WhatsApp just opened reservations for usernames. The change sounds simple. Users will soon message each other with handles instead of phone numbers. Yet within days the move triggered sharp pushback. Regulators in India, the app’s biggest market, sent notices demanding answers. Security researchers flagged fresh risks. And scammers already appear to be testing the waters.
The feature promises privacy gains. No longer must people hand out their personal digits to strangers, colleagues or potential dates. Accounts still require a phone number to register. But that detail stays hidden during first contact. WhatsApp described the usernames as a long-requested upgrade for its more than three billion users worldwide. Early testing began this week. Full launch comes later in 2026.
But the rollout hit immediate turbulence. TechCrunch reported that usernames resembling prominent Indian figures quickly surfaced in tests. Handles such as “indiamodi,” variations on Shah Rukh Khan and Amitabh Bachchan, and even approximations of Reliance’s Jio and the Reserve Bank of India appeared available. The pattern raised alarms. In a country where cyber fraud often involves impostors posing as police, bankers or officials, the shift from traceable numbers to catchy handles looked like an invitation.
India’s Ministry of Electronics and Information Technology moved fast. It issued a notice to Meta, WhatsApp’s parent company, citing potential spikes in online fraud, phishing, digital arrest scams and impersonation attacks. The government gave the company three days to explain its safeguards. Officials warned that platforms would face strict legal consequences if new features opened doors to deception. One senior source told reporters the ministry remained engaged with WhatsApp but expected clear answers before any further deployment.
Meta pushed back with details on its defenses. The company reserves high-profile usernames for legitimate owners, including celebrities, public figures and government entities. It withholds lookalike variations to block copycats. Systems limit how many new people an account can contact via username. Repeated guessing attempts get blocked. Patterns tied to abuse or impersonation trigger detection and removal. A spokesperson told CNBC these steps address the concerns directly. “We have built safeguards to detect impersonation and abuse,” the statement read.
Yet experts question whether those measures will hold once millions start claiming handles.
Rachel Tobac, CEO of SocialProof Security, called the usernames a net positive for privacy. They reduce exposure to SIM-swap attacks and phishing tied to visible phone numbers. Still, she warned of lookalike risks. “Ultimately, usernames are a great idea to avoid leaking your phone number to folks you don’t know, but it’s important to verify identity with the username function too,” Tobac told TechCrunch. She advised users to pick non-obvious handles that resist guessing.
The Mozilla Foundation struck a more skeptical note. It highlighted new trade-offs. Increased scams and impersonation from fake handles stood out as a major worry. The group also pointed to interoperability challenges. Allowing users to claim existing Facebook or Instagram usernames might reduce some confusion inside Meta’s apps. But it reinforces the company’s closed ecosystem. Users cannot easily carry their identity to rival services.
Concerns run deeper in India. Cybercrime reports there have surged. Government data showed cases doubling to 2.3 million in 2024. Fraudsters routinely exploit messaging apps to impersonate authorities and demand money. Digital arrest scams, where victims are told they face legal trouble unless they pay immediately, have become common. Removing the phone number as an obvious red flag could make those tactics more convincing. Neil Shah, vice president of research at Counterpoint Research, told CNBC that WhatsApp’s reach combined with usernames might let misinformation and scams spread even faster. Scammers could copy photos and names, then use similar handles to build trust quickly.
Public reaction on X reflected the tension. Users warned of fake founders, fake bank representatives, fake recruiters and crypto admins. One post noted that suspicious numbers once served as warnings. Usernames could erase that cue. Others reported difficulty claiming simple handles, speculating that popular ones had already been taken or reserved. Some predicted paid tiers for premium names. Government notices extended beyond WhatsApp. Reports indicated similar queries went to Telegram and Signal, which already offer username features. The pattern suggests regulators want a broader accounting of how these tools affect traceability and enforcement.
WhatsApp has tried to calm nerves. It stresses the feature remains optional. Users can still rely on phone numbers if they prefer. A username key adds another control. New contacts must supply the correct key before messaging begins, at least in some configurations. The company says it listens to feedback and proceeds gradually. “We’re taking our time and listening to feedback so that when it rolls out later this year we get it right,” the FAQ states.
That measured language has not satisfied everyone. The Internet Freedom Foundation questioned the legal basis of the Indian notice. It argued that impersonation and fraud should be tackled through criminal enforcement rather than preemptive product design dictates from officials. Yet the government’s position is clear. Cybersecurity cannot come as an afterthought. Platforms carry responsibility for harms enabled by their architecture. Past actions against Telegram during exam cheating scandals showed officials stand ready to block services when risks appear acute.
The debate exposes larger frictions. Privacy advocates celebrate reduced phone number sharing. It protects activists, journalists and ordinary users from doxxing or targeted attacks. Security professionals counter that phone numbers once offered a crude but effective verification signal. Replacing them with editable text strings invites mimicry. Brands worry about trademark squatting. Banks and agencies fear official-looking handles that fool customers. Even without a public directory, determined attackers can guess common patterns or buy leaked data to target specific users.
Early evidence suggests the risks are not theoretical. OpIndia detailed how fraudsters could create near-identical usernames for public figures, pair them with stolen photos, and pitch fake investments or loans. Similar tactics already succeed on other platforms. WhatsApp’s massive scale in India, where many users have limited digital literacy, amplifies the stakes. Verification badges exist but many ignore them. Behavioral signals and rate limits help. They do not eliminate human error.
So what happens next? Meta must respond to India’s notice with concrete plans. Further pauses or modifications could follow in that market. Global rollout might proceed unevenly, with tighter restrictions where regulators demand them. Security researchers will watch closely for the first wave of username-based scams. Users, meanwhile, face practical advice. Choose obscure handles. Verify contacts through multiple channels. Treat unsolicited messages from official-sounding names with extreme caution. Even with safeguards, the burden of vigilance shifts.
The episode reveals how one seemingly straightforward privacy improvement can ripple across fraud patterns, regulatory oversight and user behavior. WhatsApp built its reputation on end-to-end encryption and simplicity. Adding usernames tests that balance anew. The company insists it can deliver both safety and privacy. Indian authorities, burned by years of messaging-app abuse, demand proof. The coming months will show which side holds the stronger case. And whether everyday users pay the price for any miscalculation.


WebProNews is an iEntry Publication