research.
