Fake WhatsApp Two-Factor Reset Social Takeover Scam
Scammers trick WhatsApp users into disabling their two-step verification PIN by sending convincing social messages, then take over the account using the now-unprotected SMS registration flow.
Part of: Two-Factor Reset & Social Takeover Scams
Last reviewed: 8 June 2026
WhatsApp's two-step verification adds a six-digit PIN as a second layer of security beyond the SMS registration code. When two-step verification is active, anyone trying to register a WhatsApp account with a phone number must also know the PIN — a detail that a SIM-swap attacker or code-intercepting criminal does not have.
Criminals have developed a social approach to bypassing this protection: convincing the account owner to disable two-step verification themselves, under the guise of account recovery or a 'security update'. The message is usually sent via WhatsApp from an already-compromised contact, adding the trust factor of a known name.
Once the victim disables two-step verification, the attacker — who may already have the SMS verification code via SIM swap or social engineering — can re-register the account on their device without the PIN barrier.
How this scam works on the WhatsApp brand
WhatsApp allows users to disable two-step verification through Settings > Account > Two-step verification > Disable. This is a legitimate feature for users who forget their PIN. Scammers abuse it by fabricating a reason for the victim to use it.
The social engineering message typically reads: 'I'm trying to register WhatsApp on a new phone and the system keeps sending a verification to your number by mistake — can you go into your settings and disable two-step verification? It will allow the system to clear the error.' The message arrives from a trusted contact whose account is already compromised.
Once the victim disables two-step verification and confirms back to the attacker, the attacker uses the SMS code (obtained through SIM swap or a previously sent verification request) to register the victim's number on their own device.
Common red flags
- A WhatsApp message from any contact asks you to disable your two-step verification PIN.
- The request is framed as helping the sender resolve a 'registration error'.
- An unexpected WhatsApp SMS verification code arrives at roughly the same time as the disabling request.
- The message creates urgency: 'I need you to do this in the next few minutes before the verification window expires.'
- The contact sending the message has not spoken to you recently and the message feels out of character.
- After you disable two-step verification, WhatsApp signs you out on your own phone: this means your number has just been registered on another device.
How to protect yourself
- Never disable two-step verification at another person's request, regardless of who appears to be asking.
- If you have not already done so, enable WhatsApp two-step verification at Settings > Account > Two-step verification.
- If you receive an unexpected WhatsApp SMS code, do not share it — it means someone is attempting to register your number.
- Add a two-step verification PIN that is memorable only to you — not a date of birth or sequence others might guess.
- Alert your WhatsApp contacts if your account was taken over, so they do not fall for the same disabling request.
- Contact your mobile carrier to add a SIM-swap protection PIN for additional defence.
How to report it
- Report the scam message in WhatsApp by tapping the message > More options > Report.
- Report to WhatsApp at whatsapp.com/contact/forms if your account was compromised.
- Report to the FTC at ReportFraud.ftc.gov (US) or Action Fraud at actionfraud.police.uk (UK).
- Alert the person whose account was used to send the disabling request so they can recover their account.
Frequently asked questions
Is there any legitimate reason someone would ask me to disable my WhatsApp two-step verification?
No. There is no scenario in which disabling your own two-step verification helps another person's WhatsApp registration. This is exclusively a social engineering tactic designed to remove the security barrier protecting your account.
I already disabled two-step verification after receiving the message. What should I do?
Re-enable two-step verification immediately at Settings > Account > Two-step verification and set a new PIN. Also check your Linked Devices list for any unfamiliar devices and remove them. If you were already locked out, use WhatsApp's account recovery process.
How does my contact's account get compromised in the first place?
Your contact may have fallen for the same trick themselves, or their account was taken over via SIM swap or code sharing. Once the attacker has any account, they use the contact list to propagate the attack to everyone that account communicates with.