The Malaysian Communications and Multimedia Commission (MCMC) has issued a statement warning the public to be wary of increasingly inventive tactics employed by scammers trying to hijack a user’s WhatsApp account, due to increasing reports of fraud cases being committed through the app.
MCMC said scammers usually manage to take over victims’ WhatsApp accounts by tricking them into divulging their six-digit verification codes, which users will usually receive when there is an attempt to change the phone number associated to their account.
To do this, scammers have been known to contact potential victims while posing as a hapless individual or business claiming to have mistakenly keyed in the victim’s phone number while trying to complete an online transaction, explaining that as a result the authorisation code for the transaction had been sent to the victim’s phone and imploring them for help retrieving the code.
These appeals could even come from the victim’s family members or friends via accounts that scammers had already hijacked, said MCMC.
This tactic commonly misleads the victim into thinking they would be sending the scammer an unrelated TAC (transaction authorisation code) when in fact they would be handing over the six-digit verification code to the victim’s own WhatsApp account.
Those who have been duped into giving up their codes could end up having their accounts stolen by scammers, added MCMC.
MCMC said scammers have also impersonated WhatsApp employees to fool users into sharing their verification code, adding that there have also been instances where the scammer would deliberately fail at keying in the code several times in order to force an automated system by WhatsApp to call the user about their verification code.
In this instance, the scammer would also contact the user to ask for the code while pretending to be someone else. If the user did not answer the automated call by WhatsApp and it goes into the user’s voice mailbox, then the scammer would try to randomly guess at or ask for the user’s voice mailbox PIN code to access the recording, according to MCMC.
The regulatory body advised WhatsApp users to be suspicious of any attempts to procure their six-digit verification code, adding that it is absolutely imperative that users never reveal the code to anyone else to prevent their accounts from being hijacked.
It added that users should also enable two-factor verification on WhatsApp and utilise more complicated PIN numbers for their voice mailbox as additional security measures.
According to an FAQ by WhatsApp, a user may be sent the verification code via SMS – even when one wasn’t requested – for a number of reasons.
WhatsApp said this could happen due to someone mistyping their own number, or a hacker attempting to take over the person’s account.
Without the code, the hacker will not be able to complete the verification process, which would prevent the account from being hijacked.
If your account has been stolen, you will have to sign into WhatsApp with your phone number and verify your phone number by entering the six-digit code you receive via SMS.
Once you enter the six-digit SMS code, the individual using your account will be automatically logged out.
You might also be asked to provide a two-step verification code. If you don’t know this code, the hijacker using your account could have enabled two-step verification.
You must wait seven days before you can sign in without the two-step verification code, according to WhatsApp.
Regardless of whether you know this verification code, the other person will be logged out of your account once you entered the six-digit code received via SMS.
In a separate FAQ about stolen accounts, WhatsApp also advised the victim to inform family and friends if they suspect someone is impersonating them in chats.
Users whose WhatsApp accounts have been stolen are encouraged to file a complaint with MCMC or lodge a report at the nearest police station.