What is the WhatsApp OTP code hijacking scam, and how to stay safe?


If you receive any unexpected or unwanted OTPs, ignore them and do not click on any links or download any media included with them [File] | Photo Credit: REUTERS

Social media users are reporting a new WhatsApp scam that logs a person out of the messaging service and makes them lose all access to their account, including stored messages, contacts, media, and files. Once the perpetrators gain control of the victim’s WhatsApp account, they repeat the process with the victim’s contacts.

How does the scam work?

Multiple users on X described receiving normal WhatsApp texts from friends, family members, or acquaintances they had already added as contacts.

The WhatsApp message from their seemingly trusted contact asked the user to check their messages for an OTP or verification code that was sent to them by mistake, and then share the details over WhatsApp.

Users would naturally look for the OTP and share the security credentials without thinking about it too much, since the request was coming from a trusted sender.

Later, however, the user would be logged out of all their WhatsApp accounts – across devices – and would struggle to regain access to the hijacked account.

What is actually happening?

Several possibilities could be at play here, but signs point to a phishing scam. Many users do not realise that the OTP sharing request from their so-called trusted contact actually came from a malicious user who had already seized control of the sender’s WhatsApp account.

Now, with access to a platter of potential victims and their phone numbers and other sensitive details, the attacker tries to take over the next victim’s WhatsApp account. Using the phone number, they generate an OTP to verify the user’s identity, change their login credentials, or log them out of all devices. This OTP is obviously sent to the victim’s device. The attacker would lie to the victim and pretend the OTP was generated for another purpose, before asking them to share it.

The victim would likely share the OTP without realising that the malicious user is using it to take control of the victim’s own account. By the time the hacked victim is able to contact Meta or report the incident to the police, the hacker might have gone on to scam multiple other people this way.

How can you keep yourself safe?

First and foremost, never share OTP messages or personal verification codes with others, even if you trust them fully. OTPs are for your private use alone. When they are shared with others, you may end up being exploited, hijacked, or hacked, even if the OTP is only being shared between trusted contacts.

When in doubt about the security of an OTP message, it is better to let the time limit run out so that the OTP becomes useless. The OTP can be generated again later, in a more secure environment.

If friends, relatives, acquaintances, or other known contacts suddenly ask you to share OTP numbers they claim were sent to you by mistake, do not engage with such messages or get into a conversation with the user, as they may have already been hacked. Report the incident to Meta and reach out to your contact directly, if possible.

If you receive any unexpected or unwanted OTPs, ignore them and do not click on any links or download any media included with them.
