Cyber Security · 2 May 2026

UK Cybersecurity Scam Alert: WhatsApp Hijacking 2024

By Markelly AI · 2 May 2026

A dangerous new cybersecurity threat is sweeping across the United Kingdom: criminals are hijacking WhatsApp accounts through sophisticated social engineering tactics. In this scam, fraudsters impersonate trusted contacts and trick victims into sharing the six-digit verification codes that grant complete access to their messaging accounts. Once inside, the criminals target the victim’s entire contact list, requesting urgent money transfers and potentially accessing sensitive personal information, banking details, and private conversations. Security experts warn that this scam could eventually escalate into large-scale identity theft operations, financial fraud networks, and even blackmail schemes as criminals gain access to years of private messages, photos, and videos stored within compromised accounts.

The WhatsApp hijacking scam has become one of the most prevalent cybersecurity threats facing UK residents in 2024. The attack typically begins when a criminal obtains just one phone number, often through data breaches or by purchasing information on the dark web. They then attempt to register that number with WhatsApp on a new device, which causes the legitimate user to receive a six-digit verification code via SMS. This is where the social engineering component becomes crucial to the scam.

How the WhatsApp Account Takeover Works

Criminals contact the target through various means, often posing as WhatsApp support, a delivery service, or even a friend whose account has already been compromised. They create a sense of urgency, claiming there is a security issue, a package waiting for delivery, or an emergency situation requiring immediate action. The victim is told they will receive a code and must share it quickly to resolve the supposed issue. Many people, caught off guard and wanting to be helpful, comply without realizing they are handing over the keys to their entire WhatsApp account.

Once the criminals input the verification code, they gain complete control of the account on their own device. The legitimate owner is immediately logged out and loses access. The criminals then quickly change the account settings, including the profile photo and privacy settings, to prevent the victim from regaining control. They also activate two-step verification using their own PIN, adding another layer of difficulty for the victim trying to recover their account.

The Financial Impact on Victims

After successfully hijacking an account, criminals move swiftly to exploit the victim’s contact list. They send messages to friends and family members claiming to be in desperate need of money, often citing an emergency situation such as a stolen wallet, urgent bill payment, or medical emergency. Because the messages come from a trusted contact’s verified WhatsApp account, many people do not question the request and send money immediately through bank transfers or payment apps.

UK Action Fraud has reported thousands of cases involving this scam, with individual losses ranging from hundreds to thousands of pounds. The total financial impact runs into millions of pounds annually, but the emotional distress and breach of privacy often prove even more damaging to victims. Many people store intimate conversations, private photos, and sensitive business communications within their WhatsApp accounts, all of which become accessible to criminals.

Protecting Yourself from Account Hijacking

Cybersecurity experts recommend several critical steps to protect against this threat. First and foremost, enable two-step verification within WhatsApp settings immediately. This adds a PIN requirement that criminals cannot bypass even if they obtain your verification code. Never share verification codes with anyone, regardless of how legitimate the request seems. WhatsApp and other genuine services will never ask you to share these codes.

If you receive an unexpected verification code without attempting to log in yourself, it means someone is trying to access your account. Do not share this code with anyone and consider it a warning sign that your phone number may be targeted. Additionally, educate your friends and family members about this scam so they can recognize suspicious requests even if they appear to come from your account. Set up a family code word that can be used to verify identity during emergency financial requests.
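
The role of two-step verification described above, and the lockout that follows when the criminal sets a PIN of their own after a takeover, shown as a simplified model. This is an added example, not code from the article or from WhatsApp; the Registrar class, the phone number and the PINs are constructed for illustration, and the real service's recovery options are not modelled.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

NUM = "+447700900001"  # constructed number from the UK range reserved for fiction

@dataclass
class Account:
    device: str                 # device currently holding the session
    pin: Optional[str] = None   # two-step verification PIN, if enabled
    code: Optional[str] = None  # outstanding SMS code, if any

class Registrar:
    """Hypothetical service: SMS code proves the number, the PIN is a second factor."""
    def __init__(self):
        self.accounts = {}

    def request_code(self, number):
        # The return value stands in for the SMS delivered to the number's owner.
        self.accounts[number].code = f"{secrets.randbelow(10**6):06d}"
        return self.accounts[number].code

    def register(self, number, device, code, pin=None):
        acct = self.accounts[number]
        if acct.code is None or not hmac.compare_digest(code, acct.code):
            return False
        if acct.pin is not None and not hmac.compare_digest(pin or "", acct.pin):
            return False        # the SMS code alone is not enough once a PIN is set
        acct.code = None        # codes are single use
        acct.device = device    # the previous device loses its session
        return True

    def set_pin(self, number, device, pin):
        acct = self.accounts[number]
        if acct.device != device:   # only the current session holder can set a PIN
            return False
        acct.pin = pin
        return True

def simulate(victim_has_pin):
    svc = Registrar()
    svc.accounts[NUM] = Account(device="victim-phone")
    victim_pin = "493817" if victim_has_pin else None   # constructed PIN
    if victim_pin:
        svc.set_pin(NUM, "victim-phone", victim_pin)
    leaked = svc.request_code(NUM)      # the code the victim is tricked into sharing
    taken = svc.register(NUM, "attacker-phone", leaked)
    if taken:
        svc.set_pin(NUM, "attacker-phone", "271828")    # PIN set by the new holder
    regained = svc.register(NUM, "victim-phone", svc.request_code(NUM), victim_pin)
    return {"taken_over": taken, "victim_regains_access": regained,
            "holder": svc.accounts[NUM].device}
```

Calling simulate(False) and simulate(True) compares the same shared code with and without a PIN set in advance: the PIN protects whoever set it first.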