WhatsApp Account Hijack: How Fraudsters Win Your Cooperation

Imagine relaxing in your room or hanging out with some friends, and then your phone starts buzzing. Everyone in the world is calling to ask you, “When did you start promoting Ponzi schemes (invest N50,000and collect N100,000 the third day)?” They have all received WhatsApp messages—individually and in the groups you belong to—from you, promoting the investment. Of course, many can tell the message can’t be from you. There are telltale signs e.g. “Hi, this is John has you all know me.” But the message is from your account with your picture – everyone of us has friends and acquaintances who would like to think this is what you have resorted to because of Nigeria’s harsh economic conditions. The reputational damage of fraudsters hijacking your account is real.

Here is how fraudsters hijack your WhatsApp account

At least, this is one of their smartest tricks. They download the WhatsApp application, then enter your phone number to set it up. WhatsApp would assume you are using the app on a new phone, but would take steps to ensure it is really you, the owner of the phone number associated with the WhatsApp account that is trying to use or transfer your WhatsApp account on a new phone.  So, you will get an automated call that will give you a code that you require to set up your WhatsApp account on a new phone.

The fraudsters play a fast one on you by making you hand over the code to them. Assume you are a member of the Ikoyi Golf Club and you are active on its WhatsApp group where you have been discussing a CSR project. You suddenly get a call and you are asked, “have you registered for the committee discussion on the CSR project tomorrow at 10am? Oh, you haven’t. Okay, you will get a call now from an American number giving you the code you require to register”. Immediately you finish this conversation, you indeed get a call from a USA telephone number and the guy supposedly from your Ikoyi Golf Club WhatsApp group calls to request your registration code within 10 seconds of you getting it. Once you hand it over to him, you have handed over the code the fraudster requires to take over your WhatsApp account – all your contacts, your display picture, all the chats you’ve had with everyone including groups. The fraudster will start chatting with everyone pretending he is you and offering a lot of crazy investment opportunities.

The whole operation relies on a fraudster infiltrating a WhatsApp group and monitoring conversation so as to have a story to trick you with. The main damage is to your peace of mind and probably, reputation. You cannot contact anyone on your WhatsApp account that has now been transferred to the fraudster’s phone number. And the whole world starts to call you, telling you or wanting to verify what has been sent to them in your name. But you can recover your WhatsApp account almost immediately. Your old app asks you to register: enter your telephone number and select the option to get a call to receive a code to register. You will immediately restore all contacts except WhatsApp groups from which many administrators would have noticed that someone is sending strange messages from a new number and would have most likely removed your account. You would have to ask to be re-invited.

How to prevent your account being hijacked

1. Authorize the two-way verification process

To do this, click on Settings in WhatsApp, select account, then choose two-step verification and you will be asked to set up a 6-digit PIN for your account. So, if someone tricks you with story to hand over the code required to hijack your account, they will need this pin to succeed. Many have refused to do this because they are unaware of the frustration and embarrassment the hijacking of their account can result to.

2. Do not use the unauthorised version of WhatsApp

Avoid using an unsupported version of WhatsApp. Though the popular GBWhatsApp has been banned by WhatsApp, some users still find a way to install it on their mobile devices.

3. For WhatsApp groups

If you notice the number of a member’s account has changed, notify the admin and also call to verify that the member has truly linked their account to a new number. If you can’t do this before the purported hacker starts sending unusual messages, quickly call your member to alert him or her that his or her account has been hijacked by a fraudster. Of course, you should quickly remove this account and re-add the member once they have regained control of their account. When you call them, you should also share the procedure for recovering the account – they may not know this. It is advisable to put a call through to the group member whose number has been sending unsolicited messages to the group to clarify if they were hacked.