
Scam alert: WhatsApp verification message trick

Hackers are trying to get access to WhatsApp accounts after stealing the identities of their victims’ contacts. Here’s how it works and what to watch out for.

First, you’ll receive an unexpected but genuine text message from WhatsApp containing a verification code. This is usually triggered when logging into the app for the first time, when you’ve been logged out, or you’re trying to log into WhatsApp from a new device.

But in the case of this scam, fraudsters have entered your number into WhatsApp themselves to try to get access to your account, triggering the verification code text.


Next, one of your WhatsApp contacts will message you via the app, usually with a story to try to persuade you to give them the verification code you’ve just received. They might say they entered your number by mistake, for example.

Because the message seems to be from a relative or friend, a lot of people have been tricked into passing on the verification code, which then allows fraudsters to take over their accounts.

Once they’ve taken over, scammers might use your account in a few different ways.

What happens next?

We’ve heard that scammers have identified their victims’ closest contacts from their message history and have asked them for money or sensitive information.

They could also find out personal details about you and your contacts from your messages. This information could be used to access other important accounts, target you with more scams, or even blackmail you.

Scammers are likely to carry out the same verification-code trick on the new set of contacts they’ve unlocked, gaining access to more and more accounts. A WhatsApp spokesperson told us:

“The safety and security of our users and their messages are really important to us. However, just like regular SMS or phone calls, it’s possible for other WhatsApp users who have your phone number to contact you.

We advise all users never to share their WhatsApp SMS verification code with others, not even friends or family. We also recommend that all users set up two-step verification for added security. For more information and resources on how to stay safe online, visit our website.”

Guide: what is two-factor authentication and should you use it?

How to keep your WhatsApp account safe

⚠ Don’t share your login details or verification code with anybody, not even your closest family or most trusted friends.

⚠ Set up two-step verification to secure your account.

⚠ Be wary of WhatsApp messages requesting money, even if they come from your contacts. If you’re not sure, give the friend a quick call to check.

As always, if you think you may have given sensitive details, such as payment information, to fraudsters, let your bank know what’s happened immediately.

Guide: how to spot a scam

Guide: how to get your money back after a scam

WhatsApp users who have lost access to their accounts can contact support@whatsapp.com.

Have you been targeted by this WhatsApp verification trick? Have you received any other suspicious messages through the platform? Let us know what happened.


Comments

This has happened to me over the last 36 hours since I upgraded my phone. I seemed to be just going round in circles from the ‘old’ phone to the new one, entering codes. There are now one or two numbers showing as ‘not available’ when I try them and I suspect they are fraudsters numbers. At present WhatsApp seems to be working OK and no data has been compromised as far as I can tell, but all very disturbing.

I hope you read all the text that WhatsApp sent you on your initial sign up.
I was asked to join for use with a fishing syndicate, but refused to join after reading that I was about to give control of all my files to WhatsApp. Having had problems with data abuses using Facebook, and given that I use online banking, there was no way I would agree to that.

mary doreen nash says:
28 May 2021

A young lady I know has had a call from someone who said they were the police and that she was going to be arrested for money laundering. Two hours later and five conversations with five different people later, she was so terrified and confused that she handed over her savings of £1500. She used fingerprint verification and is now talking to her bank. She says she was so upset and confused, and they knew lots of personal information.

AnuraJ says:
28 May 2021

I had exactly the same problem back in January when I got a new phone. Eventually, my account was locked because of “too many attempts” and I received a message saying I had to wait – I think it was – 12 hours before I could try again. When the time was up I tried again only to find the length of time automatically increased to 72 hours at which point I clicked on the “request a phone call” option. Within minutes a new code was transmitted and all went well this time.

I wasn’t concerned about scammers as I had actually got a new phone and, having been through the procedure a couple of years back, I was expecting the code. However, there weren’t any sort of problems two years ago so I don’t know what’s happened to their service in the meantime. I think the time to be wary is when you haven’t changed phones and you receive the code when you’re not expecting it.

