WhatsApp’s Shift to Usernames Sparks Impersonation Fears and Regulatory Clash in India

Table of Contents
A Departure from the Phone Number Paradigm
For nearly two decades, WhatsApp has been anchored to the SIM card. Your phone number was your identity, your address, and your primary key for connection. However, Meta is currently dismantling that requirement, rolling out a username reservation system that allows users to find and message one another via handles. While the move is framed as a privacy win—shielding users from exposing their personal digits to strangers—it has inadvertently opened a Pandora’s box of identity theft and regulatory friction.
The shift is not merely a convenience update; it is a fundamental change in the platform’s trust model. By decoupling the account from a verified phone number in the user-facing interface, Meta is introducing a layer of abstraction that security experts warn could be weaponized by bad actors to conduct large-scale social engineering attacks.
The ‘Lookalike’ Problem
The vulnerability is already apparent. In early testing, it was discovered that high-value usernames—those mimicking world leaders, celebrities, and financial institutions—were available for the taking. Handles such as “indiamodi” (referencing Indian PM Narendra Modi) and “rbi_verify” (mimicking the Reserve Bank of India) were open for reservation, providing a blueprint for scammers to create convincing facades of authority.
Meta claims it has a system in place to proactively reserve usernames for public figures and government entities to prevent this exact scenario. However, the company has remained vague on the criteria used to determine which variations are protected and which are left open. This gap in transparency is particularly concerning for figures like Binance founder Changpeng Zhao, who noted on X that he was unable to reserve his established platform handle, “cz_binance,” despite his prominence in the industry.
Regulatory Pushback in India
Nowhere is this tension more acute than in India, WhatsApp’s largest market with over 500 million users. The Ministry of Electronics and Information Technology (MeitY) has already issued a formal notice to WhatsApp, warning that the feature could “materially increase the incidence of online fraud, phishing, digital arrest scams and impersonation attacks.”
In a region where “digital arrest” scams—where fraudsters pose as law enforcement to extort money—are already rampant, the ability to contact a victim without revealing a traceable phone number is a significant force multiplier for criminals. MeitY has directed WhatsApp to pause the rollout until consultations are complete, effectively challenging Meta’s product roadmap on the grounds of national security and consumer protection.
The Privacy Paradox
Despite the risks, some security specialists argue that the transition is a necessary evil. Rachel Tobac, CEO of SocialProof Security, suggests that removing the phone number as the primary identifier mitigates risks like SIM-swapping and targeted phishing attacks that rely on known digits. The trade-off, however, is a shift from technical vulnerabilities (SIM swaps) to psychological ones (impersonation).
The Mozilla Foundation has also raised a flag regarding Meta’s broader ecosystem strategy. By allowing users to port usernames from Instagram and Facebook to WhatsApp, Meta is further tightening its grip on cross-platform identity. While this may help verified creators maintain a consistent brand, it reinforces a “walled garden” where identity is portable within Meta’s apps but remains locked away from any potential interoperable competitors.
As WhatsApp continues its gradual rollout, the company maintains it is listening to feedback to “get it right” before the full launch later this year. But for regulators in New Delhi and security researchers globally, the question isn’t just about the feature’s utility—it’s about whether Meta can actually police a naming system at the scale of a billion users.