Two days ago, Nichola, a colleague, informed me that she had received a message from her friend on WhatsApp (WA) asking her to share a six-digit code sent to her mobile via SMS. The friend claimed the code was sent by mistake. Nichola called her friend on WA, but there was no response, so she ignored the message and the code received in the SMS. When she informed me about the incident, I told her to check if her friend's WhatsApp account had been hacked and to tighten security measures on her own WhatsApp. Her friend's WhatsApp account was, indeed, hacked and the hackers were attempting to hack into her WhatsApp contacts, including Nichola's. The code she received came from an official number, that is, a header used by WhatsApp. But it was sent in order to set up her WA account on a new device. This is quite a scary situation and, unless you are careful, you may inadvertently end up handing over your WhatsApp account to fraudsters.
Social media platforms like WhatsApp have become integral to our daily lives. It is no wonder, then, that cybercriminals are increasingly attacking WhatsApp accounts to perpetrate fraud.
A WhatsApp hacking scam involves fraudsters gaining unauthorised access to a user's WhatsApp account, typically to impersonate them, access private messages, or steal sensitive information. These scams involve tactics such as social engineering, malware, or exploiting vulnerabilities.
A common method used by these criminals is to steal the verification code. This is how it happens: the scammer contacts you or someone close to you, pretending to be from WhatsApp or a friend, and asks for the six-digit verification code sent to your phone. This code is necessary to set up the user's WhatsApp account on a new device, in this case, a device used by the fraudsters.
Once they have the code, they can log in to your WhatsApp account on their device, locking you out and gaining access to your messages and contacts. As my colleague witnessed, the fraudsters can repeat the process to gain access to WhatsApp accounts of all contacts stored in the hacked account.
Two other methods used by cybercriminals to hack into WhatsApp are sharing phishing links or malicious apps, and sharing QR codes generated to enable the use of WhatsApp on the web. Scammers send phishing links urging the user to click them. Such links can install malware on your device and steal your WhatsApp credentials and personal information stored on the device. Similarly, fraudsters share a QR code to allow you to use WhatsApp on the web. However, the web portal opened after scanning the QR code resembles an authentic one but is, of course, fake, and it allows fraudsters to view and control your chats.
One more method used by fraudsters is SIM swapping. However, this takes time and effort and, hence, is usually used to gain access to banking or financial accounts to steal money. WhatsApp allows payment through Unified Payments Interface (UPI), but not many people in India use it. In other words, it is not worth the time and effort of hackers to use SIM swapping to access WhatsApp accounts.
This brings us to the most important question: How can we protect our WhatsApp account from getting hacked? Here are a few suggestions...
1. Enable Two-step Verification
WhatsApp offers a two-step verification feature requiring a second PIN code (besides the 6-digit SMS code) to log in. Go to Settings > Account > Two-step verification > Turn on or Set up a PIN.
However, remember to set a PIN that is easy to remember because, if you forget it, you will have to wait for seven days before WhatsApp allows you to reset the PIN.
You can also update the email address associated with two-step verification, which allows you to reset two-step verification and helps safeguard the WhatsApp account.
This additional layer of security prevents scammers from accessing your account, even if they get your SMS code.
2. Never Share your Verification Code
To protect the account, WhatsApp sends a push notification when someone tries to register a WhatsApp account with your phone number. When you receive this notification, it means that someone has entered your phone number and requested the registration code. Sometimes, it may be a genuine mistake if another user mistyped your number while registering her own number on WhatsApp.
But in any case, never share your WhatsApp verification code with others.
WhatsApp never asks for your verification code, nor should anyone else. If someone asks for it, assume it's a scam.
3. Be Cautious of Phishing Links
Avoid clicking on suspicious links, even if they come from trusted contacts. Always double-check the URLs and ensure the source is legitimate before proceeding.
4. Secure Your SIM Card
You can set up a PIN to lock your SIM card. When this feature is enabled, you need to provide the PIN to unlock and use your SIM. You can get the default PIN from your mobile service provider or create one from the device settings. For example, on Samsung Galaxy mobiles, you can go to Settings > Security & privacy > More security settings > SIM card lock and set up a PIN. A SIM card PIN adds extra protection for your SIM, especially from swapping attacks.
5. Use Strong Device Security
Set up a strong lock screen password or biometric authentication (fingerprint or face recognition) to prevent unauthorised access to your phone.
6. Monitor Unusual Activity
If you receive notifications about WhatsApp activity you didn't initiate (like a new login attempt or code request), immediately log out of all sessions and secure your account.
7. Log out of WhatsApp Web
Regularly check your WhatsApp Web sessions to ensure no unauthorised devices are connected. Go to Settings > Linked Devices to view and log out of sessions that you do not recognise or have not started.
By following these precautions, you can significantly reduce the risk of falling victim to WhatsApp hacking scams. If you suspect your account has been compromised, immediately alert WhatsApp support and notify your contacts of the potential breach.
Also, beware of 'security' messages spread by some so-called experts. In one such message, 'a master expert' gives a 'tip' to make WhatsApp accounts 100% secure from hackers by enabling 'protect internet protocol (IP) address in calls' and 'disabling link previews'.
Unfortunately, this gives just a false sense of security. Your WhatsApp account can be hacked even after you have enabled these settings. This is because protecting IP addresses in calls and turning off link previews (when someone shares a link in a WA message, you can see its preview or a small image) have nothing to do with the hacking of an account. If you are worried about your IP address, then you need to use a virtual private network (VPN), and not the built-in settings of WhatsApp, to protect it during calls.
Stay Alert, Stay Safe!