Sandra Shanks says:
28 May 2021

Two days after I posted and paid for recorded delivery, I received an email allegedly from The Post Office. I was informed that I had not paid enough and it demanded an additional £2.60 immediately. I ignored this and, after a further try, I heard no more. Not a great deal of money, but perhaps people pay it without question because of that.

I then received another email from a delivery firm, alleging that I was not at home when they tried to deliver goods (value £105) from Laithwaites. It was now back in their depot and I should send £2.50 to have the parcel redelivered. I contacted Laithwaites, who informed me that the box had not yet been put out for delivery. They said immediately that it was a scam which many customers had reported.

Sandra – Although the upfront payment demanded in the Royal Mail scam is a small amount, that is just a Trojan horse, and once the criminals have your bank details they raid your funds; they have plundered people’s life savings.

This has cropped up in a number of different scam-related Conversations, but there is a Conversation devoted chiefly to the Royal Mail version. See –
https://conversation.which.co.uk/scams/royal-mail-fake-website-text-scam-warning/

Sandra, whenever money is involved you can bet it is a scam! As you know, never click on a link. Well done to you for contacting your supplier. Please take care and be aware.

Fran Heron says:
2 June 2021

I am well past my sell-by date and seriously IT-challenged at the best of times.
I was recently taken in by widespread advertising of a Starscope Monocular device, purchasing an additional one at half price, a gadget to attach a mobile phone to photograph images and, for good measure, I bought an insurance policy.
I was bombarded by messages saying I had not completed my purchase, and in a digital chat I said I had checked my bank balance and the sum in excess of £90.00 had been debited to the address in the US. I was then told that the fault was at their end and after a few questions I felt reassured.
After a number of weeks I received one device and, being very busy, put it aside after a cursory look. The next day I received the second device and the mobile attachment gadget.
On examination, the packaging was very poor, there was no branding on the device, no instructions and clearly the product was very inferior. It had been shipped from China.
I then began to get loads of the advertising on my mobile and I think I may have updated WhatsApp and have again been bombarded with promotional material.
At this point I thought I would try the company website and went in search, only to discover that among my choices from Starscope Monocular was Starscope Monocular SCAM. There are no details of product return if dissatisfied.
So I have been scammed, with probably no chance of recovering my money. On top of that I am worried that my mobile could well have been hacked, and what I need to do to find out if this is so and how to remedy the situation.
I am thinking maybe I should get in touch with my bank and will do so just in case.
Any advice you can give me would be appreciated. There’s no fool like an old fool.

Hi Fran, sorry to hear this. If unauthorised charges have been made against your bank card, then you should report that to your bank.

Buying unfamiliar goods sight unseen is always a risk. I think it was ever thus, even in olden days when such items were advertised in newspapers and magazines.

Regrettably, the Internet makes it all too easy for us to buy from overseas. But if we do that, we can lose our UK legal right to return goods within 14 days if we don’t like them.

If you are now being deluged with advertising, your details may have been shared with advertisers by the firm you dealt with.

If all these adverts are coming by email, then you may be able to block them by using decent security software with a spam blocker.

If you are suffering loads of pop-up adverts while browsing, then adding an ad blocker to your browser may help. It can also help to restore your browser to factory settings, to remove any unauthorised add-ins that may be lurking there.

As you say you do not have strong IT skills you may want to pay a reputable IT professional to help with that. Most good local computer repair shops can probably help there, but I recommend you avoid the likes of PC World or dodgy online services.

Agree you should avoid PC World. A few years ago my laptop was hacked, so I took it to PC World, who said they could sort it. Well, they did sort it, but they didn’t tell me that all they would do was wipe the laptop completely and put back on the Windows 7 that I was on at the time. Everything else was gone. All my photos from some years. When I went back to them they said I didn’t ask for those things to be kept. Never again would I ever trust them. Shortly after, I had a phone call supposedly from them saying my laptop was compromised. I phoned them and they said the phone call wasn’t from them.

