WhatsApp's Username Rollout Hits Friction in India Over Fraud Concerns
Early reservations expose gaps in impersonation safeguards as regulators question whether handle-based messaging opens new attack vectors for scammers

Reservation Window Opens, Questions Follow
Meta began accepting username reservations for WhatsApp this week, a step toward letting users exchange messages through handles instead of phone numbers. Within days, the feature triggered regulatory intervention in India, where the app counts more than 500 million users and where scam operations routinely exploit messaging platforms to impersonate institutions and officials.
The Ministry of Electronics and Information Technology dispatched a notice to WhatsApp on Wednesday, asserting the username system could "materially increase the incidence of online fraud, phishing, digital arrest scams and impersonation attacks." The ministry directed the company to explain why regulatory action should not proceed under India's IT laws and to pause the rollout pending consultation.
Testing conducted during the early reservation phase found handles referencing prominent figures and institutions still available to claim. Examples included strings resembling the prime minister, Bollywood actors, a major telecom operator, and the central bank. Separately, Binance founder Changpeng Zhao noted he was unable to reserve "cz_binance," the handle he uses on other platforms.
Meta's Proactive Reserve List Lacks Clear Boundaries
Meta says it reserves usernames for public figures, government entities, and "some variations" of those names so only legitimate owners can claim them. The company did not detail how it determines which lookalike strings warrant preemptive blocking and which do not, leaving a gap between policy intent and on-the-ground availability.
That ambiguity matters in markets where scam operations are industrialized. India's cyber fraud landscape frequently features attackers posing as police, bank officials, or government departments to extract money or credentials. Usernames that obscure phone numbers remove one layer of verification that recipients often rely on to assess credibility.
A senior government official confirmed the ministry is engaging with WhatsApp over the feature. The notice reflects concern that handles lower the cost of first contact for bad actors, who can now reach users without revealing a traceable phone number.
Legal Basis and Platform Design Authority
The ministry's intervention has drawn pushback from the Internet Freedom Foundation, a New Delhi digital rights group that questioned the legal foundation for the directive. The group argued that impersonation and fraud are criminal matters best addressed through enforcement against perpetrators, not through executive letters that dictate product features in private.
"Impersonation and fraud are real risks, but they are met by enforcing the criminal law against those who commit them," the organization said. "They are not met by MeitY deciding, in private and by letter, what features Indians may use."
The debate echoes language from a Delhi High Court case involving Telegram, where the court observed that username-based systems can make it easier to conceal identity and accelerate the spread of illicit content. That ruling did not pertain to WhatsApp, but the reasoning has resurfaced as Meta prepares the broader launch.
Regulators building case-by-case precedent through letters and notices create planning risk for operators. Rules made in the open, through formal rulemaking, are easier to design around than interventions that arrive after a feature is already in market.
Privacy Gain, Impersonation Trade-Off
Rachel Tobac, chief executive of SocialProof Security, characterized usernames as a net privacy improvement because they reduce the need to share phone numbers, which can be leveraged in SIM-swap attacks, phishing, and account takeovers. At the same time, lookalike handles introduce impersonation risk that phone-number verification partially mitigated.
Tobac advised users to choose usernames that are not easily guessable, reducing the likelihood that attackers can locate, message, or spam them without prior consent. WhatsApp echoed that guidance in a frequently asked questions post, recommending most users select a handle unique to the platform.
The company also allows users to claim their existing Instagram or Facebook usernames by linking accounts, a feature aimed at creators, businesses, and organizations seeking consistent identity across Meta's ecosystem. That integration cuts both ways: it may reduce impersonation within Meta's walls, but it also demonstrates how easily the company can stitch identity together across properties, even as users remain unable to export that identity or their contact graph to rival platforms.
The Mozilla Foundation flagged this interoperability asymmetry. While usernames may reduce some harms, the foundation noted, the design choices that enable scams and impersonation are baked into platform architecture. Verification mechanisms exist, but they operate within boundaries set by the platform, not by users or third parties.
Gradual Rollout, Feedback Loop
Meta has signaled it will proceed slowly. "We're taking our time and listening to feedback so that when it rolls out later this year we get it right," the company said in its FAQ.
That timeline gives regulators and security researchers a window to surface edge cases and pressure the company to tighten safeguards. It also means the username system will debut in a policy environment where governments are increasingly willing to condition product launches on compliance with local risk profiles.
India's notice represents one data point in a broader pattern: platforms that lower friction for user-to-user contact must now account for the fraud externalities that follow. Whether those externalities are best managed through criminal enforcement, platform design rules, or some combination remains an open question. What is clear is that the reservation phase has already exposed gaps between Meta's stated protections and the handles users can actually claim.
The company's ability to scale username verification, particularly in markets where scam operations are sophisticated and high-volume, will determine whether the feature delivers on its privacy promise without creating new attack surface. For now, the evidence from early testing suggests the proactive reserve list is narrower than the threat model requires.


