As one of the world’s leading instant messaging platforms, it’s no wonder WhatsApp is a frequent target for hackers. As such, you’ll want to understand how your WhatsApp account can be breached—and take serious steps to protect your WhatsApp account, messages, and personal data.
1. Installing Malware
Sometimes, a hacker doesn’t need to hack your WhatsApp account directly. Sometimes, they just need to get a nasty strain of malware on your device and have it do all the heavy lifting instead.
Someone can access your WhatsApp messages using malware in a few ways. Malware with keyloggers can run silently in the background and record what you’re typing. This includes everything you’re sending to your friends but can also contain data such as entered usernames and passwords.
Some malware will instead harvest your messages directly. This includes malware that goes through your WhatsApp conversations and sends them back to the hacker, but it can also include viruses that hijack the screen recording feature of a phone and use it to take videos of what you’re looking at. If you happen to be chatting to someone while the malware is recording you, the cybercriminal can see what you’re discussing.
2. Call Forwarding Scams
While malware is more about monitoring your messages, there are ways in which a hacker can gain direct access to your WhatsApp account. These usually involve tricking you into giving the hacker the means to break your account’s two-factor authentication (2FA).
By far, the easiest way a hacker can crack your account’s 2FA protection is to have WhatsApp send login codes to them rather than you. One of WhatsApp’s 2FA methods gives you a login code over the phone, so hackers can use call forwarding to redirect that call over to them.
To achieve this, the scammer will convince you to enter a Man Machine Interface (MMI) code that redirects your calls to them. There are many tricks they can use, but the most common method involves convincing you that you need to call someone and then passing off the MMI code as their phone number.
Once call forwarding is set up, the cybercriminal can log into your account and opt for a voice call for the 2FA code. WhatsApp tries to call you, but it gets forwarded to the scammer, who gains access to your login code.
3. Social Engineering for Login Codes
Cybercriminals can also get 2FA login codes by asking you for them. Granted, they’ll often state that it’s something else and not the only thing stopping them from accessing your account, but they’ll still ask.
This specific attack targets SMS-based 2FA codes, where WhatsApp sends you a six-digit number that you enter into the app to log in. In this attack, the scammer will contact you and convince you that the six-digit number is actually for something else and ask you to hand it over.
One campaign reported by the Nottinghamshire Police in the UK saw scammers tell their victims that the six-digit code was actually a passcode for an important video call. People would hand over the code, thinking it would let them into a special group, not knowing that the person on the other end of the phone was about to make off with their account.
4. Fake WhatsApp Web QR Codes
When you want to use WhatsApp Web, you must scan a QR code with your phone. Unfortunately, cybercriminals have found a way to hijack this process and produce fake WhatsApp Web websites that display malicious QR codes. Once scanned, the scammer gains access to your account.
The Straits Times reports that this scam begins with a web search for WhatsApp Web. Usually, the official WhatsApp web page is the top result, but scammers are good at getting fake websites to the top of search engine results. And because people usually trust the first result, they click on it without realizing they’ve entered a trap.
The fake website looks identical to the WhatsApp Web, except this one has a malicious QR code that can steal people’s accounts. Some people don’t even realize they’ve handed over their details after scanning the code, as there are no obvious hints about what happened other than not logging into WhatsApp Web.
How to Stay Safe From WhatsApp Hacking
There are many ways people can get access to your account and messages. Fortunately, you can take plenty of measures to prevent them from getting in.
Never Give Out Login or 2FA Codes to Anyone
It’s very important not to give out your login codes, no matter what the cybercriminal says. Login codes sent over SMS will usually come with a message stating what it is, and some will even ask you never to share it with others. As such, be sure to double-check what you’re sending over before following instructions.
Think Before Following Any Given Instructions
While we’re on the topic, it’s a good idea to stop and think before following instructions. Does something about what the person asked you to do feel “off?” If so, it’s worth handling the situation with extreme caution.
For example, if someone asks you to call a number, and the number they give you contains hash symbols, asterisks, or greater-than and less-than symbols for some reason, it should set off alarm bells in your head. These symbols denote an MMI code, which means the scammer is trying to set up port forwarding on your phone.
Install a Good Phone Antivirus
If you’re worried about malware, ensure that your phone has a good antivirus installed. Some phones come with their own antivirus, but if it doesn’t, you’ll need to grab one from your phone’s app store.
Visit the Official WhatsApp Web Website Directly
If you want to use WhatsApp Web, always ensure you visit this URL: https://web.whatsapp.com/. You can bookmark it to visit later, or you can manually enter it into your address bar—it’s pretty easy to remember. By doing this, you know you’ll always arrive at the official WhatsApp Web website.
If you can’t break the habit of searching for WhatsApp Web every time you want to use it, double-check the URL you click on. Don’t blindly trust the first result; double-check the URL before you scan anything on the webpage. You may be at risk of losing your account if it says anything different from the URL above.