"How do I know it's really you?" The problem with messaging apps and usernames

11 hours ago 4
ARTICLE AD BOX

"How do I know it's really you?" The problem with messaging apps and usernames

The number always knew who you were. The username won't.

There are, at a conservative guess, several hundred thousand Abhinavs alive right now. Fewer Abhinav Kaustubhs, sure. But enough Abhinavs that if someone texts a stranger "Hey, it's Abhinav," they'd have questions. Which one? From where? How do I know it's really you?On Instagram, that question has never had a good answer. There are dozens of accounts using my name, some with an underscore, some with a stray number, a couple with a full stop dropped in where a space should be.

On X you can now buy a dead person's old handle in a marketplace that prices the good ones at seven figures. This is how social platforms have always worked: you are whatever string you managed to grab before someone else did, and the person you're claiming to be is a separate question the platform mostly leaves to you.Messaging was the one place this wasn't true. For the entire history of texting, "who are you" answered itself, because you were a phone number—a specific, verified, SIM-bound string of digits traceable to a person who once stood in a queue and handed over an ID to get it. The number was the identity, and nobody had to think very hard about the difference. WhatsApp inherited that certainty and never disturbed it; a chat was just texting with a nicer skin, and the number underneath still did the vouching.That's the thing WhatsApp is now quietly dismantling with a feature it describes as taking "just a few seconds" to set up. And the reason it matters more here than anywhere the idea has appeared before is simply arithmetic. Three billion people use WhatsApp; more than 850 million of them are in India, where it isn't one app among many but the default way the country talks to itself. A change to how identity works on WhatsApp isn't a product tweak.

It alters how hundreds of millions of people decide who to trust, and most of them won't notice it happening.

You're about to be @

The mechanics are almost dull to explain. Later this year, WhatsApp will let you pick a username—@something, three to 35 characters, unique to you, or spun up by its username generator—and hand that out instead of your phone number. Someone with only your username can message you for the first time; they never see your digits.

There's no searchable directory, so they need your exact handle. You can bolt on an optional "key," a short code that works as a second lock.

Signal shipped this in 2024. Telegram has had public usernames for years.So on paper, WhatsApp is late to a party everyone else left ages ago. Which is exactly why it's worth asking a question that mostly went unasked when the other platforms did it: what has letting anyone be any name actually done to us?

We've already run this experiment

The answer is sitting in plain sight on every platform that got here first, and it isn't reassuring.On Instagram, impersonation is not an edge case. It's a permanent tax on having a recognisable name. Scammers clone a business account down to the logo, bio and grid, change the handle by one character, and slide into the followers' DMs with a "support" message or a fake giveaway. The trick barely varies: an added underscore, an extra letter, a dash where the real account uses none—@StyxxOfficial standing in for @StyxOfficial.

The smaller the business, the harder it is for anyone to tell which account is real, and small businesses are precisely who can't afford a takedown team.The famous fare no better despite years of verification systems built specifically to protect them. Celebrity impersonation has run continuously on social platforms since the late 2000s, and the badges meant to stop it have repeatedly made things worse; every time a platform changes how verification works, the impersonators find the seam.

X made the point most bluntly when it turned the blue tick into a paid subscription: the mark that once certified "this is really who they say" became something anyone could buy for a few dollars, and impersonators bought it.The damage is not abstract. A woman lost a reported $850,000 to someone posing as a film star over a two-and-a-half-year "romance" conducted through a fake profile. In India, dozens of Bollywood actors went to court in 2025 seeking protection from fake accounts and deepfaked likenesses.

The identifier that was supposed to say "this is really me" has never reliably done so once it became a thing you choose rather than a thing you're assigned.Telegram is the case that should worry WhatsApp most, because it isn't a social feed, it's a messaging app, and it has run username-based contact for years. That head start is exactly what made it a workhorse for fraud. Because a Telegram handle lets a stranger reach you with no phone number and no mutual contact, the platform became a preferred channel for exam-paper leaks, investment-group scams and fake-customer-care rackets, the kind of operation that thrives on being reachable while staying unplaceable.

It is the closest thing to a preview of what a username-first WhatsApp could look like, and the preview is not flattering.And then there's the resale economy, which tells you what a username really is once you detach it from a person. X now runs an official marketplace for inactive handles, where "priority" names are handed to subscribers and "rare" ones, short, generic, culturally loaded, are sold in invitation-only drops that can run past a million dollars.

A username, on the open market, is not an identity at all. It's an asset. It can be bought, flipped, squatted on and impersonated, because nothing structurally ties it to the one specific human it appears to name.That is the model WhatsApp is now importing. Not inventing—importing, onto the one platform where, for a billion-odd Indians, "who is this" still had a dependable answer.

The number was doing a job nobody noticed

To see what's being traded away, you have to appreciate what a phone number was quietly doing all this time.

It wasn't just routing messages. It was a small, ambient piece of verification baked into every first contact. When an unknown number pinged you claiming to be your bank, some part of your brain registered it: a +91 you half-recognised, an area code, a string you could copy, paste into a search, forward to a cousin in IT and ask, "is this legit?" The number was ugly and impossible to remember, and that ugliness was load-bearing.Replace it with @hdfc_care_official and you've made the interaction cleaner, friendlier, more modern, and stripped out the one detail a wary user could grab onto. This matters more in India than almost anywhere, because the country logged nearly 2.3 million cybercrime cases in 2024, more than double the 2022 count, and a large share of them turn on exactly this: someone persuading you they are an institution you trust.

Take away the number, and you've removed a small friction that was quietly working in the victim's favour.The early evidence from WhatsApp's own reservation window rhymes with the Instagram experience. Within days, testers found handles resembling Shah Rukh Khan (shahrukh. actor), Amitabh Bachchan (teamamitabh), Ambani's Jio (ambanijio) and the Reserve Bank of India (rbi_verify) still sitting there, available to claim.

