Engadget reports on a new scam to steal your WhatsApp account in which one of your own contacts is the vector of the attack. If someone asks you for a six-digit code that you have just received in a chat, don't give it to them, because that code is all it takes to take over your account.
This is the verification code that WhatsApp sends as a push notification to your mobile when someone tries to register a WhatsApp account with your phone number. It is a security measure that exists precisely to prevent someone from registering an account with someone else's number by mistake, or to prevent a third party from taking over your account.
How to protect yourself from phishing or spoofing scams
The scam is effective because the message you receive comes from a known contact and looks harmless, when in reality that contact has already been a victim of the phishing and has lost their account. Someone else is impersonating that person to do the exact same thing to you.
If you have ever registered your WhatsApp account on another phone, you probably remember this process, but many of us don't know the details and have no reason to believe that Uncle Juan Carlos wants to steal our account, so it is easy to fall for it and hand over the code in good faith.
The most important thing with this type of scam is to ask yourself why the hell someone would need a code that is arriving on your own mobile, and how they could have sent it to you "by mistake" when it is WhatsApp that sends it to you via SMS.
Phishing scams are based on impersonating someone you trust in order to lower your defenses and stop the light bulb of suspicion from turning on.
Enabling WhatsApp 2-Step Verification is the simplest way to avoid losing your account even if you are tricked by this scam
WhatsApp does not allow you to use an account on more than one mobile phone at the same time, so if you hand over this code and the other person manages to verify the registration of your number on their phone, you will be left without access to your account and the attacker will have access to all your conversations.
An extra layer of security that makes this scam useless against you, even if you hand over the code that arrived via SMS, is WhatsApp's two-step verification. With it enabled, the SMS code alone is not enough: WhatsApp will also ask for the six-digit PIN that you set when you activated two-step verification.
What to do if you lose access to your WhatsApp account
If you did fall for this scam, you have a few options to try to recover your account. The first, and probably the most effective, is to register your account again by requesting a new WhatsApp verification code via SMS.
This is the only way to verify a phone number, since WhatsApp only sends the codes via SMS. Once you enter the six-digit code, the session of the person who had access to your account is automatically closed.
The only way this can fail is if the attacker was clever enough to turn on WhatsApp's two-step verification before you managed to re-register your account. In that case, you must wait seven days before you can verify your number without the two-step verification PIN.
Regardless of whether you know the two-step verification PIN or not, the session of the person with access to your account is closed as soon as you enter the six-digit code sent by SMS.
This is a WhatsApp security measure for dealing with stolen accounts; unfortunately it means seven days without access to your account while someone else snoops in it. The next thing you should do is close all sessions on computers as an additional precaution.
If none of this works, you can opt to send an email to firstname.lastname@example.org including the phrase "Lost / stolen phone: Please deactivate my account" in your message, together with your phone number in full international format, so that WhatsApp deactivates your account.