How To Secure Your WhatsApp From Being Taken Over

WhatsApp security, account takeover, two-step verification, SIM swap, social engineering, chat backup encryption, phone scams

Someone Took Over My Friend's WhatsApp. Here's What She Missed.

She didn't click a suspicious link. She didn't download a shady app. One afternoon, her WhatsApp simply stopped working — and by the time she figured out what happened, someone had already messaged her entire contact list asking for money.

The attacker didn't need her password. They just needed a six-digit code she never should have shared.


The Attack You've Probably Never Heard Of

Here's how it works. When you install WhatsApp on a new phone, the app sends a one-time verification code to your phone number via SMS. Whoever enters that code first controls the account.

Attackers exploit this by calling you pretending to be a friend, a telecom employee, or even WhatsApp support. They tell you they accidentally sent a code to your number and ask you to read it back. The moment you do, they're in.

Your account moves to their device. You get logged out. They get your entire chat history, your contact list, and — if you haven't enabled disappearing messages — months or years of private conversations.


The Fix That Actually Matters

The single most effective thing you can do takes about 45 seconds.

Go to Settings → Account → Two-Step Verification and turn it on. WhatsApp will ask you to create a six-digit PIN. This PIN is separate from the SMS verification code — it's something only you know, stored nowhere but your memory (and optionally a recovery email).

Now, even if an attacker gets your SMS code, they still can't activate your account without this PIN. It's a second lock on the door.

Most people skip this because WhatsApp doesn't push you hard enough to set it up. That's a design failure on their part, not a user mistake. But right now, after reading this sentence, you should go set it up.


What Registration Lock Won't Save You From

Here's the counterintuitive part that almost every guide ignores: your WhatsApp account and your WhatsApp backup are two separate attack surfaces.

Locking your account with two-step verification protects you from someone hijacking your number. But if your chat backup lives in Google Drive or iCloud — which it does by default — an attacker who gets into your cloud account gets everything anyway.

According to WhatsApp's own support documentation, end-to-end encryption for cloud backups exists but must be manually enabled. It is not on by default.

Go to Settings → Chats → Chat Backup → End-to-End Encrypted Backup and enable it. You'll set a password or a 64-digit encryption key. Don't lose this — WhatsApp cannot recover it for you. But without this step, your private conversations are sitting in a cloud folder protected only by your Google or Apple account password.
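To make the "two separate attack surfaces" point concrete, here is an added Python model of an end-to-end encrypted backup. It is illustrative code written for this page, not WhatsApp's client code or its real backup format: the key derivation (PBKDF2-HMAC-SHA256), the cipher (an HMAC-SHA256 counter-mode keystream with an HMAC tag, used because the standard library has no AES), the treatment of the 64-digit key as 64 hexadecimal digits, and the sample chat lines are all assumptions chosen for the demonstration. What it shows is the property the section relies on: the cloud provider stores only the encrypted blob, so owning the Google or Apple account yields nothing readable, while a wrong password (or a lost key) yields nothing at all, not a partially garbled copy.

```python
"""Illustrative model of an end-to-end encrypted chat backup (added example,
not WhatsApp's code or backup format). Demonstrates why a backup encrypted
under a key the cloud provider never holds is opaque to whoever controls the
cloud account, and why losing the password or 64-digit key is unrecoverable."""
import hashlib
import hmac
import secrets

# Constructed sample: a tiny "chat backup" standing in for what a client uploads.
SAMPLE_BACKUP = (b"[2024-01-03 09:12] alice: can you send me the code?\n"
                 b"[2024-01-03 09:13] bob: no - nobody legitimately needs that\n")

# Iteration count is an assumption kept modest so the example runs quickly.
PBKDF2_ITERATIONS = 200_000


def key_from_password(password: str, salt: bytes) -> bytes:
    """Derive a 256-bit key from a user password. The salt is stored next to
    the backup; the password itself never leaves the phone."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def key_from_64_digit_key(key64: str) -> bytes:
    """A 64-hex-digit key is already 256 bits, so it is used directly
    (assumption: the key is hexadecimal)."""
    if len(key64) != 64 or any(c not in "0123456789abcdef" for c in key64.lower()):
        raise ValueError("expected 64 hex digits")
    return bytes.fromhex(key64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 as the PRF
    (demonstration construction, not a standard cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_backup(plaintext: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce (16) || ciphertext || tag (32).
    Separate sub-keys for encryption and authentication are derived from `key`."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_backup(blob: bytes, key: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong key fails closed with no
    plaintext, which is the behaviour a backup owner wants."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered backup")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def cloud_compromise_scenario(password: str) -> dict:
    """Contrast what the phone owner gets with what an attacker holding only
    the cloud account (and hence only the blob) gets."""
    salt = secrets.token_bytes(16)
    key = key_from_password(password, salt)
    blob = encrypt_backup(SAMPLE_BACKUP, key)  # the cloud provider stores only this
    result = {
        "owner_can_read": decrypt_backup(blob, key) == SAMPLE_BACKUP,
        "plaintext_visible_in_cloud": SAMPLE_BACKUP[:12] in blob,
    }
    try:  # attacker tries a near-miss password against the stolen blob
        decrypt_backup(blob, key_from_password(password + "1", salt))
        result["attacker_guess_succeeded"] = True
    except ValueError:
        result["attacker_guess_succeeded"] = False
    return result


if __name__ == "__main__":
    print(cloud_compromise_scenario("correct horse battery staple"))
```

The same `decrypt_backup` failure that stops an attacker also stops the owner who forgets the password, which is why the section's warning that WhatsApp cannot recover the key for you is a property of the design, not a support limitation.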


The Linked Devices Trap

Most people don't realize WhatsApp lets you stay logged in on up to four devices simultaneously. This is convenient. It's also how someone can maintain persistent access to your account even after you've recovered it.

If your account has ever been compromised — or if you just want to check — go to Settings → Linked Devices. Look at the list. If you see a device you don't recognize, or one you haven't used in months, remove it immediately.

The scary version of this: an attacker who briefly accessed your account can link their browser or computer and then quietly read your messages for weeks. You'd never know unless you checked this screen.


Your SIM Card Is a Vulnerability Too

Phone numbers are the foundation WhatsApp is built on, and phone numbers can be stolen. This is called a SIM swap — an attacker convinces your mobile carrier to transfer your number to a new SIM card they control.

According to the U.S. Federal Trade Commission, SIM swapping is a documented form of identity theft that mobile carriers have struggled to prevent.

The best defense is to call your carrier and add a verbal PIN or passphrase to your account — something required before any changes can be made. This isn't foolproof, but it raises the bar significantly. If your carrier offers a "SIM lock" or "port freeze" feature, enable it.

Two-step verification in WhatsApp also provides a layer of protection here, because even if someone swaps your SIM, they still can't activate WhatsApp without your personal PIN.


The Social Engineering Script to Know

Attacks targeting WhatsApp almost always follow a predictable script. Someone contacts you — often impersonating a friend whose account has already been taken over — and says something like:

"Hey, I accidentally sent a WhatsApp code to your number instead of mine. Can you send it to me?"

The code they're asking about is not theirs. It's yours. Reading it to them is the entire attack.

No legitimate person, company, or service will ever ask you for a WhatsApp verification code. The moment someone asks, hang up or stop responding. It doesn't matter how convincing the story sounds.

According to Kaspersky's security research blog, this forwarding scam is one of the most common methods used to hijack accounts at scale, because it requires zero technical skill and works entirely on social pressure.


The Honest Caveat

Everything above will make your account significantly harder to compromise. But "harder" isn't the same as "impossible."

If someone has prolonged physical access to your unlocked phone, two-step verification doesn't help you. If your recovery email account gets compromised, your backup encryption key could be at risk. And if a sufficiently motivated, well-resourced attacker targets you specifically — not a bot running a mass scam, but a person with time and intent — the attack surface is always larger than any single article can cover.

This guide is about making you a harder target than most people around you. That matters, because the vast majority of account takeovers happen because of predictable, preventable mistakes — and the attacker moves on when they hit resistance.

Set the PIN. Encrypt the backup. Check your linked devices. Add a SIM lock.

Do those four things and you've already done more than 90% of WhatsApp users.


Sources:

  • WhatsApp Support — End-to-End Encrypted Backups
  • U.S. Federal Trade Commission — SIM Swap Scams
  • Kaspersky Blog — WhatsApp Account Hijacking