Fake WhatsApp IT Security Helpdesk Scam
Scammers impersonate WhatsApp's security operations team to contact users — often via email or a fake WhatsApp business account — with urgent requests to verify account details or install a 'security patch,' leading to credential or device compromise.
Part of: Fake IT Helpdesk Credential Scams
Last reviewed: 8 June 2026
WhatsApp's legitimate security communications are limited and delivered through the app itself or through the account's registered email. WhatsApp does not operate a phone helpline, does not send security agents to call users, and does not email users with instructions to install software or verify credentials on external websites.
This scam pattern is especially prevalent among WhatsApp Business users — small business owners who use WhatsApp Business API and who are more likely to believe they are subject to formal compliance or security review requirements from Meta/WhatsApp.
The technical framing — 'security audit,' 'mandatory encryption upgrade,' 'API compliance check' — can intimidate users into compliance before they pause to verify the request.
How this scam works on the WhatsApp brand
A WhatsApp Business user receives an email from [email protected] stating that their WhatsApp Business API access is under a mandatory security review and will be suspended unless they complete a verification within 24 hours. A link leads to a page requiring their WhatsApp Business account phone number and a 'one-time passcode' that WhatsApp will send.
The code that WhatsApp sends is the account's real registration code. Entering it on the fake page — framed as a security verification — transfers the code to the scammer, who registers the account on a new device.
In a phone variant, a caller claims to be a WhatsApp IT security engineer and walks the business owner through a 'security check' that involves reading out the code received by SMS.
Common red flags
- WhatsApp does not operate a security helpline and will not call business users for compliance checks.
- WhatsApp security emails come from @whatsapp.com — any other domain is fraudulent.
- The 'one-time passcode' you are asked to enter during a security verification is your WhatsApp registration code — sharing it hands over your account.
- Urgent framing about API suspension or compliance violation with a tight deadline.
- The verification page URL is not whatsapp.com, business.whatsapp.com, or a Meta domain.
- The caller cannot identify your registered business name or account metadata without you providing it first.
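The email-based red flags above can be checked mechanically before a message reaches a user. The following is an added example, not code from WhatsApp or from this page's author; the function names, flag labels, regex wording, and sample messages are assumptions made for illustration, and Meta domains are left for the caller to supply because the page does not list them.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domain the page names as legitimate; business.whatsapp.com is covered as a
# subdomain. The page also accepts "a Meta domain" without listing any, so
# those are left to the caller (extra_trusted) rather than guessed here.
TRUSTED = {"whatsapp.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
DEADLINE = re.compile(r"\bwithin\s+\d+\s+(?:hours?|days?)\b", re.I)
THREAT = re.compile(r"suspen|compliance|mandatory", re.I)
CODE_ASK = re.compile(r"one-time passcode|registration code|verification code", re.I)

def host_trusted(host, trusted):
    """True only for a trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def red_flags(from_header, body, extra_trusted=()):
    """Return the page's red flags that apply to one email, in a fixed order."""
    trusted = TRUSTED | set(extra_trusted)
    flags = []
    # parseaddr drops the display name, so "WhatsApp Security <x@evil>" is
    # judged on the address, not on the friendly name shown to the user.
    sender_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if sender_domain != "whatsapp.com":
        flags.append("sender_not_whatsapp.com")
    # urlsplit().hostname ignores userinfo, so https://whatsapp.com@evil/ and
    # whatsapp.com.evil.example both resolve to the real (untrusted) host.
    hosts = [urlsplit(u).hostname for u in URL_RE.findall(body)]
    if any(not host_trusted(h, trusted) for h in hosts):
        flags.append("link_off_domain")
    if DEADLINE.search(body) and THREAT.search(body):
        flags.append("urgent_deadline")
    if CODE_ASK.search(body):
        flags.append("asks_for_code")
    return flags

# Constructed sample messages (not real emails; addresses are made up).
PHISH = ("WhatsApp Security <audit@whatsapp-review.example>",
         "Your WhatsApp Business API access is under mandatory security review "
         "and will be suspended unless you verify within 24 hours at "
         "https://business.whatsapp.com@api-review.example/verify and enter "
         "the one-time passcode we send you.")
LOOKALIKE = ("notice@whatsapp.com", "Details: https://whatsapp.com.api-review.example/help")
CLEAN = ("WhatsApp <notice@whatsapp.com>", "See https://business.whatsapp.com/ for details.")

if __name__ == "__main__":
    for sender, text in (PHISH, LOOKALIKE, CLEAN):
        print(sender, "->", red_flags(sender, text))
```

An empty result only means none of these flags fired; the From header can be forged, so it is not proof that a message is genuine.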
How to protect yourself
- WhatsApp Business API compliance issues are managed through the official Meta Business Help Center — not external emails.
- Enable Two-Step Verification on your WhatsApp account (Settings > Account > Two-Step Verification) so that a stolen registration code alone cannot complete a device takeover.
- Never share a WhatsApp SMS code with any caller or on any website, regardless of the stated reason.
- If your WhatsApp Business account was hijacked, immediately re-register your number by reinstalling WhatsApp Business on your device.
- Notify your customers if your account was compromised to prevent them from being targeted using your business identity.
How to report it
- Report to WhatsApp via the in-app report function: open the scam message > tap the contact name > Report.
- Forward the phishing email to [email protected].
- Report to the FTC at ReportFraud.ftc.gov.
- UK users: report to Action Fraud at actionfraud.police.uk.
Frequently asked questions
Does WhatsApp conduct security audits of Business API accounts by phone?
No. WhatsApp Business API compliance is managed through the Meta Business Help Center and official documentation. WhatsApp does not conduct security audits by phone call or via unsolicited emails from non-whatsapp.com domains.
My WhatsApp Business account was hijacked — how do I recover it?
Reinstall WhatsApp Business on your device and re-register your phone number. When you enter your number, WhatsApp will send a new registration code to your SIM, logging out the attacker. You will also need to enter your Two-Step Verification PIN if it was set.
Should I set a Two-Step Verification PIN on WhatsApp Business?
Yes, absolutely. Two-Step Verification requires a six-digit PIN whenever your WhatsApp account is re-registered on any device. This is the single most effective protection against account hijacking through stolen registration codes.