WhatsApp: Account theft with a 6-digit code. Don't fall for it!

A dangerous scam is circulating on WhatsApp : criminals are trying to obtain your 6-digit verification code to hijack your account and access your information. We explain how they operate and the urgent measures to prevent it.

The 6-digit WhatsApp verification code is a fundamental security measure. It's sent to your number via SMS or call when you register your account on a new device to confirm your identity. However, this same tool is the target of a clever scam: cybercriminals try to trick you into revealing this code and then register your number on their device, hijacking your account.

The WhatsApp 6-digit code scam unfolds in three stages, combining technology and social engineering:

• Step 1: Fraudulent Registration Attempt: The scammer obtains your number (through leaks, directories, or randomly) and enters it into a new WhatsApp installation on their phone. This prompts WhatsApp to send an SMS with the 6-digit code to your device. You receive this code without having initiated anything.
• Step 2: The Deceptive Contact (Social Engineering): Using the code sent, the scammer contacts you via WhatsApp (from a compromised or new account), text message, or phone call. They'll pretend to be:
  • A friend or family member will claim an "error" when registering their WhatsApp, urgently asking you to resend them the code that "was sent to your phone."
  • WhatsApp Support: It will claim to have detected a security issue or suspicious activity, requesting a code to "verify your identity" or "secure your account."
  • Someone offering a prize or promotion: They will tell you that you won something or are eligible for an offer, and that you need to share the code received to “validate” your prize.
• The message will always seek to generate urgency, trust or authority.
• Step 3: Code Delivery and Account Hijacking: If you fall for the scam and share the code, the scammer enters it into their WhatsApp account. Since it's the correct code, your account is activated on their device. Your WhatsApp session on your phone will be instantly logged out, as only one active session per number is allowed. You've lost control.

"WhatsApp will never ask you to share your verification code. Treat it like a password and keep it confidential." – Key security tip.

Once a scammer gains control of your WhatsApp account, the consequences can be serious:

• Access to Messages and Contacts: They will be able to read your private and group chats (new messages) and will have full access to your contact list.
• Phishing: The scammer may send messages to your friends, family, and colleagues pretending to be you to:
  • Urgently asking for money, inventing emergencies.
  • Spreading fake news, rumors or malicious links (malware, phishing ).
  • Trying to obtain more codes or sensitive personal information from your contacts, using your credibility.
• Extortion: If your conversations contain compromising information, intimate photos, or sensitive data, the scammer may threaten to reveal them if you don't meet their demands (usually financial).
• Blocking Your Access: While the scammer controls the account, you won't be able to use your own WhatsApp.

Protecting your WhatsApp account is possible by following these security guidelines:

• NEVER share your 6-Digit Verification Code: This is the cornerstone of your defense. Neither WhatsApp nor any legitimate company will request it via text, email, or phone call. It's personal and non-transferable.
• Activate Two-Step Verification (URGENT): This is the most effective way to protect your account.
  • What is it?: Add an extra layer of security with a 6-digit PIN that you create. WhatsApp will periodically ask you for it, and crucially, every time you try to register your number on a new device, in addition to the SMS code.
  • How to activate it: Open WhatsApp, go to "Settings" > "Account" > "Two-Step Verification" > "Activate." Create your PIN and provide an email address to recover it if you forget it.
  • Why it's crucial: Even if a scammer gets your SMS code, they won't be able to activate your account without this PIN, which only you should know.
• Be Wary of Suspicious and Unsolicited Messages:
  • If you receive an unsolicited SMS with a WhatsApp verification code, ignore it. This is a clear sign of an attempted access attempt. Do not respond to any messages requesting this code.
  • If a so-called "friend" or "family member" asks you for a code that "was sent to your number by mistake," verify their identity through a different, secure channel before taking any action. Call their known number or contact them through another social network. Be especially cautious if the message comes from an unknown number, pressures you to act quickly, or the tone is unusually threatening or pleading.
• Check Linked Devices Regularly:
  • WhatsApp allows you to link your account to WhatsApp Web or Desktop. Check this list periodically: in WhatsApp, go to "Settings" > "Linked Devices." If you see anything you don't recognize, log out immediately.
• Set a Strong Voicemail Password: Some scammers may try to get WhatsApp to send the code via voice call, hoping it'll be saved in your voicemail. If your voicemail isn't protected or has a weak password (e.g., 0000, 1234), they could access the code. Set a strong and unique password.
• Educate Your Contacts: Share this information with your friends. The more people who know about this scam, the less likely they are to fall for it and, by extension, the lower the risk to you if someone tries to use a compromised account to scam you.

The effectiveness of this scam, despite its technical simplicity (it relies on social engineering, not complex hacks ), is enhanced by "verification fatigue." Users constantly receive and use codes for banking, social media, shopping, and so on, which can diminish caution. Social engineering exploits our predisposition to help friends or fulfill "official" or urgent requests. Although WhatsApp and other platforms warn against sharing codes, pressure, an elaborate deception, or distraction can cause these warnings to be ignored. This underscores that technical solutions, such as two-step verification (excellent and necessary), must be accompanied by ongoing education and reinforcement of healthy skepticism. It is vital that users develop the habit of proactively verifying their identity, even when faced with requests that appear legitimate or come from known contacts.

If, despite taking precautions, you believe you've been a victim of this scam and your WhatsApp account has been hijacked, it's crucial to act as quickly as possible:

• Try to Regain Control Immediately:
  • Open WhatsApp on your phone and try registering your number again. The system will send you a new code via SMS. If the scammer didn't enable two-step verification on the compromised account, entering this new code should give you back control and log you out of the scammer's account.
  • If the scammer did enable two-step verification with a PIN you don't know, the situation is more complicated. WhatsApp will ask for that PIN. If you don't have it, you'll generally have to wait 7 days before you can try to recover your account without it. During those 7 days, the scammer could continue to use it to send messages, although they shouldn't access your old chat history if it's stored locally on your device and not in a backup they have access to.