WhatsApp has been making the news for the past few days thanks to its "confusing" privacy updates and subsequent backlashes. As the buzz around WhatsApp continues to grow, a year-old global WhatsApp scam seems to have recently resurfaced in Bangladesh.
How the scam works
Shakawat Hossain, an employee of a leading financial institution, is one of the recent victims of this scam. "I received a simple SMS from a colleague mentioning that he sent me a six-digit code by mistake and asking to send the code back to him urgently. As it was a trusted colleague's number, I didn't suspect much. Next thing I know, I was logged out of my WhatsApp account," said Shakawat. "I later found out that my colleague's account was hacked first and the hackers later used his number to send me the text," he added.
The scam is surprisingly simple and crude. Every time we set up WhatsApp on a new phone, WhatsApp sends us an SMS with a one-time code that we must enter to start receiving WhatsApp messages on that phone. The purpose of the code is to confirm that the number is in our possession. The hackers use an already hacked account to contact one of that victim's friends. As in the SMS sent to Shakawat, they ask for the code they have "mistakenly" sent. The code is in fact the verification code for the friend's own number, triggered when the hackers try to set up WhatsApp with that number on their own phone. The new victim, believing that they're just helping their friend, sends the code back to the hacker and just like that, their own WhatsApp is also hacked. The hacker can then receive new WhatsApp messages and see what groups the victim belongs to, but thankfully, cannot view old messages.
How to prevent it
This crude scam involves no technological sorcery, which makes it easy to carry out and surprisingly effective, and there is no software patch that can prevent it. However, there is a safeguard that most WhatsApp users are not aware of. The one-time code usually sent to new phones is generated automatically by WhatsApp itself. But you can set your own six-digit PIN from the "Two-Step Verification" setting, accessible from Settings > Account within the app.
With this PIN set up, WhatsApp will ask you for the PIN you set whenever WhatsApp is installed on a new phone with your number. The one-time code alone is then no longer enough, which renders the scam ineffective.
And of course, never send any code or PIN back to anyone, no matter who it is, unless you are one hundred per cent sure.