WhatsApp Account Takeover
The Cyber Security Authority (CSA) has noticed an increase in incidents of individuals falling victim to social engineering and unwittingly sharing their WhatsApp verification codes with malicious actors, leading to unauthorised access and account takeover. At least 64 such reports have been recorded starting in April this year.
- Malicious actors after compromising an existing WhatsApp group begin to target members of groups that the initial victim is part of.
- They craft persuasive messages designed to lure their targets to disclose their verification code. Some of these methods are:
- Notifying the victim through text messages about an ongoing upgrade on their group platforms and requesting the victim to share the code that will be sent to them.
- Calling the victim to inform them that a security code has been sent to prevent their account from being hacked and requesting the victim to share the code that will be sent to them.
- Informing the victim that they have received a mobile money transfer, and that they are required to reveal the code sent by the perpetrator to access the funds.
- Sharing URLs in WhatsApp groups and instructing group members to click on them to update their information by providing the code that will be sent to them.
- Once the code is shared, the victim's account is compromised, opening the door to unauthorised access and account takeover. The malicious actors may then go on to impersonate the victims and defraud their contacts resulting in reputational damage as well as monetary losses.
- Never Share Verification Codes:Treat your verification code like a password; keep it confidential and share it with no one.
- Enable Two-Step Verification:Two-step verification adds an extra layer of security to your WhatsApp account. To enable it, open WhatsApp > Settings > Account > Two-step verification > Enable. This will prompt you to create a six-digit PIN that will be required periodically and whenever you register your phone number with WhatsApp again
- Verify Unexpected Requests:If you receive a message requesting your verification code unexpectedly, verify the sender's identity through a different communication mode/platform before taking any action.
- Educate Friends and Family:Share this information with your friends and family, especially those who might be less familiar with online scams. Awareness is crucial in preventing such incidents.
Contact the Cyber Security Authority
The CSA has a 24-hour Cybersecurity/Cybercrime Incident Reporting Points of Contact (PoC) for reporting cybercrimes and for seeking guidance and assistance on online activities, Call or Text – 292, WhatsApp – 0501603111, Email – email@example.com
Issued by Cyber Security Authority
October 31, 2023