Here’s how the WhatsApp Account Takeover scam works…

Hackers attempt to gain access to your WhatsApp account by taking advantage of our tendency not to change the default PIN code on our phones voicemail account.

Firstly, the hacker will try to install WhatsApp on their own phone using a legitimate user’s phone number, typically late at night, while the user is asleep and not using their phone. WhatsApp will attempt to verify the login by sending a one-time verification code via SMS to the victim's phone. The hacker doesn’t have access to the victim’s phone, so is unable to see the verification code and enter it.

When the verification code is not entered, the WhatsApp service prompts the user to perform a ‘voice verification’, during which the WhatsApp service calls the victim’s phone and speaks the one-time verification code out loud. Since the victim is likely asleep, the automated message is left as a voicemail.

Most mobile service providers allow remote access to your voicemail account, by calling a generic number and entering your PIN code.

So to retrieve the voicemail, the hacker simply needs to call the generic phone number and enter the victim’s four-digit PIN – which, if you haven't changed it, is typically a simple combination such as 0000 or 1234 by default.

Once the hacker listens to the pre-recorded voicemail and hears the verification code, they can then access your WhatsApp account on their own device.

Defending against the WhatsApp Account Takeover Scam

1. Change the default PIN code on your voicemail account to a strong password. This can be done in your phone’s voicemail settings or by calling your phone service provider.

2. Turn on two-factor authentication on your WhatsApp account to add an extra layer of security. This can be done by opening the app and going to Settings > Account > Two-step verification > Enable.

This advisory was reproduced in full from an alert from Stay Safe Online.

Disclaimer

This information has been prepared by the Australian Cyber Security Centre ('the ACSC'). It was accurate and up to date at the time of publishing.

This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.

The Commonwealth and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.

Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.

Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.