WhatsApp code scam: how to spot it and protect yourself
For so many of us, messaging platforms like WhatsApp have become an integral part of keeping in touch with friends, family, and colleagues during the pandemic. Indeed, it may be hard for you to imagine life without this rapid form of communication.
Now, WhatsApp’s two billion users are facing a new security risk, with the discovery of a scam that can take over your phone via a malicious message from a friend in your contact list.
With this form of attack a hacker needs only to know your phone number to remotely deactivate WhatsApp on your phone and then stop you getting back in, permanently – even if you use two-factor authentication (2FA) on your account.
How does the attack work?
The scam uses two separate attack vectors. First, an attacker who knows your phone number requests to activate WhatsApp on a different phone using your details. WhatsApp then tries to verify this login attempt by asking you to confirm an SMS code. If you created your own WhatsApp account, you’ll be familiar with this process.
You will then receive texts from WhatsApp with the six-digit code you need to get back into the account. You’ll also see a WhatsApp app notification, telling you that a code has been requested, and warning you not to share it.
In the meantime, the attacker enters invalid confirmation codes at their end, with the aim of getting you locked out of your account for 12 hours, once WhatsApp deems the login attempts too suspicious and blocks your number from entering any more codes.
Next, the malicious actor registers a new, fresh email address and sends an email to email@example.com – reporting that the phone has been lost or stolen and that the account must be deactivated immediately. They give WhatsApp your phone number to deactivate, which means that an hour or so later WhatsApp suddenly stops working on your device.
To confirm this, you’ll receive the following notification: “Your phone number is no longer registered with WhatsApp on this phone. If you didn’t do this, verify your phone number to log back into your account.”
Then, WhatsApp asks for your phone number so it can send you a code to verify yourself. However, when you try to confirm your number, no text arrives. WhatsApp will tell you this is because you’ve tried to register the number recently, so you now need to wait before requesting an SMS code.
While you haven’t tried to register the device yourself, you might remember all the codes that came through to your phone earlier (as the attacker requested them on your behalf). Here, even if you retrieve the most recent SMS and enter the code into WhatsApp it still won’t work as the number has requested too many codes in the past day.
While after 12 hours you may be able to request a new SMS and verify your account using a new six-digit code, if the attacker waits to email WhatsApp support until the third or fourth 12-hour cycle, WhatsApp appears to break down.
If this is the case, you’ll see this notification: “You have guessed too many times,” the app will say, “try again after -1 seconds.” There is now no way for the attacker to request or enter new codes, and there is no countdown, as you can’t enter anything in -1 seconds. You’re stuck.
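The root of the lockout is that wrong guesses made by anyone who knows the number count against the number itself, so the real owner and the attacker share one lockout. The following simplified Python model is an added illustration, not WhatsApp’s code; the threshold, phone number and code are constructed, and keying the counter by the guessing session is one assumed design that avoids the shared lockout.

```python
from dataclasses import dataclass, field

LOCKOUT_SECONDS = 12 * 3600   # the 12-hour block the post describes
MAX_BAD_CODES = 3             # constructed threshold; the real limit is not stated


@dataclass
class Number:
    code: str = ""                                    # code last sent by SMS to the owner
    bad: dict = field(default_factory=dict)           # counter key -> wrong guesses
    locked_until: dict = field(default_factory=dict)  # counter key -> unlock time


class Verifier:
    """Simplified SMS-code check.
    per_session=False reproduces the weakness in the post: every wrong guess for a
    number, from any handset, feeds one shared lockout counter.
    per_session=True (assumed fix) keys the counter by the guessing session, so a
    stranger's guesses cannot block the real owner."""

    def __init__(self, per_session: bool):
        self.per_session = per_session
        self.numbers: dict[str, Number] = {}

    def _key(self, session: str) -> str:
        return session if self.per_session else "*"

    def send_code(self, phone: str, code: str) -> None:
        self.numbers.setdefault(phone, Number()).code = code

    def verify(self, phone: str, session: str, guess: str, now: float) -> str:
        n = self.numbers.setdefault(phone, Number())
        k = self._key(session)
        if now < n.locked_until.get(k, 0.0):
            return "locked"
        if n.code and guess == n.code:
            n.bad[k] = 0
            return "ok"
        n.bad[k] = n.bad.get(k, 0) + 1
        if n.bad[k] >= MAX_BAD_CODES:
            n.locked_until[k] = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_code"


def replay(per_session: bool) -> str:
    """A stranger burns the wrong guesses; the owner then enters the real code."""
    v = Verifier(per_session)
    v.send_code("+15550001111", "123456")  # constructed number and code
    for _ in range(MAX_BAD_CODES):
        v.verify("+15550001111", "stranger", "000000", now=0.0)
    return v.verify("+15550001111", "owner", "123456", now=60.0)
```

`replay(False)` returns "locked" even though the owner typed the genuine code, while `replay(True)` returns "ok".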
So, what can you do to prevent this?
As WhatsApp has not yet confirmed that it plans to fix this vulnerability, there are some key things you should do to protect your account:
- Enable 2FA to prevent other forms of account hijack, and add an email address there: if an attacker sets up a new email address to contact WhatsApp support, this helps WhatsApp spot that the message is likely from a fake account claiming to be you.
- Watch for warnings that someone has requested your verification codes, and if that persists, contact WhatsApp Support right away at firstname.lastname@example.org.
- Educate your friends and family about this new form of attack, so that they can be prepared to take steps should it happen to them.
- If you are very concerned, switch to another messaging service, such as Signal or Telegram.
With so many people relying on WhatsApp as their primary communication tool for social and work purposes, it is important to always be vigilant and to report when something on your account seems suspicious.
For our other advice on how to handle online scams, see these posts: