Is it safe to click a suspicious link sent on WhatsApp?
Suspicious links on WhatsApp — even from contacts whose accounts may be compromised — can lead to phishing sites, malware, or account-takeover attempts. Do not click without verifying the sender through another channel.
Last reviewed: 10 June 2026
Explanation
WhatsApp is widely used for personal communication, which makes it a trusted channel that criminals exploit. Account takeover fraud frequently uses WhatsApp: once an attacker gains access to one account, they message everyone in the contact list with links or requests, appearing to come from a trusted friend or family member.
Common WhatsApp scam patterns include: a six-digit verification code forwarded request (used to steal your own account — never forward verification codes to anyone), links to fake prize pages, impersonation of family members claiming an emergency and asking for money, and business impersonation where a supplier or employer's number is cloned.
Links sent via WhatsApp can lead to phishing sites optimised for mobile browsers, malware targeting Android devices, or pages designed to harvest WhatsApp credentials specifically. WhatsApp Web credential phishing has become particularly prevalent — fake login pages that steal your session token to hijack your account.
The defence against WhatsApp-based fraud mirrors general phishing defence: do not click unexpected links, verify requests from contacts through a separate channel, and never forward verification codes to anyone regardless of who is asking.
Common red flags
- A contact sends an unexpected link with minimal context — 'check this out', 'you should see this'
- A family member or friend messages with an urgent request for money or sensitive information
- You receive a message asking you to forward a six-digit code you received by SMS
- A 'known' contact's communication style is noticeably different from their usual pattern
- The link leads to a login page that asks for your WhatsApp credentials or phone number
What to do now
- Do not click the link — contact the sender by phone or another channel to verify
- If a family member is claiming an emergency, call them directly to confirm
- Never forward SMS verification codes to anyone — this is always an account-takeover technique
- If you have already clicked and suspect your account is compromised, re-register WhatsApp to reclaim your account
- Report the message using WhatsApp's built-in reporting function
- Enable two-step verification in WhatsApp settings for extra account protection
Frequently asked questions
My friend's WhatsApp is asking me to forward a code — what should I do?
This is almost certainly an account-takeover scam using your friend's compromised account. Never forward any SMS code. Call your friend by phone to tell them their WhatsApp has likely been taken over so they can act to recover it.
How do I enable two-step verification on WhatsApp?
Open WhatsApp, go to Settings, then Account, then Two-step verification, and follow the setup process. This adds a six-digit PIN that must be entered periodically and when re-registering your number, making unauthorised takeovers much harder.