Simon Wright says:
3 June 2021

Hi, I stupidly clicked on a spam link I received in a WhatsApp message yesterday and something downloaded on to my phone. I’m now terrified that my WhatsApp account and phone have been hacked/compromised. Any ideas what I should do? Thanks.

Hi Simon, sorry to hear this.

If you think that your phone has been compromised by a software download, then you may be able to fix that by either directly removing the software or by the more extreme option of doing a factory reset on your phone.

Failing either of those, you could always just get another phone.

In my experience it is rare for malicious apps to be downloadable from the official Apple or Google app stores, but Android phones can also be set up to allow the side-loading of unofficial apps, which are a lot more likely to include malicious code.

I’ve also seen PC browsers infected with malicious add-ons, so just “factory resetting” any web browsers used on your phone may also get rid of any problems. This often works on PCs.

Before you factory reset a phone, you should probably back up any key data on your phone, e.g. contacts and any treasured photos or movies. If you have an iPhone or an Android phone, then you can usually set your Apple or Google account to automatically back up those data to the cloud.

It would also be worth checking the list of installed apps and removing any that you do not need or do not recognise.

After doing a factory reset, you’ll need to log back in to your Apple or Google account, so make sure that you know all your login details before you reset any phone. Given that you are worried about malicious apps, I suggest you do not reinstall all your currently installed apps after any reset. Instead, it would be better to install apps one at a time, as needed.

Great guidance @derekp. We also have some guidance on our site that might help as well, Simon.

How to factory reset an android phone – https://computing.which.co.uk/hc/en-gb/articles/360010592200-How-to-factory-reset-your-Android-phone-or-tablet?&source_code=911CQJ&gclid=Cj0KCQjw–GFBhDeARIsACH_kdZ8Ia4biYLN3ECSr6vXjbWNwD5vme_8XFnU7OzVnzn_Gi2sWhHBh5AaAuLiEALw_wcB&gclsrc=aw.ds

Reset your Android device to factory settings (via Google) –
https://support.google.com/android/answer/6088915?hl=en-GB

Hope this helps 🙂

Thanks Chirag. I was tempted to add “and never allow any social media apps like WhatsApp or Facebook (etc.) onto your precious phone…” but that is probably not advice that many would want to follow.

WhatsApp and Facebook are the same company, I believe.

Simon Wright says:
3 June 2021

Thanks for all the help and advice. It wasn’t an app that was downloaded, it was a link in a WhatsApp message that I clicked on.

Hi DerekP,

Maybe don’t click Chirag’s links… they look a bit dodgy to me!!!????

Hi KenR, Chirag is a Which? staff member. I’m sure he will have checked his links before posting.

I don’t understand the point of this scam. WhatsApp messages are sent from one phone NUMBER to another; having someone’s verification code won’t let you see all their old messages, as messages are stored locally on the phone. The only place they are backed up to is either an iCloud account or Google Drive.

The thing is with scams, if they send a text or email and you reply to it or read the email or text, they know that your email or WhatsApp account is active, so they can send you scams in the future or the present.

Nick says:
8 June 2021

…and what about when you notify WhatsApp support that someone has stolen your account by this method, and then WhatsApp “support” suspends your account forever? This is helping hackers to continue and forces good users to move to Telegram.

Susan Tomkins says:
13 July 2021

WhatsApp message received last night …

Hi Mum, my phone broke and this is my new number

I didn’t click the links at the bottom, but can see many people would!

Madelyn says:
27 August 2021

My mum has just been victim to this!! They sent the same thing virtually.

Unfortunately, my mum thought it was me and so engaged in conversation with them. The fake me told her that I was stressed, and to cut a long story short she transferred the scammers £2690, thinking it was me and that I was going to pay her back.

My mum’s bank can’t do anything as the money has left her account. And the scammers’ bank is highly likely unable to do anything, as the money was most likely withdrawn instantly.

It’s awful.

