New Account Takeover on WhatsApp
Fraudsters use social engineering, SIM swapping, and intercepted verification codes to take over WhatsApp accounts, then exploit the trusted contact list to run impersonation scams against the victim's connections.
Part of: New Account Takeover
Last reviewed: 1 June 2026
WhatsApp account takeover is particularly damaging because the platform is used for intimate personal and business communication. A successfully hijacked account gives the attacker access not only to future conversations but to the contact list, message history, and the established trust that makes impersonation of the account holder immediately effective.
WhatsApp's phone-number-tied identity model means that a SIM swap — convincing a mobile carrier to transfer the victim's number to a new SIM — gives the attacker complete control of the account without needing any application credentials.
How this scam works on WhatsApp
The most common takeover vector involves tricking the victim into forwarding their WhatsApp registration code. A message arrives from an attacker posing as a friend, claiming they accidentally sent a code to the victim's number and asking them to forward it. This code is the victim's own one-time registration password — forwarding it hands over account access.
SIM swap attacks are executed by impersonating the account holder with the mobile carrier, providing enough personally identifying information (gathered from social media or data brokers) to convince carrier staff to port the number to a new SIM. With the number active on their SIM, the attacker re-registers WhatsApp and takes full control.
Phishing sites targeting WhatsApp Web users capture the QR code scan in real time, establishing a persistent parallel session that the attacker keeps even after the victim closes their own browser session.
Common red flags
- A contact asking you to forward a six-digit SMS code 'sent to you by mistake'
- An SMS registration code arriving when you did not attempt to log into WhatsApp
- An unexpected session that you did not authorise appearing under Linked Devices
- Contacts reporting unusual messages sent from your account
- Mobile service interruption that coincides with inability to receive SMS — a potential SIM swap indicator
- WhatsApp prompting re-registration when you have not changed your device or number
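The red flags above can be checked against a timeline of reported events, for example during helpdesk triage. The following is an added example, not part of the original page; the event kinds, the 30-minute window, the finding names and the sample timeline are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window, not from the page
CODE_RE = re.compile(r"(?<!\d)\d{3}[- ]?\d{3}(?!\d)")  # six-digit code, optional separator
ASK_RE = re.compile(r"\b(forward|send|share|give)\b.*\bcode\b", re.I | re.S)

# Constructed sample timeline: (ISO time, kind, text). All values are invented.
SAMPLE = [
    ("2026-05-30T09:00:00", "sms", "Your WhatsApp code: 481-220. Don't share this code."),
    ("2026-05-30T09:02:10", "chat", "Hi, I sent my code to your number by mistake, can you forward the code?"),
    ("2026-05-30T14:00:00", "no_service", ""),
    ("2026-05-30T14:20:00", "reregister_prompt", ""),
    ("2026-05-30T18:00:00", "linked_device", "Chrome (Windows)"),
]

def triage(events, user_started_login=False, known_devices=()):
    """Return a sorted list of (time, finding) for events matching the red flags."""
    evs = sorted((datetime.fromisoformat(t), k, x) for t, k, x in events)
    findings = []
    for i, (t, kind, text) in enumerate(evs):
        # Events that follow this one within the correlation window.
        later = [e for e in evs[i + 1:] if e[0] - t <= WINDOW]
        if kind == "sms" and CODE_RE.search(text) and not user_started_login:
            findings.append((t, "unsolicited_registration_code"))
            # A chat asking for the code right after it arrives is the lure.
            for t2, k2, x2 in later:
                if k2 == "chat" and ASK_RE.search(x2):
                    findings.append((t2, "code_forwarding_lure"))
        elif kind == "no_service":
            # Loss of service followed by a re-registration prompt: possible SIM swap.
            if any(k2 == "reregister_prompt" for _, k2, _ in later):
                findings.append((t, "possible_sim_swap"))
        elif kind == "linked_device" and text not in known_devices:
            findings.append((t, "unrecognised_linked_device"))
    return sorted(findings)

if __name__ == "__main__":
    for when, finding in triage(SAMPLE):
        print(when.isoformat(), finding)
```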
How to protect yourself
- Enable WhatsApp's two-step verification under Settings > Account > Two-step verification — this requires a PIN to re-register your number
- Never forward a six-digit SMS code to anyone under any circumstances
- Contact your mobile carrier to add a SIM lock or port protection to your account
- Review your active sessions regularly under Settings > Linked Devices and terminate any you do not recognise
- Use a strong, unique email linked to your WhatsApp account for recovery purposes
- Warn contacts immediately if your account is taken over, so they can ignore messages sent during the compromise
How to report it
- Re-register your WhatsApp account as soon as possible — this automatically logs out the attacker
- Report the takeover to WhatsApp's support and enable two-step verification immediately after recovery
- Report a SIM swap to your mobile carrier's fraud team and national telecommunications regulator
Frequently asked questions
What is two-step verification on WhatsApp and why does it matter?
Two-step verification adds a six-digit PIN that is required whenever your phone number is re-registered with WhatsApp. Even if an attacker obtains your phone number via SIM swap or finds your registration SMS, they cannot complete the re-registration without this PIN. It is the most important single protective measure for a WhatsApp account.