Everything you need to know about the WhatsApp phishing scam

With over two billion users, WhatsApp is one of the world’s most popular means of communication. While in the past it was mainly used for private purposes, WhatsApp use in the workplace has increased significantly in recent years. It makes sense because you can send messages quickly, easily, (reasonably) safely due to the end-to-end encryption using both your smartphone and a PC.

Whatsapp phishing is interesting for cybercriminals because of its popularity

There’s one downside: it is precisely because of this popularity that WhatsApp is increasingly becoming a favorite tool for fraudsters. The Fraud Help Desk currently receives about a thousand reports per month about this. Previously, WhatsApp phishing methods were a bit simpler in nature and therefore easier to see through. But since 2019, a more advanced method has taken over, with the phishers taking over your account. This significantly increased the success rate of these phishing scams.

How does the WhatsApp phishing scam work?

Scammers make use of the WhatsApp feature that allows you to use the same account on several devices. To activate another device, a six-digit verification code is required. Fraudsters use various tricks to get this but typically, the scammer will befriend you, gain your trust and then ask you for the code stating that it was sent to you by mistake.

Another trick: voicemail

Instead of asking you for the code personally, the scammer can also use your voicemail. After multiple code requests at WhatsApp, the scammer can indicate that WhatsApp must call to pass on the code. If you do not answer this automated phone call, the code will be sent to your voicemail. If you use a standard PIN for your voicemail, the scammer can listen to your voicemail and get the code.

How do you know that your WhatsApp account has been taken over and what happens then?

The fact that you’ve been hacked becomes clear when contacts notify you that they are getting crazy messages from your name and phone number, you no longer have access to WhatsApp yourself or you get a notification that WhatsApp is being used on another device. If the scammer has set up two-step verification themselves, it can take up to a week for you to regain access to your own WhatsApp account.

In addition to sending messages to your contacts, a scammer can see which groups you are in and send messages in these groups to steal money from people. Fortunately, there is also good news: the criminal cannot read your messages. All conversations are stored on your device and are encrypted end-to-end. Therefore, if someone has access to your WhatsApp on another device, they cannot view your messages.

Step-by-step plan: what to do if your WhatsApp account has been taken over

Have you determined that your account has been hacked? Then follow the next steps:

  1. Restore access to your account. Delete the WhatsApp app, restart your phone and download the app again. Log in to your account with your phone number and request a verification code. Once you have entered the code, the scammer will be automatically logged out.
  2. Are you now being asked for the two-step verification code even though you have not set it yourself? This means that the hacker has set up two-step verification and you now have to wait a week before you can log in without the code.
  3. If you can access your WhatsApp, set up two-step verification yourself. Go to Settings> Account and choose Two-step verification.
  4. Do you have access to your account and suspect someone else is using your account via WhatsApp Web or Desktop? Then log out from your phone on all computers.
  5. Are you having trouble with the steps above? Then contact WhatsApp via their site or via Settings> Help> Contact us.
  6. Change the PIN code for your voicemail.

Talk to an Expert

1. We will review your request within 2 hours and contact you.

2. We will check your company and describe the workflow.

3. We will start cybersecurity check.

    Privacy Policy

    Vitaly is a principal consultant at Hackcontrol as wall as aa business and IT thought leader. He has over 15 years of experience in consulting, account management and is a specialist in cybersecurity.