With more than two billion monthly users worldwide, WhatsApp is the most popular messaging app. Unfortunately, since its creation 12 years ago, the app has been no stranger to convincing scams and SMS phishing attacks.
What is the WhatsApp hijack scam?
The scam itself is pretty simple and has been around for years. When you first install WhatsApp on a new device, the platform will ask for the account phone number. When you enter the phone number, you will receive a text message giving you a one-time code.
Once the correct code is entered, that device will receive the account's WhatsApp messages. In this scam, the attacker uses an already hijacked account to contact one of its owner's friends or family members. In the message, the attacker commonly tells the contact that they are having issues receiving a six-digit code, that they had it sent to the contact's phone instead, and asks the contact to send it back.
That six-digit code is actually the WhatsApp verification code for the contact's own account, which makes the contact the new victim. By sending it to what appears to be their friend or family member, they hand it to the attacker. Once they have done this, their own WhatsApp is hijacked!
What do the scammers do with stolen accounts?
With your stolen account, the hijacker can message your friends and family and pretend to be you. A common trick is pretending to be in a crisis and asking your contacts to send money. The account also gives the hijacker your contacts' phone numbers, so they can continue trying the six-digit code trick with new victims. After hijacking your account, the scammer will also remain in any group chats you are included in, where they could potentially see sensitive information.
How can you protect yourself?
WhatsApp says users must remain vigilant and never share the one-time password (OTP) or SMS security code with anybody. For extra protection, users can also enable two-step verification, which requires a PIN when the phone number is registered with WhatsApp again. Finally, users must contact their friends or family if they have received suspicious messages on WhatsApp.
In a guide available on its website, WhatsApp has asked users to report any messages received from an unknown number.