Fake WhatsApp Two-Factor Reset Scam
Fraudsters use social engineering to obtain the SMS verification code sent when registering a WhatsApp number, then hijack the victim's account and use it to scam their contacts.
Last reviewed: 7 June 2026
WhatsApp's registration system relies on a six-digit SMS code sent to the phone number being registered. This straightforward verification mechanism becomes an attack surface when someone tricks you into sharing that code — because possessing it lets them register your number on their device and steal your WhatsApp identity.
The scam typically exploits a trusted relationship. A victim's friend (whose WhatsApp has already been hijacked) sends a message saying they accidentally sent a code to the victim's number and urgently needs them to forward it. Because the message comes from a known contact's account, people often comply without suspicion.
Once the attacker has your account, they read your existing chats to understand your relationships, then use your identity to send urgent money requests, SIM-swap requests, or further code-theft messages to your friends and family.
How this scam works on WhatsApp
WhatsApp sends its six-digit registration code only when the WhatsApp app itself requests it: during a fresh install, a phone number transfer, or a device change. The code is delivered via SMS from a number shown as WhatsApp. WhatsApp will also show an in-app notification if someone is attempting to register your number on another device.
The social engineering message from a hijacked contact account reads something like: 'Hi, sorry to bother you — I accidentally sent a WhatsApp code to your number instead of mine. Could you forward me the six digits? It's urgent.' No legitimate service or friend would need a code that was accidentally sent to a different number — this narrative is always fabricated.
Once the code is forwarded, the attacker registers the victim's number on their own device. WhatsApp logs the original device out. The attacker then contacts the victim's contacts with an identical message or with requests for urgent financial help, claiming to be the victim.
Common red flags
- A contact asks you to forward a WhatsApp registration code that 'accidentally' arrived on your phone
- You receive an SMS with a WhatsApp verification code that you did not request
- A contact's message has an unusually urgent or financial tone — 'can you send me money urgently, I am in trouble'
- You are suddenly logged out of WhatsApp on your own device without changing phones
- Messages from a known contact seem oddly formal, use different vocabulary, or misspell the contact's name
- A message comes from a contact claiming to be on a new number or unexpectedly abroad
How to protect yourself
- Enable WhatsApp's Two-Step Verification: Settings > Account > Two-step verification — this adds a PIN that must be entered even if someone has your SMS code
- Never share a WhatsApp verification code with anyone, regardless of who asks
- If you receive an unexpected registration code, this means someone is trying to take your account — do not share the code, and consider it an alert to strengthen security
- Set a recovery email in Two-Step Verification settings so you can reset your PIN if needed
- Call your contact on a different channel (a phone call) to verify any unusual request before acting
- Report the suspicious message using WhatsApp's built-in 'Report' feature
How to report it
- Report the hijacked contact account to WhatsApp by opening the chat, tapping the contact name, and selecting 'Report'
- If your own account was hijacked, email [email protected] from the email address associated with your account
- Report to Action Fraud at actionfraud.police.uk (UK) or the FTC at reportfraud.ftc.gov (US)
- Notify your contacts through another channel so they know messages from your WhatsApp may be fraudulent
Frequently asked questions
Does enabling two-step verification fully prevent WhatsApp account hijacking?
It significantly raises the bar. Even if an attacker obtains your SMS registration code, they would also need your six-digit two-step verification PIN — which is not sent by SMS and can only be known by you. It is the single most effective protection against WhatsApp account theft.
My WhatsApp account was taken over. How do I get it back?
Re-register your phone number in WhatsApp on your device. WhatsApp will send a new verification code to your number by SMS; entering it logs the attacker out. If two-step verification was enabled, you will also need your PIN. Contact WhatsApp support at support.whatsapp.com if you are still locked out.
Why would my friend's hijacked account send me a code request?
Once attackers control an account, they read recent messages to identify trusted contacts and then use the victim's identity to send plausible-sounding requests. A message from a friend asking for a code is far more likely to succeed than a message from a stranger, which is why this chain-hijacking method is so effective.