WhatsApp just opened username reservations. The move promises privacy gains. It also hands fraudsters new tools. And regulators in India took notice immediately.
The Meta-owned messaging service began letting users claim handles this week ahead of a wider rollout later in 2026. Phone numbers still anchor accounts. Yet conversations can now start through @usernames instead of revealing digits. That shift changes everything about first contact.
Security researchers spotted problems within hours. Handles resembling public figures and institutions sat available for anyone to grab. Think “indiamodi,” “shahrukh.actor,” “teamamitabh,” “ambanijio” or “rbi_verify.” Binance founder Changpeng Zhao failed to reserve “cz_binance.” The pattern raised immediate questions about who controls what.
Rachel Tobac, founder of SocialProof Security, captured the tension. “Ultimately, usernames are a great idea to avoid leaking your phone number to folks you don’t know, but it’s important to verify identity with the username function too,” she told TechCrunch. “Pick a username that isn’t easily guessable and don’t share it with people you don’t want to talk to.”
Short. Direct. Yet the risks run deeper. A minor tweak—an extra letter, underscore or number—creates convincing lookalikes. Malcolm Gomes, chief operating officer at Privy by IDfy, explained the mechanics in The Hindu BusinessLine. “While a phone number is difficult to fake convincingly, a username is not. A minor tweak such as an extra letter, number or underscore can make a fake username appear legitimate, especially on smaller devices.”
India, home to more than 550 million WhatsApp users, sits at the center of this storm. The app serves as default channel for families, small businesses, banks and government offices. Apar Gupta, founder of the Internet Freedom Foundation, laid out the danger there. “WhatsApp is the default channel for families, small shops, delivery, and now banks and government offices. A handle made to look like your bank, or a government department, is a useful tool for a fraudster. A clean, number-free way to reach a target behind a believable name only helps them.”
But the government moved faster than most expected. On July 1, India’s Ministry of Electronics and Information Technology issued a notice to Meta. Officials warned the username feature could fuel phishing, digital arrest scams and impersonation of public authorities. Platforms face legal liability if updates open new loopholes for fraud. Sources familiar with the matter told The Times of India that authorities will assess risks before any launch proceeds.
Meta pushed back with specifics. Usernames remain optional. No public directory exists. An optional username key adds another barrier—recipients must know both the handle and the key before messages arrive. Rate limits cap how many new contacts any account can reach. Repeated guessing attempts get blocked. Existing detection systems hunt for impersonation patterns. And first messages from strangers carry context: whether the account is new, shares mutual groups or sits in the recipient’s contacts.
WhatsApp laid this out plainly on X. “We’ve built multiple layers of defense against scams into usernames: the optional username key limits who can reach you with your username and unlike Telegram, they need to know the exact username to message you. We will rate limit how many new people any account can contact, block repeated attempts to guess someone’s username key, and have systems to detect and remove activity showing common impersonation and abuse patterns.”
The company also reserves certain handles. Public figures, celebrities, government entities and Meta-verified accounts can only be claimed by legitimate owners. Variations get protected too. Yet experts question enforcement speed and scale. Akshayy S. Nanda, partner at Saraf and Partners, noted in The Hindu BusinessLine that the feature reduces phone-number exposure while still leaving room for abuse.
Recent coverage shows the debate intensified overnight. Analytics Insight reported yesterday that popular usernames could vanish quickly, heightening squatting risks. Deccan Herald detailed how crooks might target ex-partners or celebrities with fake profiles for harassment or fraud. And government sources signaled a three-day window for Meta to justify the rollout or face delays.
WhatsApp insists the backend link to verified phone numbers preserves traceability under India’s IT Rules. Namita Viswanath, partner at CMS INDUSLAW, pointed out this structural difference from Telegram, whose username system drew Delhi High Court scrutiny earlier this month for enabling concealment of identifiers.
Still, trust hangs in the balance. Fraudsters already impersonate police, banks and family members on the platform. Removing the phone number red flag removes one verification layer. Scammers gain plausible deniability and easier cold outreach. Users must now scrutinize handles, context clues and verification badges more carefully than ever.
Meta says it listens to feedback and will refine before full launch. Indian officials demand proof that safeguards work at population scale. The coming weeks will test whether those multiple layers hold or whether usernames simply become the next vector for the scams already plaguing millions of users daily.
One thing looks clear. The privacy benefit comes with visible trade-offs. And both companies and regulators will spend the next months trying to balance them.


WebProNews is an iEntry Publication