Header Banner
Gadget Hacks Logo
Gadget Hacks
Apple
gadgethacks.mark.png
Gadget Hacks Shop Apple Guides Android Guides iPhone Guides Mac Guides Pixel Guides Samsung Guides Tweaks & Hacks Privacy & Security Productivity Hacks Movies & TV Smartphone Gaming Music & Audio Travel Tips Videography Tips Chat Apps
Home
Apple

WhatsApp Username Feature Rollout: Privacy Gains and Scam Risks Explained

WhatsApp Username Feature Rollout: Privacy Gains and Scam Risks Explained

A feature years in the making crossed a concrete threshold this week: WhatsApp usernames are now active for a select group of users on both iOS and Android, marking the first live phase of the rollout. For those users, two people can connect on WhatsApp without either one ever seeing the other's phone number. That is a meaningful shift in how identity works at the moment of first contact and India's government is already trying to stop it.

Select users who reserved a handle during the reservation window are receiving in-app notifications confirming their username is live, WABetaInfo reported this week. WhatsApp opened that reservation window on June 29 and says it will roll out usernames gradually over the coming months, per the company's own blog. Most people who reserved a handle are still waiting.

India's Ministry of Electronics and Information Technology formally directed Meta to halt the feature and explain its fraud-prevention approach, citing specific provisions of the IT Act, before a single username went active, The Hindu reported earlier this month. Whether India has legal authority to compel a stop is, by The Hindu's own assessment, unsettled. The rollout is continuing while that question remains unresolved.


How WhatsApp usernames work without a phone number

When a user enables their username and messages a new contact for the first time, that contact sees only the chosen handle. The phone number stays hidden entirely, WhatsApp stated in its June 29 launch post. The practical cases where this matters are specific: selling through online marketplaces, joining community groups, contacting a business situations where handing over a personal number creates risk with little benefit.

There is no searchable directory of usernames inside WhatsApp. The design is closer to a private access code than a public profile. A handle only works if you deliberately share it, The Hindu noted. WhatsApp's own framing frames usernames as something "only people you want to contact you will know" a design choice worth taking at face value.

An optional PIN adds a second layer. Even someone who already has your username cannot initiate contact without the accompanying code, The Hindu reported. That protection matters most for anyone sharing a handle in a semi-public context. Hive Security also recommends keeping two-step verification enabled, and WhatsApp advises treating a username with the same caution you'd apply to any new contact because a plausible handle is not proof of identity.

That last point is what makes the fraud concern more than theoretical, and nowhere more so than India.


Why the fraud risk is unusually acute starting with India

Before usernames, a phone number carried rough identity information. A suspicious country code or unfamiliar prefix was an early warning that was simple and automatic. Security researcher Kundu put the shift plainly to CNA: "A phone number cannot impersonate a bank. A username can." Usernames don't require new scam techniques. They make existing approaches more convincing.

Indians lost the equivalent of roughly $2.3 billion to cyber fraud in 2025, with complaints rising approximately 24 percent year over year to 2.4 million, according to India's Ministry of Home Affairs data reported by CNA. More than three-quarters of those losses came from investment scams. Fraudsters impersonating law enforcement, the so-called "digital arrest" scams, in which victims are pressured into transferring money to fake officials, were the second-largest category.

India's Ministry of Electronics and Information Technology told Meta directly that hiding phone numbers while showing only usernames may increase phishing, digital arrest scams, impersonation attacks, and identity spoofing, specifically including impersonation of financial institutions and government agencies, per The Hindu's review of the notice. The ministry cited Sections 66C and 66D of India's IT Act, covering identity theft and cheating by personation, alongside Section 79, which governs intermediary liability.

The concern became concrete before any username went live. During the reservation phase, CNA's own checks found handles including "RBI_Inspector," "IndianCrimeOffice," and "IndianOfficerCyberCriminal" available to claim. A separate TechCrunch report cited by CNA found that "rbi_verify," evoking India's central bank, could still be reserved. Handles resembling prominent politicians and public figures were reportedly available as well.

Finland's National Cyber Security Centre warned that usernames may improve privacy while also enabling more believable scams, and that neither outcome cancels the other, as summarized by Hive Security. That India is the first government to formally act reflects scale as much as anything else. India had an estimated 853.8 million WhatsApp users in 2026, making it the platform's largest market, per World Population Review figures reported by CNA.


What Meta built to contain the risk and where the gaps are

Meta has listed its protections publicly. According to CNA's reporting, the company says it has pre-reserved usernames for public figures, government entities, and verified Meta accounts; blocked attempts to probe usernames through repeated guessing; limited the rate at which new accounts can contact strangers; and deployed automated systems to detect impersonating or abusive handles. Creators and businesses with existing Instagram or Facebook accounts were given early access to claim their established handles on WhatsApp, per the WhatsApp blog. Meta also disabled roughly 150,000 accounts connected to Southeast Asian scam operations in March, signaling active enforcement infrastructure, according to CNA.

The problem with that safeguard list is what reporters found before activation began. "Well-known public figure" is not the same category as "any name resembling a government institution or regulatory body." The reservation-phase evidence "RBI_Inspector" available, handles mimicking politicians available suggests that gap is real, per CNA. Hive Security put it plainly: reserving names for public figures is not enough.

Usernames also create friction for investigators even when enforcement is eventually successful. Authorities can obtain the underlying phone number linked to a username through a legal request, but that adds a step. Andrei Skorobogatov of the Global Anti-Scam Alliance told CNA that the process "could add more friction to the law enforcement process," and in time-sensitive fraud cases, that extra step carries real cost.

India sent parallel notices to Telegram, Signal, and Arattai, platforms that have offered phone-number-concealment features for years, which raises its own question about why those systems haven't attracted equivalent regulatory pressure, The Hindu reported. WhatsApp's scale is likely part of the answer. Whether its safeguards are proportionally stronger is the part that remains untested.

WhatsApp officials met with India's ministry on July 3; a written response was due July 4. No public resolution has emerged since.


What comes next

The rollout is real and expanding on iPhone and Android through individual in-app notifications, with broader access expected over the coming months, WABetaInfo confirmed. For users who gain access, the privacy benefit at first contact is genuine. So is the trust gap the feature creates.

The namespace evidence from the reservation phase is the clearest signal of where Meta's enforcement needs to improve. Those gaps existed before activation began. They will carry more consequence as the user base grows.

Two things are within Meta's control: whether abuse detection performs at scale and whether the namespace problems get closed. One thing isn't how India's unresolved regulatory standoff ultimately lands, as The Hindu's analysis makes clear. The central question now is whether the safeguards grow proportionally to the rollout or whether the fraud-risk cases regulators flagged before launch become the stories that define how this feature is remembered.

Apple's iOS 26 and iPadOS 26 updates are packed with new features, and you can try them before almost everyone else. First, check our list of supported iPhone and iPad models, then follow our step-by-step guide to install the iOS/iPadOS 26 beta — no paid developer account required.

Sponsored

Related Articles

Comments

No Comments Exist

Be the first, drop a comment!