It started with a moment of confusion that felt almost trivial. A Mumbai-based accountant received a message from a colleague asking why he had sent her a strange photo link at a late hour. He hadn’t. A few hours later, his phone began ringing again, this time from family members. They were seeing odd links in messages he sent in their WhatsApp group, replies that didn’t sound like him and messages sent when he was actually sleeping.
The unsettling part was that nothing seemed wrong with his phone. WhatsApp was working. Messages were coming in and calls were going through. And yet, his WhatsApp account was behaving as if it had been possessed by some ‘ghost’!
In Coimbatore, a senior citizen noticed something equally strange. Bank-related conversations were appearing in his WhatsApp account, even though he had never started any of them. It was only when his son checked the app settings days later that the problem became obvious. An unfamiliar browser was listed under ‘linked devices’ in his WhatsApp account. By then, private chats, family discussions and shared documents had already been exposed.
These are not isolated stories. Cybersecurity agencies, including India’s Computer Emergency Response Team (CERT-In), have flagged a fast-spreading WhatsApp account takeover campaign that does not rely on breaking passwords or hijacking SIM cards. It relies on something far simpler and more dangerous: deception.
The technique is known as GhostPairing and what makes it effective is how quietly it works. In many cases, victims don’t realise anything is wrong until days later.
The scam usually begins with a short, casual message from someone you already know. The wording is deliberately vague: “Hi, I found your photo” or “Check this picture.” There is a link, often with a Facebook-style preview that feels familiar and safe.
Most people click on the link.
It opens a page that looks convincingly like Facebook. Same colours. Similar layout. Familiar branding. It asks you to ‘verify’ yourself before viewing the photo. There is no sense of urgency, no obvious red flags. Just a routine-looking step that people complete without much thought.
That is exactly the trap.
The page has no connection to Facebook at all. What it is really doing is abusing WhatsApp’s own device-linking feature, the same one people use for WhatsApp Web or desktop access, and specifically its ‘link with phone number’ option, which lets a computer join an account by code instead of by QR scan. The page asks for your phone number and feeds it into a WhatsApp Web session that the attacker controls. WhatsApp generates a genuine pairing code for that session, the bogus page displays it to you, and it instructs you to type the code into WhatsApp on your phone to ‘proceed’.
By doing exactly what you are told, you end up linking the attacker’s browser as a trusted device.
No password is stolen. No SIM card is touched. From WhatsApp’s point of view, everything is legitimate because you approved the connection yourself.
Once that extra device is linked, the attacker gains almost full WhatsApp Web-level access. They can read messages as they sync, see new chats in real time, view photos, videos and voice notes and send messages pretending to be you. Meanwhile, your phone continues to work normally, which is why the breach often goes unnoticed.
Many attackers do not act immediately. They sit quietly, reading conversations, learning how you write, understanding who you trust. Later, they use your account to send the same ‘photo’ message to your contacts, like your family members, colleagues and in your groups. Because the message comes from someone familiar (you, in this case), more people are likely to fall for it. The cycle repeats.
CERT-In has classified this campaign as high risk. What makes GhostPairing especially troubling is that it uses WhatsApp exactly as it was designed to work. There are no warning alerts. No sudden lockouts. And, unless you check manually, the attacker’s access stays active.
There is a bigger issue here. As apps increasingly rely on QR codes, pairing prompts and ‘approve on your phone’ flows for convenience, users are rarely informed of what they are actually authorising. In that gap between ease and understanding, social engineering thrives.
How To Protect Your WhatsApp Account
Protecting yourself is not complicated. It just requires awareness.
1. Start by checking ‘linked devices’ regularly. Open WhatsApp, go to Settings (the three vertical dots in the top right-hand corner on Android, or the Settings tab at the bottom on iPhone) → Linked Devices and review the list. If you see anything you do not recognise, log it out immediately. That single step cuts off hidden access.
2. Treat pairing codes the same way you treat passwords. Never scan a WhatsApp QR code or enter a numeric pairing code unless you are deliberately linking your own computer or tablet. Remember, no website requires access to your WhatsApp account to display photos or videos.
3. Be cautious even with messages from people you know. If someone sends an unexpected link claiming to show photos, documents or videos, verify it through a quick phone call (do not use WhatsApp calling). Their account may already be compromised.
4. Never enter your phone number on external pages claiming to be from Facebook or WhatsApp. Legitimate platforms do not work that way.
5. Turn on two-step verification in WhatsApp. It won’t stop every trick, and it does not by itself block device linking, but it adds a valuable layer of protection against attempts to re-register your number. Open WhatsApp, go to Settings → Account → Two-step Verification. Turn it on and create a six-digit personal identification number (PIN) that is easy for you to remember and hard for everyone else to guess. Avoid using your own date of birth or that of your near and dear ones.
6. And talk about it. Scams like these spread because people are unfamiliar with them. A simple warning in a family group or office chat can prevent multiple accounts from being compromised.
Do remember, GhostPairing does not defeat encryption or break WhatsApp’s security. It does something far more effective: it convinces people to open the door themselves.
In a digital world built for speed and convenience, awareness remains your strongest defence.
Stay Alert, Stay Safe!