Hi Madelyn, your mum has been the victim of an authorised push payment scam. Many banks are signed up to the voluntary code, and there’s a good chance she’ll get her money back if she contacts the bank. We’ve got lots of advice here for her to follow, and let us know how she gets on. https://www.which.co.uk/consumer-rights/advice/what-to-do-if-you-re-the-victim-of-a-bank-transfer-app-scam-aED6A0l529rc

Worth knowing that I spoke to two victims of this scam and, interestingly, one was reimbursed by their bank and the other wasn’t (despite being in the same banking group). If her bank says no refund, escalate the complaint to the FOS. More on this here: https://www.which.co.uk/news/2021/09/which-calls-for-an-end-to-banks-blaming-fraud-victims/

How is the bank responsible for someone responding to a WhatsApp scam, unless they knew the scammer? Was the bank negligent? What should it have done to stop the payment? I’d simply like to know the basis and reasoning underlying the notion that the banks should give money to people in these circumstances.

Hello Malcolm, the banks in question are signed up to the CRM Code. This means they should reimburse victims unless they can establish that their customer didn’t have a ‘reasonable basis’ for believing the person or organisation they are sending money to is genuine. As I state in the article, Financial Ombudsman Service (FOS) data indicates that banks are getting most reimbursement decisions wrong: 73% of complaints about APP fraud were upheld in favour of consumers in 2020-21.

https://www.lendingstandardsboard.org.uk/wp-content/uploads/2021/04/CRM-Code-LSB-Final-April-2021.pdf

@chiara-cavaglieri, hello Chiara. Thanks for your quick reply. I am fairly familiar with the CRM but my question was why is the bank held responsible to make a repayment if it had no knowledge of the circumstances of the transaction and could not be aware that the destination for the transfer was to a fraudster? I am simply trying to establish whether we regard the banks in such circumstances as having a liability through negligence, or whether they are simply expected to act as a benefactor by giving money to those suffering a loss.

If the banks have no liability, why are they expected to repay and not some other organisation? Indeed, I might ask why someone who falls for a scam, with no material involvement of a third party, such as their bank, should expect to be repaid? It is not that I lack sympathy, I would like someone to give a logical explanation so that I understand the argument being used.

If we order goods or services online we have a legal right to cancel the contract within fourteen days, with a few exceptions such as bespoke goods.

Some of us have suggested that there should be a period during which those who realise or suspect that they have been scammed could stop the payment. This need not apply in the case of payments to companies or other organisations that we have already used.

By not providing the opportunity to cancel the payment, perhaps the bank could be considered negligent – in my opinion.

There’s a ‘no blame’ fund for CRM code cases where neither the victim nor the bank is at fault. Firms may fund no blame cases from the central fund or ‘self fund’ the reimbursement of customers who are assessed to be in a ‘no blame’ scenario.

Protections for authorised fraud were extremely limited before the code was introduced – I appreciate that banks can only be expected to do so much, but they had to be forced to introduce simple things like Confirmation of Payee or fraud warnings at the point of payment. APP fraud is a huge problem for the industry – and worryingly showing no signs of abating – and let us not forget that scammers are using UK accounts to launder their stolen monies (either by setting up accounts or using money mules).

You might find this worth a read? https://www.which.co.uk/policy/money/6249/pushpaymentfraud

Hi Chiara – As I mentioned above, I am concerned that it is possible to transfer funds without a period in which the transfer can be blocked. On Which? Conversation and elsewhere I have read of people realising they have been scammed before they have ended the call.

I would like pending payments to be the default, giving the opportunity for the victim of a suspected scam to report an incident to their bank for investigation. There is no need to delay payments to regular payees.

I wonder if you or one of your colleagues could comment on this.

@chiara-cavaglieri, thanks Chiara. So in some (many) cases the bank is making an ex gratia payment when it has no responsibility for the fraudulent transaction. Who provides the fund that makes these charitable payments? The banks’ customers? Does this not rather take away some responsibility from potential “victims” if they know that, should they make a less-than-responsible transaction – one they might not give due consideration to – they will get their money back?

Should we not be looking at how we can reduce fraud, both by advising customers and also looking at what further measures banks could realistically take, rather than just paying off customers who, whatever else, have responded to a fraud and instructed their bank to move their money? Perhaps Which? could give their proposals.

