The WhatsApp 6-digit code scam is back: how to protect yourself from profile theft

The State Police has issued a warning about the return of a scam that uses WhatsApp’s six-digit verification code. If you receive a message like “Hi, I sent you a code by mistake, could you send it back to me?”, don’t answer. That code is the key that would allow the cyber criminals who contacted you to transfer your account to another phone: it is the verification code that normally arrives to confirm your identity when you change devices. If you agree to the scammer’s request and send the code received from WhatsApp, the account passes into the attacker’s hands: he will be able to use your profile, consult the address book (addresses and numbers saved on the device), send messages to your contacts and perpetrate other frauds. To defend yourself from this social engineering technique, don’t send codes to anyone, don’t click on suspicious links and activate two-step verification in WhatsApp settings.

What is the 6-digit WhatsApp code requested by scammers

The 6-digit code you receive via SMS is an authentication mechanism: it serves to confirm that the telephone number is in the hands of its legitimate owner. In the scam, the attacker exploits this logic by starting the activation procedure on one of his own devices. Since he cannot read the SMS messages that reach the potential victim, whose phone number is associated with the WhatsApp account he wants to steal, he tries to deceive the victim with a seemingly harmless request. The psychological element plays a crucial role in this scam, because the request for the code usually comes from one of your contacts (whose account has in turn been stolen), which makes it very credible.

This type of manipulation belongs to the set of “social engineering” techniques, which consist in using psychological stratagems to convince someone to reveal confidential information or carry out dangerous actions (such as sharing the code in question). If a user takes the bait set by the scammer, the theft of the account is practically guaranteed, as the State Police itself explains in a statement issued in recent days:

The code sent (…) allows cybercriminals to complete the procedure, take over your WhatsApp account and phone book, and exploit this data to carry out further fraud using your phone number, to the detriment of your contacts.

How to avoid WhatsApp account theft

To avoid having your WhatsApp account stolen, follow these three simple rules:

  • First: the codes received via SMS are strictly personal. Never share them, not even if a friend, family member or any other contact saved in your address book asks you to.
  • Second: do not click on suspicious links in messages, as they could lead to pages where scammers carry out phishing.
  • Third: enable two-step verification in the Settings > Account > Two-Step Verification section. This function lets you set a PIN that is requested for each modification operation and for new accesses.

If you have already provided the code and lost access to your WhatsApp account, you can attempt to recover it with the following procedure:

  1. Open the app and select the Log in again option, confirming the operation.
  2. You will be asked to enter your telephone number complete with international prefix (for Italy it is +39).
  3. After doing this, you will receive a text or call with a new six-digit verification code: enter it in the text field in the app. When the code is accepted, all devices connected to your account are automatically disconnected, including the one possibly used by whoever stole your profile. In some cases, a request for a PIN linked to the two-step verification function may appear (if you have already set it up). If you do not remember this PIN (or if it was set by the scammer) you will have to wait approximately 7 days before you can try to log in again. After this time, the account will be recoverable and any unauthorized user will be disconnected in any case.
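
The mechanics described above can be seen in a small simulation. This is an added example, not part of the original article and not WhatsApp's code: the class ToyMessenger, the function run_scenario, the phone number and the PIN are all constructed, and the model only reflects what the article states (a code sent by SMS, an optional two-step PIN, and disconnection of other devices on a new login).

```python
import secrets


class ToyMessenger:
    """Simplified model of SMS-code registration as the article describes it."""

    def __init__(self):
        self.pending = {}  # number -> code sent by SMS to that number
        self.pins = {}     # number -> two-step verification PIN, if set
        self.device = {}   # number -> device currently holding the account

    def request_code(self, number):
        # Anyone who knows the number can trigger this step; the SMS itself
        # is delivered only to the phone that owns the number.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        return code  # stands for the SMS arriving on the owner's phone

    def set_pin(self, number, device, pin):
        if self.device.get(number) != device:
            raise PermissionError("only the registered device can set the PIN")
        self.pins[number] = pin

    def register(self, number, device, code, pin=None):
        expected = self.pending.get(number)
        if expected is None or not secrets.compare_digest(expected, code):
            return "wrong code"
        stored = self.pins.get(number)
        if stored is not None and (pin is None or not secrets.compare_digest(stored, pin)):
            return "PIN required"  # the relayed code alone is not enough
        del self.pending[number]      # a code is valid once
        self.device[number] = device  # every other device is disconnected
        return "registered"


def run_scenario(two_step_enabled):
    svc = ToyMessenger()
    number = "+39 000 0000000"  # constructed placeholder number
    svc.register(number, "victim-phone", svc.request_code(number))
    if two_step_enabled:
        svc.set_pin(number, "victim-phone", "482913")  # constructed PIN
    # The scammer starts activation on his own device; the SMS reaches the
    # victim, who is tricked into sending the code back.
    relayed = svc.request_code(number)
    outcome = svc.register(number, "scammer-phone", relayed)
    # Recovery: the owner logs in again with a fresh code (and PIN if set).
    pin = "482913" if two_step_enabled else None
    svc.register(number, "victim-phone", svc.request_code(number), pin)
    return outcome, svc.device[number]
```

With two-step verification off, the relayed code is enough for the scammer's device to take the account; with it on, the same code is rejected until the PIN is supplied. In both cases the owner's new login returns the account to the owner's phone.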

If you continue to have problems, do not hesitate to contact WhatsApp via the online contact form on this page or via [email protected].