
HAS YOUR WHATSAPP BEEN HIJACKED?


South Africa has seen a rash of hijacked WhatsApp accounts in the past week, with scammers then impersonating their victims and asking for emergency money transfers from their friends.

The fraud usually relies on first hijacking a phone number by porting that number to a new network, and a new SIM card under control of the scammer. Unless a WhatsApp account is protected by two-factor verification, whoever receives SMSes controls WhatsApp for the associated phone number too.

Once they can impersonate victims via WhatsApp, scammers need only wait for an incoming message (either directly to the victim, or to any group to which the victim belongs) to obtain the phone numbers of acquaintances – and ask those people to send money via e-wallet services.

If you are a victim, the fastest way to halt the attack and get back control of your WhatsApp account is to get back control of your cellphone number. Here is everything else you can and should do.

If you can't get your number back fast, email WhatsApp.

WhatsApp offers a last-ditch way to deactivate your account via email. Send a mail to [email protected], with this exact phrase in the subject and body of the mail: "Lost/Stolen: Please deactivate my account". Add your phone number in the body of the mail, in the international number format +27 XX XXX XXXX, and remember to drop the first zero in 083 or 082.

Once you have your number back, log in to WhatsApp – and log out web users.

Once you sign in to WhatsApp, anyone else using your number is logged out automatically, so log in as soon as you are receiving SMSes again.

But that won't necessarily stop an attacker from still impersonating you using the WhatsApp web interface. To prevent that, go to settings in WhatsApp, select "WhatsApp Web", and click on "Log out from all devices".

If you are asked for a verification code you didn't set up, you'll have to wait a week.

WhatsApp allows you to create a six-digit PIN number to prevent account hijacking. If you don't activate that option, an attacker can do so while controlling your account – locking you out.

The bad news is that there is nothing you can do except wait. After a WhatsApp account has been inactive for 7 days it becomes possible to log in without a verification code. Your hijacker is kicked out before you are asked for that six-digit PIN number, which means neither of you can use the account, and it will sit idle. A week later you – as the person who gets the SMSes – will win out.

Let your WhatsApp groups know they were compromised – and check for new members if you are an admin.


An attacker who hijacks your WhatsApp account has access to all the groups of which you are a member – and which you administer.

It's only polite to let people know that their conversations could have been spied on while your account was compromised, even if the discussion isn't secret or sensitive.

If you administer any groups, check for new members added by "you" while you were being impersonated, or a scammer could keep listening in.
