Six-Digit OTP Code Trap: How Scammers Hack Your WhatsApp Account

Breaking down the WhatsApp six-digit code scam

Rupinder Kaur
WebQoof

Scammers re-generate verification codes for WhatsApp to hack your account.

(Photo: The Quint)


Recently, a chain of WhatsApp hackings by scammers posing as friends and colleagues came to light when staff of Delhi University were targeted.

Victims received a message from a known contact saying the contact had accidentally sent a code to the victim’s phone number and urgently needed it. Many forwarded the code to the sender, after which their WhatsApp account was compromised. Once the scammers accessed these accounts, they targeted others on the victims’ contact list.

This is a common hacking technique in which fraudsters take over WhatsApp by tricking users into sharing their verification codes. Let’s break down their process and, more importantly, what you can do to stop it before you get logged out of your account.

Modus Operandi

  • Six-digit Code: You receive a WhatsApp text from an individual (usually a contact on your phone) saying they urgently require the six-digit code, which they accidentally sent to your number via SMS.

  • Account Takeover: Once you share the code received via SMS from WhatsApp, you will be logged out of your account, which is now under the scammers’ control. 

  • Mass Hacking: The scammers now have access to your WhatsApp contacts and will impersonate you, repeating the same process to trap more victims.

  • Money Transfer: Scammers might also use your account to ask your contacts for money, claiming there is an emergency. Since the request comes from a known individual, people are more likely to fall for it.

  • Expanding the Scam: They might also send malicious links that install malware or spyware, which can steal your personal information, including bank details, IDs and passwords.

Red Flags

  • If you receive a WhatsApp registration code and have not initiated or requested it, then someone is trying to access your account. 

  • A message from a contact claiming they “accidentally” sent the code to you is a scam, as WhatsApp will never send someone else’s code to your number.

  • A contact messaging you with urgent or unusual requests or sending across unknown links needs to be viewed with suspicion.

  • If you suddenly get logged out of your account and are unable to log back in, this suggests that your account has been hacked.


What To Do

  • Decline: Do not forward the WhatsApp registration code that you received via SMS to the sender.

  • Verify: You can always audio or video call the sender to confirm whether they sent the messages on WhatsApp. If they do not answer, use other platforms, such as messaging apps, SMS, or email.

  • Pause: Do not click on any link the scammers send across.

  • Log out: If you use WhatsApp on devices other than your primary phone, go to WhatsApp ‘Settings’, tap on ‘Linked devices’, and log out of unknown devices.

  • Two-Step Verification: WhatsApp allows you to add an extra layer of protection by setting up a six-digit PIN. Here’s how you enable it:

    WhatsApp ‘Settings’ > Account > Two-step verification > Turn on > Create 6-digit PIN > Confirm your PIN > Add email (in case you forget your PIN)

  • Re-register: If your account was stolen, reinstall WhatsApp on your phone and generate a registration code, which you will receive via SMS. Once you re-register, the scammer using your account will be logged out automatically.

  • Warn: Inform your contacts that your account has been hacked and that they should ignore any messages they receive from it.

  • Notify: If you’re unable to regain access, file a complaint with WhatsApp via their Grievance Channel. You can also file a complaint with the local police and call the national cybercrime helpline number—1930.

(The Quint's Scamguard initiative aims to keep up with emerging digital scams to help you stay informed and vigilant. If you've been scammed or successfully thwarted one, then tell us your story. Contact us via WhatsApp at +919999008335 or email us at myreport@thequint.com. You can also fill out the Google form and help us take your story forward.)
