‘WhatsApp Hijack Scam’

Published: 08 June 2021

The ‘WhatsApp Hijack Scam’ seems to be doing the rounds again..

The BBC has a very good article on it, which I have provided the link to.

https://www.bbc.co.uk/news/technology-57357301

WhatsApp hijack scam continues to spread

WhatsApp logos with the word scam written on top

Scammers are continuing to target WhatsApp users and hijack their accounts, by posing as a friend and asking for SMS security codes.

The scam has existed for years but has continued to catch people out, with victims sharing their stories on social media.

WhatsApp says users should never hand over their security codes to anybody, even if they appear to be a friend.

One victim said he was embarrassed to have fallen for the "simple" scam.

What should you look out for?

You may be a target of the scam if you receive an SMS text message with a six-digit WhatsApp code that you were not expecting.

Usually you would need this code when setting up a new account, or logging in to your existing account on a new device.

However, if you have not initiated this request, it could be a scammer trying to log in to your account.

In the next step, the scammer sends you a WhatsApp message asking for the six-digit code.

It appears to come from a genuine friend because that account has already been hijacked.

"I got a WhatsApp message from my good friend Michelle, saying she was locked out of her account," one victim, called Charlie, told the BBC.

"She said she accidentally sent the access code to my phone instead of hers, and could I just screenshot it and send it over."

In reality, Charlie had sent the access code for his own account to the scammer.

"I think I fell for it because we all know how frustrating tech can be and I was eager to help," he told the BBC.

"It took me a day to realise what had happened."

Charlie said he had deleted WhatsApp and would not be using it again. He has switched to Apple's iMessage instead.

What do the scammers do with stolen accounts?

With a stolen account, the hijacker can message your friends and family, and pretend to be you.

They may pretend you're having a crisis and ask your contacts for money.

It also gives them your contacts' phone numbers so they can try the six-digit code trick with new victims.

By hijacking your account, the scammer will also remain in your group chats, where they could see sensitive information.

How can you protect yourself?

In a statement, WhatsApp said: "The safety and security of our users and their messages are really important to us. However, just like regular SMS or phone calls, it's possible for other WhatsApp users who have your phone number to contact you."

It said users should:

  • never give a password or SMS security code to anybody - not even friends or family
  • enable two-step verification for an extra layer of protection
  • be vigilant if you receive a message asking you for money. If in doubt, call your friend or family member to check

WhatsApp has a guide on its website to help people keep their accounts safe.