WhatsApp accounts getting stolen with this nasty trick: What to do

(Image credit: Anadolu Agency / Getty Images)

In April, we saw a WhatsApp vulnerability that let anyone hijack your account if they knew your phone number and could glance at your phone's screen. 

Now it looks like someone has weaponized that WhatsApp flaw to trick you into giving up your account without the attacker ever needing to see your screen.

This information comes to us in the form of a single tweet by a young man in Paraguay who posted a screenshot of what appears to be a WhatsApp phishing message in Spanish purporting to come from WhatsApp itself. 

We can't verify that the message is real, and we haven't heard of any other incidents involving this scam, but the attack method makes sense and it would be pretty easy for an attacker to pull off.

Our Spanish is pretty rusty, but thanks to our collegue Kate Kozuch and also Google Translate, the message claims to be from the "WhatsApp support team" and states that someone has registered a WhatsApp account using your phone number. 

The message goes on to say that the recipient has been sent "a request for identity verification" using SMS. 

A standard feature of WhatsApp's two-factor-authentication (2FA) method for preventing account theft is to send the account owner a six-digit one-time use code to the older phone number to verify that the account owner has indeed requested a number change or is moving the WhatsApp account to new phone. 

The problem, as we reported in April, is that the texted 2FA code will by default display on the old phone's screen, locked or not. Anyone who can watch your screen in the few seconds after requesting the (phony) number change or device change will be able to steal your account. 

How to avoid this scam

Fortunately, as we explained in April, it's pretty easy to avoid falling victim to this scam. You need only to add a PIN to your WhatsApp account. 

Go into the WhatsApp settings on your phone, tap Account and then tap Two-Step Verification. You'll then have to create a six-digit PIN, which you will be asked to enter if you move your WhatsApp account to a new phone.

No need to see your screen

This new twist reported by the man in Paraguay eliminates the need for the attacker to see your screen, since the attacker is going to trick you into giving him the code yourself.

The message quickly veers into pure scam territory, stating that "If you fail to pass the verification or abandon the attempt, an indefinite suspension will be generated." 

That's a classic confidence-scheme call to action, threatening you with denial of service unless you act now. In reality, WhatsApp would not suspend your account for not verifying a change request.

The original poster didn't post the entire message, but the implication is that you'll be asked to forward the one-time 2FA code to the message sender. If so, then the message sender will be able to hijack your WhatsApp account.

"This is #FAKE," wrote the WABetaInfo Twitter account, to which the original Paraguayan poster had appealed for help. "WhatsApp doesn't message you on WhatsApp, and if they do (for global announcements, but it's soooo rare), a green verified indicator is visible. WhatsApp never asks your data or verification codes."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.