A new WhatsApp scam is making waves on social media, with users reporting that they are being logged out of their accounts and losing access to all their messages, contacts, and media. The scam involves cybercriminals tricking users into handing over their one-time passwords (OTPs), giving them full control over the victim’s account.

Several users on X described their experiences with this scam, which begins with a WhatsApp message from a friend, family member, or acquaintance already in their contact list. The message asked the user to check for an OTP or verification code that was sent to the user by mistake, and requested that they share it back over WhatsApp.

Trusting the sender, many users retrieve the OTP and send it over without realising they are handing cybercriminals the key to their WhatsApp account. Moments later, they are logged out of all their devices, and regaining access becomes a challenging task.

This scam is a form of phishing. The attacker gains control of a user’s WhatsApp account and then uses their contact list to target new victims. When a victim shares the requested OTP, the attacker uses it to verify a login attempt, locking the victim out of their own account. Once in control, they continue the cycle by messaging the victim’s contacts and repeating the scam.

By the time users realise their accounts have been hijacked, the cybercriminals might have already scammed multiple others.

How to protect yourself

Follow these security measures to safeguard your WhatsApp account from this growing scam:

–              Never share OTPs or verification codes with anyone, even if the request comes from a trusted contact.

–              Be sceptical of unusual requests. If a friend or family member suddenly asks for an OTP, verify their identity through a phone call or another platform before responding.

–              Enable two-step verification in WhatsApp settings to add an extra layer of security.

–              Ignore and report suspicious messages directly to WhatsApp/Meta.

–              Let OTPs expire if you receive them unexpectedly. They can be regenerated later, in a secure environment.                 Source: TNS