SIM-Based Identity Verification Bypass Scam on WhatsApp
After hijacking a phone number through a SIM swap, criminals immediately re-register the number on WhatsApp to hijack the victim's account, contacts, and linked verification codes.
Part of: SIM-Based Identity Verification Bypass
Last reviewed: 5 July 2026
WhatsApp uses SMS one-time codes to verify a phone number, which means anyone who controls that number, whether through a SIM swap or a fraudulent port-out, can register it on a new device and take over the account within minutes.
How this scam works on WhatsApp
Once the swapped SIM is active, the scammer opens WhatsApp on a new phone, requests the verification code, and completes registration before the real owner notices their signal has dropped. This locks the victim out entirely and gives the scammer access to years of chat history, group memberships, and saved media, which is often mined for further personal details used in follow-on identity fraud.
With control of the account, the scammer messages the victim's contacts, especially family members and coworkers, asking for urgent money transfers or claiming a 'new number' needs verification, while also using the hijacked number to intercept one-time passcodes sent by banks or other apps that rely on SMS or WhatsApp-based two-factor authentication. Because many services treat a verified WhatsApp number as a trusted identity signal, the takeover can cascade into bypassing verification on other accounts entirely.
Common red flags
- Your phone suddenly shows 'no service' or 'SOS only' with no explanation
- You receive an SMS from WhatsApp confirming a registration you did not request
- Contacts report receiving strange money-request messages from your account
- You are logged out of WhatsApp on your usual device without warning
- Your carrier confirms a SIM swap or number port was processed that you did not authorize
- Two-factor codes you expect never arrive because they are being intercepted
How to protect yourself
- Enable WhatsApp's two-step verification with a PIN so a SIM swap alone cannot register your account
- Set a PIN or passcode with your mobile carrier to block unauthorized SIM swaps or number ports
- Move critical account verification away from SMS to an authenticator app where possible
- If your phone loses signal unexpectedly, contact your carrier immediately to check for a SIM swap
- Warn close contacts through another channel the moment you suspect your WhatsApp has been hijacked
- Use WhatsApp's 'Log out from all devices' and re-verify as soon as you regain control of your number
How to report it
- Contact WhatsApp support in-app or via the Help Center to report account takeover and request recovery
- Report the unauthorized SIM swap to your mobile carrier's fraud department immediately
- File a report with your local police and, in the US, the FTC at IdentityTheft.gov
- Warn affected contacts and ask them to report the impersonating messages to WhatsApp
Frequently asked questions
Can I get my WhatsApp account back after a SIM swap takeover?
Often yes, once you regain control of your phone number you can re-register the account, though you may need to go through WhatsApp support if the attacker enabled two-step verification with their own PIN.
Does two-step verification fully stop this scam?
It significantly raises the bar, since the attacker would need both your number and your WhatsApp PIN, but it does not prevent the SIM swap itself, so carrier-side protections still matter.