Despite WhatsApp's end-to-end encryption and other security features, accounts on the platform can be hacked. Cybercriminals employ a variety of methods like social engineering, telecom fraud, and malware to target individual users rather than the app itself. They exploit loopholes in phone carrier systems and vulnerabilities in devices to hijack accounts. Compromised accounts are used to access private messages, impersonate users to scam contacts and extort money, and even to spread malware. Users in India are particularly vulnerable due to the enormous user base of more than 500 million and the prevalent use of mobile phone numbers for banking and UPI transactions.

Here is what you should know to keep your WhatsApp account safe:

SIM Swapping or Port-Out Fraud

One of the most common methods worldwide, SIM swapping involves attackers impersonating victims to telecom providers, tricking or bribing staff, or using forged documents to transfer the victim’s phone number to a new SIM card. This gives them control over the number. The attackers receive all SMS and voice verification codes for WhatsApp and other services.

This is highly prevalent in India, particularly in Delhi, Uttar Pradesh, Pune, and Mumbai. This method has been used for large-scale banking and UPI fraud. This form of attack has also been reported in the US and UK, often linked to crypto theft and financial scams.

How to stay safe: Set a SIM card PIN or port-out password with your carrier. Monitor for unexpected service loss. Where available, request a “port freeze” protection.

Verification Code Phishing Through Social Engineering

Attackers trick users into sharing the SMS verification codes sent by WhatsApp during login attempts. They impersonate friends, family, WhatsApp support, or banks using urgent or emotional appeals.

This fraud is common in India. Once attackers gain access to users' contact lists, they launch chain scams that often demand money from the users’ contacts. In the UK and Europe, a so-called “Hi Mum” scam, in which attackers posed as family members in distress, led to over £1.5 million in losses.

How to stay safe: Never share verification codes with anyone. Enable WhatsApp two-step verification by following this path: Settings > Account > Two-step verification.

Call Forwarding Exploitation

In this fraud, scammers trick victims into dialling codes like `21` followed by the attacker’s number under false pretences, such as delivery verification. This enables call forwarding, so the victim's incoming calls, including WhatsApp voice verification calls, go to the attacker.

In India, such cases have been reported in Pune, Mumbai, and Delhi-NCR. Similar schemes were reported in the US and EU.

How to stay safe: Check your call forwarding status using `*#21#` and disable forwarding with `##21#`. Avoid dialling unsolicited codes.
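
The advice to avoid unsolicited codes can be turned into a check that runs before anything is dialled. This added example, which is not from the original article, parses a dial string using the standard GSM prefix-and-service-code layout and reports whether it would turn call forwarding on or only query or clear it. The function names and the sample phone number are constructed for illustration.

```python
import re

# Call-forwarding service codes in the standard GSM dial-code (MMI) scheme.
FORWARDING_SERVICES = {
    "21": "unconditional",
    "67": "when busy",
    "61": "when unanswered",
    "62": "when unreachable",
    "002": "all forwarding",
    "004": "all conditional forwarding",
}

# The prefix before the service code decides what happens to the service.
PREFIX_ACTIONS = {
    "**": "register", "*": "activate", "*#": "query",
    "#": "deactivate", "##": "erase",
}

# prefix, 2-3 digit service code, optional *-separated parameters, closing #
MMI_PATTERN = re.compile(r"^(\*\*|\*#|##|\*|#)(\d{2,3})((?:\*[+\d]*)*)#$")


def classify_dial_code(dialled):
    """Return (action, service, target) for a call-forwarding code, else None."""
    compact = re.sub(r"[\s\-()]", "", dialled)  # drop spaces and punctuation
    match = MMI_PATTERN.match(compact)
    if not match:
        return None
    prefix, service_code, params = match.groups()
    if service_code not in FORWARDING_SERVICES:
        return None  # some other service code, e.g. *#06#
    fields = params.split("*")[1:]  # first parameter is the forward-to number
    target = fields[0] if fields and fields[0] else None
    return PREFIX_ACTIONS[prefix], FORWARDING_SERVICES[service_code], target


def is_risky(dialled):
    """True if dialling the code would switch forwarding on or set a target."""
    result = classify_dial_code(dialled)
    return result is not None and result[0] in ("register", "activate")


if __name__ == "__main__":
    # Constructed samples; 9000000000 is a placeholder, not a real number.
    for code in ("*#21#", "##21#", "**21*9000000000#", "*#06#"):
        print(code, classify_dial_code(code), "RISKY" if is_risky(code) else "ok")
```

The two codes recommended above, `*#21#` and `##21#`, classify as a query and an erase, so neither is flagged.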

QR Code Phishing or 'Quishing' for WhatsApp Web

Hackers send fake QR links leading to malicious websites. Once the victim scans them, the attacker can access the user’s WhatsApp Web session.

This fraud has been reported in Indian tech hubs like Bengaluru, and has been linked to job scams. In the US and Europe, users have been tricked with meeting invites or fake links.

How to stay safe: Only scan QR codes from the official WhatsApp Web site (web.whatsapp.com). Regularly check and log out from unknown devices under Linked Devices in Settings.

Malware and Spyware Infection

Malicious apps, trojans, or advanced spyware like Pegasus and Paragon installed on the victim’s phone can steal WhatsApp messages, verification codes, or control the device remotely.

There were more than 90 reported spyware infection cases in 2025, targeting journalists and activists. Globally, such spyware campaigns and ransomware attacks have been reported in Europe and the US.

How to stay safe: Avoid installing apps from unknown sources. Keep your operating system and WhatsApp updated, and use reputable antivirus software.

Voicemail Hacking

When WhatsApp verification calls are missed, the code might be left in voicemail. Attackers who hack voicemail systems with default or weak PINs can retrieve these codes.

This crime has been reported in rural areas of India like Banda district in Uttar Pradesh, as well as in countries like the UK and Switzerland.

How to stay safe: Set strong voicemail PINs. Regularly check for unauthorised access to voicemail.

Linked Platform Exploits Such as Facebook Impersonation

Hackers have compromised linked accounts from Meta (which owns WhatsApp, Facebook, and Instagram) to phish WhatsApp codes or send malicious group invites. This is often used for crypto extortion.

In India, Kolkata has reported such scams. Similar impersonation was reported from Singapore.

How to stay safe: Secure your linked accounts in the Meta ecosystem with strong passwords and two-factor authentication. Avoid suspicious invites.

Physical Access or Device Cloning

Fraudsters can use stolen or lost phones to restore backups or clone SIM cards, gaining access to WhatsApp data.

This is common in urban thefts in India’s Mumbai and Delhi. Travel scams have been reported across the world using such device cloning techniques.

How to stay safe: Use biometric locks such as fingerprints, and strong PINs. Enable remote logout from WhatsApp Web sessions.

Account Takeover via Cloud Backups

Attackers can exploit vulnerabilities in cloud backups on Google Drive or iCloud. They can restore chats if backup encryption (which is optional and must be manually enabled) is not turned on.

How to stay safe: Enable end-to-end encrypted backups in WhatsApp settings. Secure your cloud accounts with strong passwords and multi-factor authentication (MFA).

Fake or Modified WhatsApp Apps

Using unofficial WhatsApp clients or downloading APKs can lead to leaked credentials through backdoors.

How to stay safe: Download WhatsApp only from official sources like Google Play, Apple App Store, or via web.whatsapp.com.

What are the signs that your WhatsApp account may be compromised?

Check for the following:

You are unexpectedly logged out or receive a “registered on a new device” alert.

You receive unsolicited verification codes.

Unknown messages are sent from your account, or you are added to groups you didn’t join.

Friends report receiving strange messages or money requests from your number.

You see unrecognised logins in the Linked Devices section.

Messages appear as read (blue ticks), even though you didn’t open them.

What to do if your account is hacked

1. Immediately re-register WhatsApp on your phone using your number to log the attacker out.

2. Notify your contacts via another platform that your account was compromised.

3. Report the incident to WhatsApp through in-app support.

4. Contact your mobile operator if you suspect SIM swap or port-out fraud.

5. Change passwords and enable MFA on your associated email and cloud accounts.

6. File a cybercrime complaint with local authorities. (In India, visit: cybercrime.gov.in)

