New WhatsApp verification code scam and how to protect WhatsApp account from hackers

Who is not familiar with WhatsApp, the Facebook-owned messenger app? WhatsApp is a primary communication channel for 2 billion users. We are sad to report a new WhatsApp verification code scam that thousands of users have reported. Please be aware of this scam and let others know how to protect their WhatsApp accounts from hackers.

Who Can Be the Victim of This ‘WhatsApp Verification Code Scam’?

This attack could be targeted at any of the 2 billion WhatsApp users. It could be a random user or a potentially targeted user. We urge you to be aware and make others aware of this WhatsApp verification code scam and protect your WhatsApp account from hackers.

Symptoms of the ‘WhatsApp Account Suspension Attack’:

Before we jump into how it works, let us tell you about the symptoms of the WhatsApp account suspension attack.
No technical knowledge is required to understand this attack. You will start receiving multiple verification messages on your phone number, each with a six-digit verification code. You could get more than 5 to 6 verification messages within a very short amount of time. You can’t do anything to stop those messages, but you can ignore them all and report them to the WhatsApp support team. Ignoring the messages and reporting them are the two best ways to stay safe from this attack.

How Do Attackers Hijack WhatsApp Accounts in This New ‘WhatsApp Verification Code Scam’?

Now it’s time to look at how an attacker uses your phone number to deactivate your WhatsApp account on your phone and stop you from getting back in. You may say that you have two-factor authentication (2FA) enabled on your WhatsApp account, and you may not believe it, but WhatsApp’s two-factor authentication does not prevent the attack. Here is how this WhatsApp attack works.

  1. First, the attacker will get your phone number. The attacker has multiple ways to get your phone number and other information: (1) the dark web, (2) social media sites, (3) social engineering attacks, (4) phishing, and (5) the WhatsApp app itself. You might be aware of what security researchers recently revealed about the Facebook data breach, in which 533 million Facebook users’ phone numbers and personal data were leaked online.
  2. You might know that whenever you install the WhatsApp app on your phone, it asks you to enter your phone number. In the next step, it sends a six-digit verification code to your phone number for verification. Attackers use this verification process as a weakness. The attacker will install the WhatsApp app on his phone and enter your phone number. Then you will receive a six-digit verification code or a call from WhatsApp.
  3. The attacker repeatedly enters an incorrect verification code. You will repeatedly receive verification codes from WhatsApp as the attacker keeps trying wrong codes in the app.
  4. WhatsApp has a limitation policy to stop brute-forcing. Under this policy, WhatsApp limits the attacker. After a few attempts, the attacker’s WhatsApp says: “Resend SMS/Call me in 12 hours,” stops generating new codes to your phone number, and blocks code entry on the app for the next 12 hours. However, nothing changes in your own WhatsApp. It will continue to work as before. There is not much you can do to stop all this.
  5. The real game starts now. Anything can happen in these 12 hours. It depends purely on your actions. If you report these verification messages to WhatsApp support and ignore all of them, you are safe. If you try reinstalling and reverifying WhatsApp on your phone, there is a high chance of losing your WhatsApp account.
  6. By the time you complete the re-verification process on your phone, the attacker will use an email ID (stolen or compromised) to write a complaint to [email protected], asking to deactivate your number.
  7. WhatsApp will send an auto-generated email to the attacker’s email ID asking to enter a new phone number. WhatsApp doesn’t have any mechanism to confirm whether it was really you who made the deactivation request, and it completes the deactivation process. All of this happens automatically, without your knowledge.
  8. After a couple of hours, your WhatsApp stops working on your phone, and you see a notification: “Your phone number is no longer registered with WhatsApp on this phone. This might be because you registered it on another phone. If you didn’t do this, verify your phone number to log into your account.”
  9. At this point, if you try reactivating your phone number, your app will say, “You’ve tried to register your number recently. Wait before requesting an SMS or a call.” You will not receive a verification code or a call on your phone number, because your number is subject to the 12-hour restriction. You can’t request a new code until the 12 hours are over, and your most recent code will not work either. Your account is frozen.
  10. After the 12-hour freeze, you can reverify your account with the six-digit verification code. But there is a twist at this point. The attacker, rather than writing to WhatsApp to deactivate, could repeat the process after the 12 hours have elapsed. You will receive a few more verification messages if the attacker does so.
  11. When the attacker repeats the process for the third time, WhatsApp breaks down and says, “You have guessed too many times; try again after -1 seconds”. The app blocks both the attacker and you from requesting and entering a new code.
  12. In this race, if the attacker reaches WhatsApp before you, you are too late. You have no options left against the attacker. You will have to contact WhatsApp and find someone who can help.

How WhatsApp Can Address This ‘WhatsApp Verification Code Scam’?

This automatic verification system, with its 12-hour freeze, is what triggers the issue. We recommend that WhatsApp address it. Blocking someone from their own account shouldn’t be this easy. It would not be difficult for WhatsApp to address this with a trusted device system, as Apple does to manage multi-device login.
Whenever WhatsApp detects multi-device access, only the 2FA-verified app on the first device should be able to authorize the app on the second device, instead of the second device going through the same 2FA authentication. This solution could fix this vulnerability.
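
The design change proposed above, as an added sketch that is not WhatsApp's code and not from the original article: a toy registration throttle keyed on the phone number alone, next to one keyed per device where only the trusted device can approve a new one. The class names, the three-request limit and the sample number are assumptions.

```python
from dataclasses import dataclass, field

# Toy model: every name here is hypothetical, not WhatsApp's API.
LOCKOUT_SECONDS = 12 * 3600  # the 12-hour freeze the article describes
MAX_REQUESTS = 3             # assumed; the article only says "a few attempts"
NUMBER = "+10000000000"      # constructed sample number

@dataclass
class Throttle:
    """Counts code requests per key and freezes a key that exceeds the limit."""
    counts: dict = field(default_factory=dict)
    frozen_until: dict = field(default_factory=dict)
    def allow(self, key, now):
        if now < self.frozen_until.get(key, 0):
            return False
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > MAX_REQUESTS:
            self.counts[key] = 0
            self.frozen_until[key] = now + LOCKOUT_SECONDS
            return False
        return True

class PerNumberService:
    """Weak design: one freeze per phone number, shared by every device."""
    def __init__(self):
        self.throttle = Throttle()
    def request_code(self, number, device, now):
        return self.throttle.allow(number, now)

class TrustedDeviceService:
    """Hardened design: freeze per (number, device); new devices need approval."""
    def __init__(self, trusted):
        self.throttle = Throttle()
        self.trusted = dict(trusted)  # number -> device currently holding the account
    def request_code(self, number, device, now):
        return self.throttle.allow((number, device), now)
    def register_new_device(self, number, device, approved_by):
        # Only the already-trusted device may authorize a second device.
        if approved_by != self.trusted.get(number):
            return False
        self.trusted[number] = device
        return True

def owner_locked_out(service, now=0):
    """Another device hits the limit; is the owner's device frozen as well?"""
    for _ in range(MAX_REQUESTS + 1):
        service.request_code(NUMBER, "other-device", now)
    return not service.request_code(NUMBER, "owner-device", now + 60)
```

With the per-number key the owner's device inherits a freeze it did not cause; with the per-device key it does not. A real service would still need a separate cap on how many SMS messages are sent to one number.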

How You Can Protect Your WhatsApp Account From Hackers?

Hackers always discover new ways to hijack WhatsApp accounts. As the owner of the account, it’s your prime responsibility to protect it from all such attacks. In this WhatsApp verification code scam, there is nothing you can do as a user to stop the attack itself. But you can’t sit silent and leave all the responsibility to WhatsApp. There are a few things in your hands that help protect your WhatsApp account from being hacked.

  1. Report to WhatsApp support: If you start getting multiple verification messages in a short amount of time, please report to WhatsApp support. Don’t react to those messages. This is a clear indicator that someone is attempting to register using your phone number.
  2. Don’t try reinstalling the app: This is a common mistake most people make. Please don’t try to reinstall and reverify your account. If an attacker reaches the maximum number of attempts, WhatsApp will block you from the re-verification process for 12 hours. You are going to lose your account for at least 12 hours. Don’t make the mistake of reinstalling the app.
  3. Enable two-step verification: Enabling two-step verification is one of the best ways to protect your account. The key factors for securing your account are the six-digit PIN and the email address. Using your email address to set up two-step verification helps the WhatsApp support team identify that it was you.
  4. Set a lock on WhatsApp: When you set up a six-digit PIN, WhatsApp will ask for the PIN when someone tries to set up your account on another device. This will work as a shield against the attack.
  5. Export chats and delete: It is always a good idea to export your chat data to your email or cloud storage and protect it with a password, as the default export is not encrypted. Then delete the complete chat history.
  6. Move the backups to external storage: This option is only for Android users. Android users can export the backup to external storage and delete the backup. This would protect your data from being accessed by the attacker.
  7. Install WhatsApp updates: Always upgrade your WhatsApp app without fail whenever a new version is available. This ensures that many bugs and vulnerabilities that existed in old versions get fixed.

Please read this article and share it with your friends and family so that you protect them from being victimized by this WhatsApp verification code scam and protect their WhatsApp account from hackers.

Thanks for reading this article. Please visit our blog to read more articles like this.


About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional and founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.


  1. This is exactly what I'm going through right now.
    I am currently at the stage where my account is blocked and I cannot log back in.
    And it's been over 12 hours.
    I have reached out to WhatsApp support but they haven't been really helpful.
    They keep repeatedly giving me standard FAQ responses.
    Their last response to me was that my account has been blocked by the 2 step authentication (no duh, I set that up myself).
    And to re-access I would need to send myself the 6 digit code and reenter the 2 step authentication.
    But the problem is I cannot even get back into my account period to do this.
    They said that if I didn't set up the code, I'd have to wait 7 days to reset my PIN.

    Even if I was able to get back in, I'm afraid the hacker would just keep attempting again to send codes until I'm locked out again.

    Not sure if there's anyone who's experiencing this and has some further insight.

    1. This is very bad to hear! You are the 3rd person who reported this problem to me. Two people who reported this issue got WhatsApp access restored. In both cases, they didn’t lose access. So, it helped them to restore access.

      It looks like it is impossible in your case, as you are logged out from the WhatsApp account. WhatsApp support is the only hope you should trust.

      Please share what you did to recover. That would help other people in such crises.

  2. Hi,
    I have the exact same issue and my WhatsApp was hacked and I can no longer receive a verification code when I try to relog in.
    How can I regain access to my account?
    Should I be worried that my number was hacked?

    1. The best way is to report this to WhatsApp support. They will help you regain your access. Let me know if you face any issues in getting in touch with WhatsApp support.
