WhatsApp hacking: the new method hackers are using and how to protect your WhatsApp account

In recent weeks we have seen a surge in the number of phishing and hack attempts on people’s emails, computers, social media, and even WhatsApp. The global statistics for cybercrime are frighteningly high and it is clear that the unprecedented public health emergency we are living through has seen a surge in cyber crime. Every imaginable scam, from phishing to malware, and from delivery hijacks to counterfeits, has grown exponentially in recent weeks. It’s a trend that sadly shows no signs of abating. 

We have been sharing tips on how to prevent email phishing scams for many years, and so here, we are going to focus on the increasing number of WhatsApp hacks as it is one you can easily protect against, but, chances are you have left yourself exposed. It takes 30 seconds to fix this so take action and protect yourself now – here’s how.

This hack is scarily very simple: Your WhatsApp account is linked to your phone number. When you install WhatsApp onto a new phone, the app does not know the number of the phone it has been installed on. Instead, it asks you for your phone number, then texts you a code – this simple process can leave you highly vulnerable and open up a massive opportunity for fraudsters. The WhatsApp Hack is a socially engineered theft of these SMS authentication codes, enabling attackers to hijack accounts and then use those accounts to target the victim’s contacts with requests for money or malware-laced attachments and this is how it works:

How it works

  1. An attacker gets holds of your number from the compromised account of a friend. They install WhatsApp on a device and enter your number as the account—the system then texts you the SMS code.
  2. The attacker sends you SMS or messages you on Facebook, pretending to be your friend and claiming to be locked out of their phone. They say they’ve asked the network to text you their unlock code—please forward it to them.
  3. That code is actually a WhatsApp authentication code for your account. As soon as you send the attacker the code, your WhatsApp is hijacked. It is as simple as that.

The attacker won’t have your contacts or message history, but they will receive your new messages and see those contacts and other members of groups you belong to. With your account under their control, the attacker can message your contacts and subsequently hijack more accounts…


What next?

The usual intent of the attack is to use a hijacked WhatsApp account to ask for money, to claim an emergency or an account lock-up, and to ask friends to help out, to phish for banking details, email passwords, you name it! It’s a concerning invasion of privacy too as the attacker will see the groups you are in and all of the new messages you receive. It is a crude attack, but it has proven exceptionally effective. This is social engineering at its best—we are coded to trust and help out our friends.


How to protect yourself

The most obvious advice is NEVER to send any verification code to anyone unless you are 100% sure it is legitimate – always a good idea to drop them a call to check. A much quicker and more secure fix is to set up two-step authentication on your WhatsApp. This can be accessed under the Settings-Account from within the app. It takes less than a minute to set up. The PIN is for you to select, and even has the option of a backup email address.  WhatsApp will periodically ask you to enter the code when using the app, this is part security and part to help you remember the code, given how rarely you change device. WhatsApp will ALWAYS ask you for the PIN when you change phones and so it will secure you properly from this particular hack.


How to recover hacked WhatsApp account

In order to get back your hacked WhatsApp account, you need to log-in again to WhatsApp with your phone number. You will receive a six-digit verification code via SMS that WhatsApp reads and logs you in automatically. Once you log-in, the hacker will be automatically logged out of your account.

Unfortunately, there is a nasty new twist to this hijack. Attackers are setting up PINs in hijacked accounts to make it more difficult to recover stolen accounts. So when you reinstall the app, you’re asked for a PIN number you don’t have. WhatsApp has got wise to this, and as soon as you enter the SMS code it locks out the attacker, but you, the account owner still need to wait seven days to reclaim the account. Notably, while you wait for account recovery, the hacker can no longer access your account.

WhatsApp is unlikely to respond to support requests to help restore a stolen account, but you can find full details on its support site explaining what you should do, or you can contact us at Tekkie Help.

Key take away

To save your WhatsApp account from scams, never share your activation code with anyone. Also, do not forget to activate the two-step verification for a safer experience, it only takes about 30 seconds – the security and the use of your WhatsApp account depends on it!

If you need advice in securing your email, devices and social media from cyber attacks, or are actually a victim of cybercrime and need help in securing your accounts and ensuring the hackers no longer have access, give us a call on 811838682 and we can send a Tekkie Specialist to assist.

Leave a Reply

Your email address will not be published. Required fields are marked *