WhatsApp Impersonation Scams
Scammers impersonate WhatsApp with fake account verification code requests and hijacking attacks. WhatsApp will never contact you to ask you to forward a six-digit code to another person.
Last reviewed: 1 June 2026
WhatsApp is the world's most popular messaging app, and its brand is exploited in a distinctive hijacking scam: a fraudster contacts a target claiming to be a friend whose account is locked, and asks the target to forward a six-digit code that has just been sent to the target's phone. That code is actually the WhatsApp registration code for the target's own account — forwarding it hands control of the account to the attacker.
WhatsApp accounts, once taken over, are used to contact the victim's friends and family to perpetuate the same scam or to request urgent money transfers.
How scammers impersonate it
- Sending messages from a hijacked contact's account asking the target to forward a recently received six-digit code
- Claiming to be WhatsApp staff via message or email and requesting account verification codes
- Creating fake WhatsApp web login pages to harvest credentials
- Sending WhatsApp Business messages impersonating brands or government services to steal personal data
- Sending fake WhatsApp update or terms-acceptance messages with links to phishing pages
What the real organisation never does
- Ask you to forward a registration or verification code to anyone
- Contact you via WhatsApp to ask for account details
- Send terms-acceptance requests that require clicking an external link to continue using the app
- Request payment to unlock or restore a WhatsApp account
Common red flags
- Contact claiming to be a friend who asks you to forward a six-digit code just sent to your phone
- Unexpected six-digit SMS code from WhatsApp when you have not tried to log in
- Message from 'WhatsApp' asking for personal details or account verification
- WhatsApp Business message from an unverified account requesting sensitive information
- Any contact asking for your WhatsApp PIN (if you have set one)
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Message from hijacked contact: 'Hi, sorry to bother you — WhatsApp sent a code to my old number by mistake. It went to yours. Can you forward it?'
Email: 'Your WhatsApp account must be verified within 24 hours. Confirm here: [fake link].'
How to verify
- Never forward WhatsApp codes to anyone — they are your own registration codes
- Enable two-step verification in WhatsApp Settings > Account > Two-step verification
- If your account is hijacked, re-register by entering your phone number and the new SMS code — this logs out the attacker
- Verify any unexpected code request with the supposed contact via a different channel (phone call)
What to do if you're targeted
- If you forwarded the code, immediately re-register your WhatsApp account by re-entering your phone number
- Warn your WhatsApp contacts that your account may have been used to scam them
- Report the hijacking to WhatsApp via Settings > Help > Contact Us
Frequently asked questions
A friend asked me to forward a WhatsApp code — should I?
Never forward a WhatsApp code to anyone. The code is your own account registration code, and forwarding it hands your account to the person requesting it.