Here’s How Dexterous Scammers Can Hijack Your WhatsApp Account Using a Simple Trick

Last updated September 25, 2021
Written by:
Bill Toulas
Infosec Writer

With the use of messaging apps exploding right now, it is important for users to understand that their accounts aren't immune to scammers and that social engineering remains the main path of deception. As Forbes reports, there's a growing trend of using a simple scamming technique that has resurfaced during the past couple of weeks. Attackers message their targets from a previously hijacked friend's WhatsApp or Messenger account, claiming they have sent their own six-digit verification code to the victim by mistake. Then, they ask the victim to send the code "back" to them. In reality, that is the recipient's own WhatsApp code, so the targets are practically giving the attackers the keys to their personal account.

This attack method sounds simple, and its mechanics really are simple, but it remains effective, which is what makes it so popular in the days of self-quarantine and isolation. Scammers like to get their hands on other people's accounts because they can use them to send messages to the victim's contacts, asking for money or gift cards, or to set up further scams. Remember, in this case, the attacker would be able to access group conversations and any new messages that the hijacked account receives.

One way to protect yourself from this possibility is to set up the two-step verification feature that WhatsApp still hasn’t made mandatory. This would make it impossible for others to verify with your account/number on another device, as they would need the personal 2FA PIN for this step, which they would have no way to get. The account re-verification resets every week, so it is crucial to provide a valid email account that would serve as a fall-back means to re-access your account if ever needed. After one month, any re-verification missing the 2FA PIN will result in the deletion of the account and its replacement with a new one, for security reasons.

With the number of people falling victim to WhatsApp authentication code scamming growing quickly, the only way to tackle the problem is through raising awareness. The next time you communicate with your close friends and family, let them know that you would never ask for money or a verification code via WhatsApp or any other chat application. As for WhatsApp itself, maybe it should start promoting 2FA more aggressively, as there's a surge of new users joining the platform for the first time these days.


