WhatsApp rolled out usernames on June 29, letting you share your profile without exposing your phone number. Users can pick a handle between 3 to 35 characters through Settings > Account > Username. The feature is simple. The security implications are complicated.
Only people who know your exact username can reach you. You can also set a username key—an additional password others need to know before they can message you. But security researchers and India’s Ministry of Electronics have already flagged impersonation risks. In early testing, TechCrunch found usernames mimicking celebrities, politicians, and institutions—”indiamodi,” “shahrukh.actor,” “teamamitabh,” “ambanijio,” “rbi_verify”—were still available to grab.
The Impersonation Problem
India’s government warned that usernames could “materially increase the incidence of online fraud, phishing, digital arrest scams and impersonation attacks.” Bad actors can now contact people without exposing themselves through phone number leaks. That’s powerful for scammers. Someone pretending to be the Reserve Bank of India, a Bollywood star, or your bank suddenly has an easy vector to deceive you.
WhatsApp says it will monitor abuse and remove fake accounts. That’s reactive. By then, scammers will have already harvested victims. The 500 million WhatsApp users in India—WhatsApp’s largest market—are particularly vulnerable because scam culture there is already entrenched.
What Changes For Users
You don’t have to create a username. It’s optional. But if you want to share your contact without giving out your phone number—useful for business, security, or just privacy—you now can. Existing phone-number-based chats continue working normally. This is additive, not replacement.
The username system doesn’t auto-populate with your name. You have to actively choose one. That’s good for security but bad for convenience. Many users will ignore the feature entirely, which also means scammers won’t find as many targets as you’d fear.
What Comes Next
WhatsApp will face pressure from India’s government and regulators worldwide to add stronger verification systems. Look for features like identity verification badges similar to Twitter’s old blue checkmark. Verified badges cost money or require identity proof. That raises barriers for scammers but also creates new business models.
Usernames are live now. Security researchers are watching. Scammers are testing. The next few weeks will tell whether this feature is a genuine privacy win or a new headache for vulnerable users.




