WhatsApp users are being warned of a scam that could give hackers access to your WhatsApp account and lock you out in the process.
WhatsApp is an app for smartphones. It offers a secure messaging service for one-on-one or small group conversations – often making it the platform of choice for many organisations to conduct business or respond directly to customers. As a result, it is a target for scammers trying to hack into users’ confidential conversations.
How the scam works
Hackers attempt to gain access to your WhatsApp account by taking advantage of our tendency not to change the default PIN code on our phones voicemail account.
Firstly, the hacker will try to install WhatsApp on their own phone using a legitimate user’s phone number, typically late at night, while the user is asleep and not using their phone.
WhatsApp will attempt to verify the login by sending a one-time verification code via SMS to the victim’s phone.
The hacker doesn’t have access to the victim’s phone, so is unable to see the verification code and enter it.
When the verification code is not entered, the WhatsApp service prompts the user to perform a ‘voice verification’, during which the WhatsApp service calls the victim’s phone and speaks the one-time verification code out loud.
Since the victim is likely asleep, the automated message is left as a voicemail.
Most mobile service providers allow remote access to your voicemail account, by calling a generic number and entering your PIN code.
So to retrieve the voicemail, the hacker simply needs to call the generic phone number and enter the victim’s four-digit PIN – which, if you haven’t changed it, is typically a simple combination such as 0000 or 1234 by default.
Once the hacker listens to the pre-recorded voicemail and hears the verification code, they can then access your WhatsApp account on their own device.
How do I stay safe?
- Change the default PIN code on your voicemail account to a strong password. This can be done in your phone’s voicemail settings or by calling your phone service provider.
- Turn on two-factor authentication on your WhatsApp account to add an extra layer of security. This can be done by opening the app and going to Settings > Account > Two-step verification > Enable.
- Read more on online apps – including how to be on the lookout for malicious apps.
- If you believe you have become a victim of a scam, go here for help: https://www.staysmartonline.gov.au/get-help
- Sign up to Government alerts to keep informed about cyber risks to individuals and businesses.
- Sign up to Your Digital File for an individual or business account and only store and share sensitive information using Your Digital File. The only way to securely store and share information that matters to you.