SIM-Swap WhatsApp Account Takeover Scam
Criminals convince a mobile carrier to transfer a victim's phone number to a SIM card they control, then use that number to receive WhatsApp's SMS verification code and hijack the account, often to scam the victim's contacts.
Part of: SIM Swap Scams
Last reviewed: 8 June 2026
WhatsApp ties your account identity to your phone number. When you register or re-register, WhatsApp sends a six-digit verification code by SMS to that number. Whoever controls the SIM card associated with the number receives the code and therefore controls the account.
SIM swapping exploits this by tricking a mobile carrier's customer-service team into porting the target's number to a new SIM card. Attackers use personal information gathered from social media, data-breach dumps, or prior phishing calls to answer the carrier's identity verification questions convincingly.
Once the number is ported, all WhatsApp SMS codes go to the attacker's device. They register WhatsApp on their phone with your number, complete verification, and immediately have access to your contacts list, group memberships, and chat history. They then pose as you to request emergency money from your friends and family.
How this scam works on the WhatsApp brand
WhatsApp's SMS-based registration was designed for convenience, not for a world where carrier social engineering is routine. WhatsApp does offer two-step verification as an additional layer, but many users have not enabled it.
The sequence of the attack: the criminal researches the target's carrier from call history or social posts, calls the carrier's support line with the target's name, address, and last four digits of their ID or account number obtained from a breach, claims the phone was lost, and requests a new SIM. Once the carrier processes the swap, the victim's real phone loses signal.
Friends then receive WhatsApp messages such as 'I'm in hospital and need money urgently — please send to this account'. The messages come from the victim's real number and display their real profile photo, making them highly convincing.
Common red flags
- Your phone unexpectedly loses mobile signal or shows 'SOS only' in an area with normal coverage.
- You receive a WhatsApp verification SMS you did not request.
- Contacts message you asking about an unusual money request they received from 'you'.
- Your WhatsApp shows you as logged out and requires re-registration with a new code.
- You receive carrier notifications about a SIM change or number transfer you did not initiate.
- Calls and SMS messages stop arriving at your normal number for no apparent reason.
How to protect yourself
- Enable WhatsApp two-step verification at Settings > Account > Two-step verification — this adds a PIN required even after SMS verification.
- Contact your mobile carrier and ask them to add a 'port freeze' or extra PIN to prevent unauthorised SIM swaps.
- Never share your phone account PIN with anyone who calls claiming to be your carrier.
- Warn your contacts that if they receive unexpected urgent money requests from you, they should call you directly to verify.
- Monitor active WhatsApp sessions at Settings > Linked Devices and revoke any you do not recognise.
- Use a non-SMS second factor such as an authenticator app for your email and banking accounts as an extra precaution.
How to report it
- Contact your mobile carrier immediately to reverse the SIM swap and restore your number.
- Report the SIM swap to the FTC at IdentityTheft.gov (US) or Action Fraud at actionfraud.police.uk (UK).
- Report the compromised WhatsApp account at whatsapp.com/contact/forms — select 'My account was hacked'.
- Notify your bank if any financial accounts are linked to the compromised phone number, as other SMS-based two-factor authentications may also be at risk.
Frequently asked questions
Does enabling WhatsApp two-step verification stop a SIM-swap attack?
It significantly raises the bar. Even if an attacker receives your SMS code after a SIM swap, they would still need the six-digit PIN you set in WhatsApp two-step verification to complete the account takeover.
Can WhatsApp restore my account after a SIM swap?
Yes. Contact WhatsApp support at whatsapp.com/contact and report the account takeover. You can also re-register on your own device once your carrier restores your SIM — entering the SMS code on your phone reclaims the account.
How did the attacker know enough to pass my carrier's identity checks?
Personal details such as your date of birth, address, and last four digits of an ID number are widely available in data-breach dumps or can be assembled from social media profiles. Carriers are improving verification processes, but social engineering remains a risk.