As far as delaying payments is concerned, whenever I transfer money from my account I am asked to choose between an immediate transfer or one at a later date. Perhaps we should educate banks customers to always delay a payment for a couple of days when paying an unknown beneficiary. I do not see why we should always rely on someone else to think for us.

I would, however, like to see banks provide accounts with differing facilities tailored to those with limited capabilities. That could include automatic payment delay (although I really do wonder whether most who fall for scams would think differently even after a day or two), limited amount that could be transferred without approval, approval required to pay anyone not on a pre-agreed list, for example.

I wonder how the banks will use the new service where a customer checks with them before making a payment to someone new. If the bank approves it, they are guaranteed recompense if it proves fraudulent. If they do not bother to check, will this guarantee not be available? I would have thought that for a significant amount of money this would make a good deal of sense for the customer to make the simple check, as long as the service can deal with all the enquiries.

It’s my understanding that the Commons Treasury committee called for a 24-hour delay for Faster Payments (bank transfers) for fraud prevention measures. I don’t know how feasible it is to do this – and many businesses rely on instant payments – or how effective this would be.

Personalised Faster Payments (consumers choosing ‘slower’ payments or ‘lower’ payments) has potential in my opinion. I have asked banks previously if they can set their own Faster Payments daily limits to minimise fraud – none did at the time but NatWest has recently introduced this and others may follow. https://www.which.co.uk/news/2021/05/natwest-to-allow-personalised-bank-transfer-caps-to-beat-scammers/

Thanks for replying, Chiara.

I’m a NatWest customer and aware of the opportunity to limit daily payments, which at least provides customers with control if they choose to use it. I hope you can persuade other banks to do the same.

I know that I can delay a payment made online, but I believe that the delay should be the default to provide protection for those who have been scammed, who may act without thinking or under pressure. There is no need to delay payments to regular payees or for official services, for example via the gov.uk website. It is encouraging to hear that the Commons Treasury Committee has raised this issue. Before we were using Faster Payments, back in the days of cheques, we accepted that the payment process was not immediate, and although I never asked my bank to stop a cheque payment I knew that the possibility existed.

I feel that the wishes of business are being put above the needs of their customers.

I’d like to see evidence that delaying a payment to an unknown recipient would be significantly effective in reducing fraud.

A reputable business would, presumably, not commit fraud so delaying payments to them would not be necessary. So I’m not clear what “wishes of business” are taking precedence.

I would welcome a response from Which? to the proposals (and questions) in my comment above.

“So I’m not clear what “wishes of business” are taking precedence.” As Chiara has explained, many businesses rely on instant payments. That may be their preference; perhaps they need to accommodate delayed payments even if the consequence is a delay in supplying goods.

The Consumer Contracts Regulations allow us fourteen days to return products bought online without any need to provide a reason. I doubt that suits the wishes of business and I’m surprised that consumers have this extent of protection. All I am suggesting is that the DEFAULT should be to delay payments to payees except in certain circumstances, for example previously used payees. Perhaps there could be an opt-out for those consumers who objected.

Well, firms get spoofed, and if a victim falls for it, yes, they should get partly blamed, as there should have been red flags that something was not right, or they should have detected something wrong.

Ilina Timonova says:
28 August 2021

I recently had a chat with someone who came across my profile on Instagram but wanted to continue the chat on WhatsApp due to his “work restrictions”. Apparently he was an American doctor/sergeant and lecturer currently working in Yemen. After a couple of days chatting, during which I didn’t share any personal information with him except my mobile number 😞, I blocked him. Nothing he said made sense to me, and when I asked for a video call he said he couldn’t on his phone but only on his computer, and asked for my email, which I didn’t give. At that point I’d had enough and blocked him. I think he has stolen someone’s identity. I was thinking of reporting it but didn’t know how.

Martha says:
23 December 2021

It happened to me but made no sense because my son lives in Australia and the ‘new’ number was a UK one! Somebody didn’t do their homework – need to try harder!