Fraudsters are using a social engineering trick to fool WhatsApp users into handing over the keys to their accounts.
As Zak Doffman of Forbes explains, the scam has been around for some time, but has seen a recent resurgence, possibly due to increased reliance on messaging apps during the coronavirus pandemic.
The attack can take two forms, both of which rely on tricking the user rather than compromising the app itself. In the first, you receive an SMS from someone claiming to be a friend or contact. They say they are struggling to verify their own WhatsApp account and that the verification code will be sent to your phone instead. What has actually happened is that the attacker has entered your number into WhatsApp on their own device, which makes WhatsApp send a registration code to the phone that holds that number: yours.
Of course, the verification code sent to your phone is for your own account. That code, together with your mobile number, is all WhatsApp needs to register your account on the crook's device. Your own phone is logged out, and from that point the attacker receives messages sent to you and can send messages posing as you.
The attacker can then send the same request for a verification code, from your account, to contacts who know and trust you, an approach that is far more likely to succeed than an SMS from an unknown phone number.
Now, attackers have found a more convincing way to trick you into parting with your verification code: sending messages purporting to be from WhatsApp itself.
The new form of attack was first reported by WABetaInfo on Twitter, after a user queried a strange-looking message that appeared to originate from the company.
WABetaInfo's reply, May 27, 2020: "This is #FAKE. WhatsApp doesn't message you on WhatsApp, and if they do (for global announcements, but it's soooo rare), a green verified indicator is visible. WhatsApp never asks for your data or verification codes. @WhatsApp should ban this account. 😅 https://t.co/nnOehPL8Ca"
As WABetaInfo notes, WhatsApp and its parent company Facebook will never ask for your account details, and are very unlikely to send you any messages directly.
It's also wise to protect your account by enabling two-step verification. Once it is on, registering your number on a new device requires a six-digit PIN that you created yourself in addition to the SMS code, so a leaked code alone is no longer enough to take over the account. Find out how to set it up now.
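The following is an added example, not code from the original article or from WhatsApp: a deliberately simplified model of phone-number-based registration that makes the trust boundary explicit. The SMS code only proves that whoever submits it can read messages sent to the number; it says nothing about which device is registering. The two-step PIN is a separate secret that never transits the SMS channel. All names, the `RegistrationService` API, the phone numbers and the three-attempt lockout are constructed for illustration and are not WhatsApp's actual protocol.

```python
"""Constructed model of SMS-code account registration, with and without a
two-step verification PIN. Hypothetical API; not WhatsApp's real protocol."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_LEN = 6
MAX_ATTEMPTS = 3  # assumed lockout, so the code cannot simply be brute-forced


@dataclass
class Account:
    phone: str
    device: Optional[str] = None  # device that currently holds the session
    pin: Optional[str] = None     # two-step verification PIN, if enabled


@dataclass
class PendingRegistration:
    device: str            # device that asked to register the number
    code: str              # code delivered by SMS to the number's owner
    attempts_left: int = MAX_ATTEMPTS


class RegistrationService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, PendingRegistration] = {}
        # Simulated SMS delivery: phone number -> last code sent to that handset.
        self.sms_outbox: dict[str, str] = {}

    def start_registration(self, phone: str, device: str) -> None:
        """Any device may start registering any number; the code goes to the
        handset holding the SIM, not to the device that asked."""
        code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self.pending[phone] = PendingRegistration(device=device, code=code)
        self.sms_outbox[phone] = code

    def enable_two_step(self, phone: str, device: str, pin: str) -> bool:
        """Only the device holding the session may set the PIN."""
        acct = self.accounts.get(phone)
        if acct is None or acct.device != device or len(pin) != CODE_LEN:
            return False
        acct.pin = pin
        return True

    def complete_registration(self, phone: str, device: str, code: str,
                              pin: Optional[str] = None) -> str:
        pend = self.pending.get(phone)
        if pend is None or pend.device != device:
            return "no pending registration"
        if pend.attempts_left == 0:
            return "locked"
        pend.attempts_left -= 1
        if not hmac.compare_digest(code, pend.code):
            return "bad code"
        acct = self.accounts.setdefault(phone, Account(phone))
        # The SMS code proved possession of the number. The PIN is the only
        # thing that distinguishes the owner from someone the owner was
        # talked into reading the code to.
        if acct.pin is not None and (pin is None or not hmac.compare_digest(pin, acct.pin)):
            return "pin required"
        acct.device = device      # previous device (if any) is now logged out
        del self.pending[phone]
        return "registered"


def run_scam(two_step_pin: Optional[str] = None) -> dict:
    """Replay the article's scam against a constructed victim account."""
    svc = RegistrationService()
    phone, victim_dev, attacker_dev = "+15550100", "victim-phone", "attacker-phone"

    # Victim registers normally on their own handset.
    svc.start_registration(phone, victim_dev)
    svc.complete_registration(phone, victim_dev, svc.sms_outbox[phone])
    if two_step_pin is not None:
        svc.enable_two_step(phone, victim_dev, two_step_pin)

    # Step 1: attacker enters the victim's number on the attacker's device.
    svc.start_registration(phone, attacker_dev)
    # Step 2: the code lands on the victim's handset; the social engineering
    # ("my code was sent to you by mistake") is how the attacker learns it.
    leaked_code = svc.sms_outbox[phone]
    # Step 3: attacker submits the leaked code from their own device.
    result = svc.complete_registration(phone, attacker_dev, leaked_code)
    return {"result": result, "session_holder": svc.accounts[phone].device}


if __name__ == "__main__":
    print("without two-step:", run_scam())
    print("with two-step:   ", run_scam(two_step_pin="492816"))
```

Without a PIN the leaked code moves the session to `attacker-phone`; with a PIN the same leaked code is accepted as proof of the number but registration stops at `pin required` and the victim keeps the session. The model also makes the limit of the defence obvious: the PIN is a secret held by the user, so it protects exactly as long as the user cannot be talked into sharing it the way they were talked into sharing the code.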