WhatsApp says it holds back "the highest-profile names" and their lookalike derivatives, but won't explain how it decides which lookalikes get reserved and which slip through.

The Abhinav problem

Here's where the famous-name defence quietly falls apart. WhatsApp can hold @iamsrk. It can, with effort, hold a hundred variations of it, and hand the real one a blue tick to prove it. What it cannot do is hold every plausible identity, because most impersonation doesn't target the famous.

It targets the specific.The truly dangerous handle was never the celebrity's anyway. It's the one that impersonates your building's electrician, your child's tuition teacher, the HR person from the company you interviewed with last week. There are thousands of Abhinavs, and WhatsApp is reserving none of them, because no Abhinav is famous enough to protect. You could pay for a tick, but that doesn't fix the problem, it prices it—splitting the world into names you can trust because someone paid, and everyone else, no help to the person staring at an unfamiliar handle, wondering whether to reply.Once a name is something you choose rather than something you're assigned, it becomes something you can approximate—and approximation is the whole engine of the scam, whether it's a fake Instagram store or a "digital arrest" call. The point was never to pass as somebody important, only to pass as the specific person you were already expecting to hear from.A phone number couldn't be approximated. You either had the right ten digits or you didn't.

A username sits on a spectrum—@abhinav. k, @abhinav_k, @abhinavk1, @abhinav. kaustubh—and somewhere on it is a version close enough to fool someone who isn't looking hard. That isn't a bug to be patched. It's the model working as designed, the way it already works on every other app you use.And here's the part that catches you even when no one is trying to scam anyone. With a billion people chasing the same finite pool of names, most of us won't get to be ourselves.

@abhinav is long gone, and so is every clean variant of it. I can still fall back on @abhinavkaustubh—my surname is uncommon enough to survive the scramble—but that only works because I happen to have a rare enough name, and most people don't. For them, what's left is a string invented on the spot because it was still free, which the person on the other end can't read "me" off at all.The real @abhinav, the handle that actually looks like my name, is now in a stranger's account, or unclaimed and waiting for whoever wants to wear it.

Scarcity doesn't just invite impersonation. It guarantees our real names end up out in the wild, detached from us, free for the taking.

Usernames are a good idea. That's the problem.

Everything so far points one way, so let me argue the other. Usernames are a good idea, and I'd struggle to talk anyone out of one.Think about how often you hand your number to someone you'll never trust with it. The dating match. The OLX buyer coming to see the sofa. The building group for a flat you haven't even rented yet.

Each time, you're not sharing a contact detail; you're surrendering a permanent key to your life, one that follows you across every app and feeds the databases the spam-callers mine. A username you can change, mute or delete is the better deal, and it isn't close.

On the narrow question of whether people should have to broadcast their digits to talk to a stranger, the privacy camp is right.WhatsApp's own answer to impersonation is the username key: switch it on, and a stranger needs a short code before they can reach you.

That shuts the door on cold approaches from a guessed handle. But a key only guards the door you thought to lock. It does nothing about the impostor who arrives the ordinary way—through a shared group, a forwarded contact, a handle a character off one you already trust. And the people most likely to be fooled are the least likely to have set a key at all.It's easy to overstate the danger, too. A username hides your number from the person you're messaging, but the account underneath is still bolted to a SIM and the same verification as always; WhatsApp still holds that link, and the fraud stays tied to a number and a KYC record.

A username changes what a stranger sees on first contact, not what the police can pull once they come asking. The danger is social, not forensic, which is exactly why it slips past everyone: it doesn't feel like a security hole, it feels like a convenience.The case for usernames doesn't collapse here, either, because there's an obvious rejoinder: we already live this way with email, and the sky hasn't fallen. Every email address is a username, anyone can register one that looks almost like yours, and phishing has worked that seam for thirty years.

We didn't abolish email; we built spam filters, domain checks and a reflex for hovering over a sender's name before we click.

But look at what that concedes. We never fixed email impersonation—we built an industry to contain a problem we'd accepted was permanent, and we still lose billions a year to it. That is the deal a username asks you to accept: not that impersonation gets solved, but that it becomes ambient, something you manage forever with better tools and more suspicion.

Every platform that took that deal is still living inside it.But the email comparison flatters the risk. Email is where the bank statement lands and the newsletter piles up. Instagram is where you perform for strangers. WhatsApp is neither. It's where your mother forwards good-morning messages, where your child's school sends the fee reminder, where your doctor shares a report and your closest friends say things they'd never post anywhere.

It is the most intimate address most Indians have, the one place we still answer without checking, because we've never had to.That reflex, the unguarded yes to whoever appears in the chat, is the thing a username puts up for grabs. Into that room WhatsApp is about to introduce doubt: the scam, yes, but also the impersonation, the near-miss handle, the half-second of confusion about whether the Abhinav messaging you is the one you know.

It is the one place in our digital lives we never learned to lock, precisely because it never had a lock worth learning.

So, which Abhinav is messaging you now

This is the trade, then, laid bare. You gain a way to talk to strangers without handing over the key to your life, and you lose the quiet certainty that the name in your chat belongs to the person you think it does. The phone number was invasive—and it was also the last thing standing between you and a stranger wearing a familiar name.

Take it away and something has to do that job instead, and nothing yet does.So when the stranger messages you "Hey, it's Abhinav," the answer that used to arrive with the number will soon arrive as a choice you have to make yourself. There'll be an @, and behind it either the person you're thinking of or someone who spelled the name a shade differently and is betting you won't check. WhatsApp is wagering it can catch that difference before it reaches you. A billion people, most of whom will never reserve a username or read a word of this, are the ones who find out whether the wager holds.

Read Entire Article