The cybersecurity risks of informal messaging platforms in the workplace
In the ever-evolving landscape of workplace communication, the convenience and familiarity of informal messaging platforms like WhatsApp and Telegram have become indispensable tools for many organisations.
However, their widespread popularity among employees raises significant concerns related to cybersecurity, as highlighted by the 2025 KnowBe4 Africa Annual Cybersecurity Survey. The findings reveal that an overwhelming 93% of African respondents utilise WhatsApp for work communications, eclipsing traditional email and even Microsoft Teams.
But what can organisations do to safeguard themselves against potential data leakage and other evolving threats?
According to Anna Collard, Senior Vice President of Content Strategy and Evangelist at KnowBe4 Africa, the comfort of using these applications is a driving force behind their integration in workplaces.
“Particularly on the continent, many people prefer WhatsApp because it’s fast, familiar, and frictionless,” she explains.
In today's hybrid work environment, where collaboration is key, these platforms provide a quick and effective means for employees to connect.
“It feels natural to ping a colleague on WhatsApp, especially if you’re trying to get a fast answer,” she adds.
However, the convenience of informal platforms can create risks around control and compliance.
Recent incidents have illuminated the dangers associated with using these informal channels for professional communications. Notably, WhatsApp messages have been cited as evidence in employee tribunals, indicating the gravity of what can transpire in a seemingly harmless chat.
The British bank NatWest has taken the bold step of banning WhatsApp communications among its staff, signalling a growing recognition of the associated perils.
Furthermore, the alarming leak of a US military operation's details via Signal, an informal messaging app, underlines how these platforms can pose threats beyond the corporate realm.
Collard points out that informal messaging apps were not designed with corporate usage in mind and lack essential privacy and business-level controls found in more secure tools like Microsoft Teams or Slack.
“Organisations face multiple layers of risk,” she warns.
The spectre of data leakage stands at the forefront, with accidental or intentional sharing of sensitive information, such as client details and financial data, threatening to devastate corporate integrity and client trust.
“It’s also completely beyond the organisation’s control, creating a shadow IT problem,” she notes.
Alarmingly, the 2025 survey revealed that 80% of respondents rely on personal devices for work, many of which remain unmanaged, ultimately creating significant blind spots for organisations.
Additionally, the absence of an audit trail on these platforms can jeopardise compliance with industry-specific regulations. This is particularly relevant to sectors such as finance, where meticulous data handling is obligatory.
Add to this the exposure to phishing and identity theft, where criminals exploit weak identity verification on these platforms, and organisations find themselves in precarious territory.
As Collard observes, numerous individuals have fallen prey to WhatsApp impersonation scams, with attackers capitalising on an unsuspecting user’s compromised account to manipulate their contacts.
This concern extends beyond mere security threats; the informal use of messaging platforms can also lead to inappropriate employee interactions and blur the boundaries between professional and personal life, contributing to workplace burnout.
“A constant stream of messages can disrupt focus and ultimately lower productivity,” claims Collard.
To mitigate these risks, it is crucial for organisations to establish clear communication strategies. “First, provide secure alternatives,” Collard advises.
Rather than merely prohibiting the use of informal tools, businesses should make secure platforms like Teams or Slack simple to access.
Furthermore, employee education is paramount. This training should cover the significance of secure communication and focus on digital mindfulness principles: encouraging employees to pause and consider what they are sharing and with whom, and to remain vigilant against emotional triggers such as urgency, which are often exploited in social engineering attacks.
Cultivating a culture of psychological safety is essential, allowing employees to feel empowered to question odd requests, even if they originate from higher-ups.
Introducing approved communication tools can also strengthen security, as they incorporate capabilities such as audit logs, data protection, and access control.
These secure platforms foster healthier communication practices, allowing employees to schedule messages and set availability statuses, thereby preserving work-life boundaries and enhancing overall digital wellbeing.
In conclusion, while informal messaging platforms provide enticing convenience, their unchecked utilisation can usher in significant cybersecurity risks.
As Collard underscores, organisations must transcend mere acknowledgment of the issue and proactively implement robust policies, offer secure alternatives, and empower employees with the digital mindfulness necessary to safely navigate these treacherous cyber landscapes.
IOL