WhatsApp, how to protect yourself from the new six-digit code scam

Online scams are constantly evolving and WhatsApp is not immune to this type of threat. One of the most insidious frauds that returns cyclically is that linked to the six-digit verification code, which allows cybercriminals to take control of victims’ profiles. The scam starts with an apparently harmless message sent by a known contact: “Hi, I sent you a code by mistake, could you send it back to me?”. The message is the first step in stealing the victim’s profile, as the code requested is the six-digit verification code used in WhatsApp two-factor authentication. If the victim provides this code, the hacker can complete the verification and take control of the profile.

The scammer exploits the WhatsApp “change number” function starting from a contact already compromised in the victim’s address book. As his own number he enters that of the compromised contact, while as the new number he enters that of the victim: in this way he manages to send the code in question to the latter. The victim then receives a verification code via SMS. The hacker, posing as the compromised contact, asks the victim to resend the code, claiming it was sent by mistake. Once the code is obtained, the hacker accesses the victim’s profile, changes the account name and photo, and logs out the legitimate owner.

To avoid falling into this trap, it is essential to follow some security measures: first of all, remember that there are no situations in which it is plausible to share the six-digit verification code. Then, it is essential not to share personal information with strangers or in suspicious contexts. It is also important to add an additional level of security by requesting a personal PIN every time you register your phone number on WhatsApp: to do this, simply open WhatsApp and tap the three-dot menu at the top right on Android or the gear below on iOS. Then go to Settings > Accounts > Two-Step Verification.

If you are a victim of this scam, it is important to act quickly: first, try logging back into your account. If you manage to receive the verification code, your access will be automatically restored. If the hacker has already changed the associated number, you may need to deactivate the account. To do this, tap More options. > Settings > Accounts > Delete Account. It is important to immediately report the incident to the Postal Police and inform your contacts to avoid them falling into the same trap.