Watch For Scams Newsletter. WhatsApp Hijackers
February 06, 2023

WhatsApp Hijackers

Watch For Scams is dedicated to helping you avoid becoming a victim of fraud.

If you like this ezine, do a friend a big favor and forward this to them. If a friend forwarded this to you, and if you like what you read, please subscribe by visiting the link below:

Subscribe Here

WhatsApp Hijackers

The recent WhatsApp account takeover is simple and genius. This is how it works. You're sleeping. A "hacker" tries to log in to your account via WhatsApp. You get a text message with a PIN code that says "Do not share this". You don't share it, yet you still get hacked. How?

Attackers can take advantage of two things: a user's availability and how identity verification works on WhatsApp.

A user who is not available to respond to verification checks — whether they're asleep, in-flight, or have simply set their smartphone to "do not disturb" — may be at risk of losing their WhatsApp account. All an attacker needs is their target's phone number.

Here's how it works.

The attacker attempts to log in to a WhatsApp account. As part of the verification process, WhatsApp sends an SMS with a PIN to the phone number tied to the account.

The user is unavailable, so they don't notice the suspicious login attempt. The attacker then tells WhatsApp that the SMS didn't arrive and asks for verification by phone call instead.

Since the account owner is still unavailable and cannot pick up the call, the call goes to the number's voicemail, where the code is read out and recorded. Knowing the target's phone number, the attacker then attempts to access their voicemail by keying in the last four digits of the user's mobile number, which is usually the default PIN code for the user's voicemail.

The attacker then has the WhatsApp verification code, and can use it to access the victim's WhatsApp account. They can then set up their own 2FA (two-factor authentication) on it, leaving the actual owner locked out of their own account.

Once the account has been hijacked, the attacker could use it to hijack accounts of the user's contacts, spread malware, or hold the account hostage until the owner pays up to get it back.

How to protect your own WhatsApp account

This isn't a new tactic; it has been around for a while. But there are two pretty simple things you can do to avoid it happening to you.

1. Change the default PIN of your voicemail.

2. Enable two-step verification on your WhatsApp account:

Open Settings.

Tap Account > Two-step verification > Enable.

Enter a six-digit PIN.

Enter an email address, or tap Skip if you don’t want to.

WhatsApp says it recommends adding an email address so you can reset two-step verification if you need to.

Tap Next.

Confirm the details and tap Save or Done.

If you believe you have been a victim of this type of scam, you should promptly report it on the IC3's website. The IC3's complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration.
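The takeover chain described above, and the two defenses just listed, can be checked against each other in a small simulation. This is an added illustration written for this issue, not code from WhatsApp or the newsletter; the class names, the phone number and the verification code are constructed, and a voicemail PIN of None stands in for the carrier default (last four digits of the number).

```python
from dataclasses import dataclass, field
from typing import Optional

OTP = "482917"  # constructed verification code used by the simulation

@dataclass
class Voicemail:
    """Carrier voicemail box; pin=None models the carrier default of the last four digits."""
    number: str
    pin: Optional[str] = None
    messages: list = field(default_factory=list)

    def effective_pin(self) -> str:
        return self.pin if self.pin is not None else self.number[-4:]

    def retrieve(self, pin_attempt: str) -> list:
        return list(self.messages) if pin_attempt == self.effective_pin() else []

@dataclass
class Account:
    """WhatsApp account; two_step_pin is the optional six-digit two-step verification PIN."""
    number: str
    two_step_pin: Optional[str] = None

class Registration:
    """Number verification: SMS first, voice call on request (hypothetical model)."""
    def __init__(self, account: Account, mailbox: Voicemail, owner_available: bool):
        self.account, self.mailbox, self.owner_available = account, mailbox, owner_available

    def request_voice_call(self) -> None:
        # An unanswered call is read into voicemail; only an available owner hears it live.
        if not self.owner_available:
            self.mailbox.messages.append(f"Your WhatsApp code is {OTP}")

    def register(self, otp: str, two_step_pin: Optional[str] = None) -> bool:
        if otp != OTP:
            return False
        # Two-step verification demands a second secret that the phone channel never carries.
        return self.account.two_step_pin is None or two_step_pin == self.account.two_step_pin

def takeover_chain(account: Account, mailbox: Voicemail) -> bool:
    """Replay the article's chain against a sleeping owner; True means the attacker registers."""
    reg = Registration(account, mailbox, owner_available=False)
    reg.request_voice_call()
    heard = mailbox.retrieve(account.number[-4:])  # the carrier-default guess from the article
    code = heard[0].split()[-1] if heard else None
    return code is not None and reg.register(code)

def compare_defenses(number: str = "+15555550123") -> dict:
    """Score each of the newsletter's two mitigations (and both together) against the chain."""
    return {
        "defaults": takeover_chain(Account(number), Voicemail(number)),
        "voicemail_pin_changed": takeover_chain(Account(number), Voicemail(number, pin="7301")),
        "two_step_enabled": takeover_chain(Account(number, two_step_pin="246810"), Voicemail(number)),
        "both": takeover_chain(Account(number, "246810"), Voicemail(number, "7301")),
    }
```

Only the "defaults" row comes out hijacked: a changed voicemail PIN stops the code leaking, and two-step verification makes a leaked code insufficient on its own.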

Remember - always watch for scams!
