Some scams come and go, while others come and go and then return. Such is the story of the WhatsApp SMS scam. It has been around for a while, but, for some reason, it has been seeing a recent resurgence. Here is how it works.
Imagine that you suddenly receive an SMS containing a six-digit sign-in code for WhatsApp that you never requested. It is a legitimate WhatsApp message, but why are you receiving it?
There are a couple of possible angles here. Normally, if you already use WhatsApp and want to use it on another device, you can sign in by scanning a QR code with the phone that has WhatsApp installed. If, however, you are signing in for the first time, have changed your phone number, or are signing in from another device without your phone, you will be sent an SMS containing a six-digit code. Typing in these digits verifies your device and lets you use WhatsApp. In other words, this scam starts with someone having your phone number; otherwise, how could WhatsApp send you a code you did not ask for? The scammers may have obtained your phone number from somewhere such as Facebook, or from a data leak. They could also hope to get lucky by submitting random six-digit codes to the WhatsApp verification page, hoping that someone is trying to sign in at that moment. Admittedly, because of the time limit on codes, this strategy would require a lot of luck, but it is mathematically possible.
If the site determines that the code does not match a phone number in its database, it sends you to a page where you can download the app. A good scam would be for hackers to spoof this page and send you to some sort of fake login page where they can harvest data or make you download an infected app.
So, imagine that I have somehow gotten your phone number. I try to use it to sign into WhatsApp. WhatsApp tells me it will send a code to the number I typed in. But, although I have the number, I don’t have the phone. You do. This is when you receive the code out of nowhere. My problem, as the scammer, is to get you to send me the code within a limited time period, usually about 3 minutes. If you send me the code, I can complete the sign-in process, get into your account and, if I want, change the contact phone number, change the password, and take complete control of your account… but I need that code first.
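To make the mechanics above concrete, here is a small model of an SMS sign-in-code check, written as an added example for this post; it is not WhatsApp’s code and does not claim to reproduce its policy. It models the three properties the post relies on: the code is tied to one phone number and delivered only to the handset, it expires after the roughly three-minute window mentioned above, and a guesser is locked out after a few wrong tries (the five-attempt limit is an assumption of the model). The three scenario functions show why the attacker’s only realistic route is to talk the victim into forwarding the code; the phone number, the fixed test code and the SMS wording are constructed sample values.

```python
import hmac
import secrets

# Roughly the 3-minute window the post describes. The attempt limit is an
# assumption of this model, not WhatsApp's actual policy.
CODE_TTL_SECONDS = 180
MAX_ATTEMPTS = 5

VICTIM_PHONE = "+15550001234"   # constructed sample number


def random_code():
    """Six-digit code from a cryptographic RNG, leading zeros kept."""
    return f"{secrets.randbelow(10**6):06d}"


class VerificationService:
    """Toy model of an SMS sign-in-code check: one code per phone number,
    short TTL, few wrong guesses tolerated."""

    def __init__(self, ttl=CODE_TTL_SECONDS, max_attempts=MAX_ATTEMPTS,
                 code_source=random_code):
        self.ttl = ttl
        self.max_attempts = max_attempts
        self.code_source = code_source   # injectable so tests can fix the code
        self.pending = {}                # phone -> [code, expires_at, attempts]
        self.sms_outbox = []             # (phone, text) delivered to the handset only

    def request_code(self, phone, now):
        """Anyone who types the number triggers this; only the handset sees the SMS."""
        code = self.code_source()
        self.pending[phone] = [code, now + self.ttl, 0]
        self.sms_outbox.append((phone, f"Your WhatsApp code is {code}"))

    def verify(self, phone, guess, now):
        entry = self.pending.get(phone)
        if entry is None:
            return "no_pending_code"
        code, expires_at, _ = entry
        if now > expires_at:
            del self.pending[phone]
            return "expired"
        entry[2] += 1
        if entry[2] > self.max_attempts:
            del self.pending[phone]
            return "locked_out"
        if hmac.compare_digest(code, guess):   # constant-time comparison
            del self.pending[phone]
            return "ok"
        return "wrong_code"


def scenario_victim_forwards_code(service=None, now=0.0):
    """The social-engineering path: the victim reads the SMS and sends it on."""
    service = service or VerificationService()
    service.request_code(VICTIM_PHONE, now)      # attacker typed the victim's number
    _, sms_text = service.sms_outbox[-1]         # arrives on the victim's handset
    forwarded = sms_text.split()[-1]             # victim pastes the digits to the "friend"
    return service.verify(VICTIM_PHONE, forwarded, now + 60)


def scenario_attacker_guesses(service=None, now=0.0):
    """No code from the victim: sequential guesses run into the attempt limit."""
    service = service or VerificationService()
    service.request_code(VICTIM_PHONE, now)
    for i in range(service.max_attempts + 1):
        status = service.verify(VICTIM_PHONE, f"{i:06d}", now + i)
        if status != "wrong_code":
            return status
    return "wrong_code"


def scenario_code_expires(service=None, now=0.0):
    """Even the correct code is useless once the window has closed."""
    service = service or VerificationService()
    service.request_code(VICTIM_PHONE, now)
    _, sms_text = service.sms_outbox[-1]
    return service.verify(VICTIM_PHONE, sms_text.split()[-1], now + service.ttl + 1)


if __name__ == "__main__":
    print("victim forwards code:", scenario_victim_forwards_code())
    print("attacker guesses:    ", scenario_attacker_guesses())
    print("code expires:        ", scenario_code_expires())
```

The point the model makes is that the service side does its job: the code never reaches the person who typed the number, guessing is cut off, and the code dies after the window. The only thing that turns a harmless unexpected SMS into a takeover is the victim copying the six digits into a chat, which no server-side control can prevent.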
That’s where social engineering comes into play. Scammers may have already taken over the account of one of your contacts. In this case, the text message they send you appears to be legitimate. It comes from your contact’s real account. Your ‘friend’ may say that they’ve had a code sent to your number by mistake and could you please send it to them as it is urgent.
They may say that they had their account hacked and they needed this code to get it back. Some say their phone has been locked and that’s why they used your number. They had the code sent to you since their number was no longer useful. They may ask you to send a screenshot or the code itself. They could buy time by claiming they would soon be sending a request for a code from WhatsApp and that you should be ready to receive it. Sometimes they say they have a new phone but you have their old number and that number is linked to their WhatsApp account, so could you please send them the code so they can set up their new phone? Their approach relies on sympathy and the fact that most people want to be helpful. The cost is a hacked account and a lot of angry friends who will become similar victims because of your naiveté.
It’s easy to tell people to never share a verification code with anyone, but when you see written pleas from friends who seem to be in real trouble, it’s just as easy to forget this advice. If they say they need this code quickly, you may not have time to contact your friend through some other means, although this is really what you should do. The fact that these recent scams are written in good English also makes them more believable. One way that you could try to deal with the scam is to ask the person to verify their identity, like this person did.
You may think that giving the code away can’t hurt you, but you’d be wrong. Not only could you lose your account, you could jeopardize the account of all of your contacts. They may be contacted, in your name, with a claim that you desperately need money, for example. If their goal was to ruin your life, they could do so by posting material that may call into question your morality. And always be aware that stalkers may use the WhatsApp scam to simply have permanent access to your account so that they can keep a close eye on your life. In addition, through a chain of continued attacks on contacts and contacts of contacts, scammers can amass large amounts of personal information that could be used for more sophisticated hacks which may even involve the companies these people work for.
Although this post is written about WhatsApp, the technique can be used with any social media account that requires you to use a code to verify a connection or transaction. Codes can be sent to email addresses or phones. Banking scams may use similar tricks. In the end, no matter how valid the request seems to be, and no matter how dire the situation is, simply never give this verification code to anyone. You really should contact the person who asked for the code. Call them and speak with them directly to be sure they are your real friend and not someone who has possession of their phone. They will probably thank you for giving them a heads up. If you send them an email, make sure you ask them a question that only the two of you would know the answer to, because the scammers may have also gained control of the person’s email account. So, in the end, if you get an unwanted code, just delete the message and let your real friend know that their account has been compromised. If your or your friend’s account was compromised, you may be able to get it back by following the advice given on the WhatsApp site. But I should warn you, it won’t be easy.