Week 45: Don't trust every message you get from a contact

14.11.2023 - The NCSC is once again observing a rise in reports on the following phenomenon: one of your contacts gets in touch via WhatsApp and asks you for help with an urgent problem. All you have to do is forward a code. At first glance, everything seems fine, but unfortunately the forwarding causes your WhatsApp account to be blocked. How does that happen, and what can you do to prevent it?

The incoming WhatsApp message, which really does come from the account of one of your contacts, might look something like this:

WhatsApp message - it actually comes from the account of one of your contacts

The recipient is asked to transfer a numerical code to that contact. The sender claims that they have made a mistake and now need the code urgently. And lo and behold, the code arrives almost simultaneously, via text message:

Code that arrives almost immediately by SMS

This deceives the recipient into doing their contact a favour; after all, forwarding a code costs nothing. The rude awakening is not long in coming: the victim can no longer access their own WhatsApp account or send and receive messages. What has happened?

In this case, the contact's account has already been compromised and taken over by a hacker, who now has access to the contacts list and is going through it and trying to take over those accounts too. To do this, the hacker can simply enter a contact's phone number in WhatsApp and take over the account, provided they are able to confirm that the number really belongs to them. This requires them to know and enter the 6-digit code that is sent to the real owner's device. For this, the hacker needs a ruse to obtain the code. As soon as the code is in their possession, they can complete the takeover of the account – at least in most cases. Unless the owner has taken precautions. But more about that later.

Now the game starts all over again: each new compromised account brings more contacts with it, which the attacker now also tries to take over.

The scammers are not able to view their victims' previous messages: those are saved on the phone that sent or received them.

Motivation

A hacked WhatsApp account does not only allow scammers to take over other accounts. The hackers can also:

  • blackmail the user by demanding money to release the account;
  • send spam, e.g. with links to phishing websites or adverts for investment scams. Since the message comes from a contact, it looks all the more trustworthy;
  • misuse the account as a contact for small ad fraud – this is especially useful if a scammer is operating from abroad but wants to look Swiss.

Countermeasures

However, users of WhatsApp or other chat services are not entirely powerless against this tactic. You can protect yourself better in just a few steps:

  • As a general rule, you should never share any code you receive. If in doubt, you can always call the person who is apparently requesting the code, to ask what is going on.
  • You should definitely activate two-factor authentication (on Android, for example: Settings → Account → 2-Step Verification). This issues a one-time 6-digit code. Without this code, the account cannot be transferred to another device. Of course, you should never share this code either.
  • Please also read our weekly review on WhatsApp hacking via voicemail: to prevent this scam, protect your voicemail appropriately, or deactivate it.

The measures described can also be used with other social media accounts. For example, Facebook and Instagram accounts can be usurped using similar methods. Here too, two-factor authentication is the easiest remedy.

But if it is too late and you have already lost control of your WhatsApp account, the following measures may help:

  • Use other channels to inform your contacts that someone may be sending fraudulent messages in your name.
  • In principle, you can regain control by using the scammers' own methods: log into the app with your phone number and enter the code which you will be sent by text message.
  • If, however, the scammer has set up two-factor authentication in the meantime, things are a little more complicated. In this case, you will have to wait for seven days before logging in again, but this time without the second factor.
    (Source: https://faq.whatsapp.com/1131652977717250/).
https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2023/wochenrueckblick_45.html