How to prevent your WhatsApp account from being hijacked

Ever get a message from a friend on WhatsApp that seemed slightly off? Maybe they ask you for a quick favor, or they send you an unusual link. But because it’s coming from someone you know, you might just comply or click without thinking. This is one of the most common ways scammers can hijack your WhatsApp account.

Messaging app takeovers rarely require breaking encryption or exploiting complicated software flaws. Most of the time, they rely on a simple social engineering trick built around exploiting trust. And once a scammer has access to your WhatsApp account, they can often reach your other accounts or hijack your contacts in turn, creating a snowball effect.

Read on to find out how WhatsApp hijacking often works and what you can do to protect yourself.

What is WhatsApp hijacking?

A WhatsApp account is considered hijacked if someone else has taken control of your account and is using it as if they were you. Once that happens, they can:

  • Message your contacts
  • Ask for money
  • Send phishing links
  • Join group chats
  • Impersonate you

Your friends and family, who may not be especially vigilant either, won’t question these messages, since they appear to come from someone they know.

How WhatsApp hijacking can snowball

Sometimes it can start with a contact asking you for a verification code, sending you a message like:

“Hey, I accidentally used your number for a code. Can you send it to me quickly?”

If you’re not paying attention, you might just send that code right away. It is, of course, the login code for your own WhatsApp account, and sharing it lets the scammer register your number on their device and lock you out.

Another recent tactic is known as GhostPairing. Here, a known contact again messages the victim, saying something like:

“Hey, I just found your photo!”

The message comes with a link. If the victim taps it, they land on a page that looks like Facebook: a phishing site. But instead of stealing Facebook credentials, the page walks the victim through WhatsApp’s device-linking process. This adds the scammer’s device as a linked device on the victim’s WhatsApp account, with no verification code needed.

From then on, the scammer can read the victim’s chats, pose as the victim, and continue hijacking more WhatsApp accounts. The scam works so well because it looks like a friend asking for help or simply sharing a fun meme. It’s always worth being cautious when you receive an online message, no matter who it’s from, especially when they ask for something out of the ordinary or send you to a page that requires logging in.

How to protect your WhatsApp account

The good news is that setting up a few basic protections can prevent you from becoming a victim. 

Turn on Two-step verification

This is the most important step, and it only takes a couple of minutes to implement. WhatsApp’s Two-step verification adds a PIN you must enter when your number is registered on a new device. Even if someone gets your SMS code, they will still need your PIN. To enable it:

  1. Open WhatsApp
  2. Go to Settings
  3. Tap Account
  4. Tap Two-step verification
  5. Create your PIN

Protect your SIM card

Some hijacking attacks involve SIM swap fraud, where criminals convince a mobile provider to transfer your number to a new SIM card. You can reduce the risk by doing the following:

  • Add a carrier PIN (often called an account or port-out PIN) that must be supplied before your number can be transferred to another provider or SIM.
  • Use your mobile provider’s account security features.
  • Avoid sharing personal details publicly.

Learn more from the Federal Trade Commission’s guidance on SIM swap fraud and prevention.

Lock your phone properly

If someone can easily unlock your phone, they can access your apps and contacts. Safeguard your phone by adding a biometric lock, a strong passcode, or an automatic screen lock. You can also review WhatsApp’s general security recommendations.

Never share a WhatsApp verification code

Nobody else should ever need your WhatsApp verification code, even if they claim to be a friend or customer support. If a contact asks for it, their own account is likely already compromised. WhatsApp will never ask you to forward a verification code to another person.

What to do if your account is already hijacked

If you think you’ve lost access, it’s essential to act quickly and do the following:

  • Try logging in again immediately – Open WhatsApp and re-register your number. If you still control your phone number, you may be able to lock the attacker out. Read WhatsApp’s official account recovery guidance.
  • Secure your email and SIM – Change your email password, enable multi-factor authentication, and contact your mobile provider if you suspect SIM swap activity.
  • Warn your contacts – This step stops the snowball. Use another channel and tell people your WhatsApp was compromised, to ignore suspicious messages, and not to send codes or money.

Quick 5-minute security checklist

Preventative measures aren’t complicated and can be carried out in just a few minutes.

  1. Enable Two-Step Verification
  2. Add a carrier PIN
  3. Lock your phone
  4. Never share verification codes
  5. Call contacts to verify suspicious messages

The takeaway

WhatsApp hijacking scams don’t rely on advanced hacking; they rely on trust and human error. Implementing strong security settings is vital, but so is thinking critically about the messages you receive. Even if a message seems urgent, always stop and think, especially if someone is asking you to hand over sensitive information. And remember: nobody should ever have access to your personal verification codes.
