WhatsApp Scam Alert: Essential Tips To Keep Your Account Safe From Hackers

"Sorry, I Mistakenly sent you a 6 digit code via Sms, can you forward it to me? It's urgent. (sic)"

Jasbir Ghosh, a 67-year-old teacher living in the eastern Indian state of Jharkhand’s Jamshedpur, received this message from her first cousin seven days ago. Not realizing what would happen next, Ghosh shared the one-time password (OTP), only to lose access to her WhatsApp account. 

"I was chatting with her in the evening, and then she messaged me asking for an OTP that was apparently sent to my number. Since we spoke in the evening, I sent it to her. Then she sent me another message, asking me to transfer Rs 10,000. I called her, wondering why would she need the money? That's when she told me that her account was hacked. And I instantly realized that my account was hacked too," Ghosh said, recounting the beginning of her ordeal. 

With access to Ghosh’s entire contact list, the fraudster sent messages to her friends, family, and acquaintances asking for money. 

“For two or three days, the hacker had access to 900 contacts I have on my phone—all my neighbors, colleagues, friends, relatives, and acquaintances,” Ghosh said, adding, “A few of my contacts have already sent the OTP, assuming I'm asking for it. The scammer asked people for money as well.”

The messages sent by the scammer to one of Ghosh’s contacts on WhatsApp (Image: Jasbir Ghosh/Accessed by Logically Facts) 

As she filed a complaint with the police and her bank as a precautionary measure, the bank manager told her that the account soliciting money was under a ‘Pankaj Mondal’ based in the eastern Indian state of West Bengal. The manager also said the account had received payments from nearly 700 people in the past few days. Fortunately, nobody in her contacts was swindled out of money. 

But Ghosh is one of the countless people who have been tricked using WhatsApp.

According to a report published by the Ministry of Home Affairs in India, WhatsApp topped the list of platforms misused between January to March 2024, followed by Telegram and Instagram. From January and March 2024, the Indian Cyber Crime Coordination Centre (I4C) received 43,797 complaints of cyber crimes committed through WhatsApp. 

While Meta has not released official user statistics in India since 2020, a Reuters report pegs the Indian WhatsApp user base to over 500 million, the largest in the world.

 

However, these scams are not limited to India. Law enforcement authorities in countries such as Singapore, the U.K., Ireland, and Bermuda, to name a few, have issued advisories warning about scammers trying to access WhatsApp accounts through the OTP route. 

Six digits away from a hack

For 37-year-old Mayumi, a Japanese national living in the southern Indian state of Karnataka’s Bengaluru, the hack came through a Facebook message—a scammer posing as a friend in need. Mistaking it for a genuine request, Mayumi complied and lost access to her WhatsApp account. 

Messages sent to Mayumi on Facebook Messenger and WhatsApp message sent by the hacker from Mayumi's number to another contact. Swipe to see the full conversation. (Source: Mayumi Chiba/Accessed by Logically Facts)

“When you try to get back into your WhatsApp, a message appears that asks you to log in after one hour or two hours, and that number keeps going up,” her husband, Karthik MS, a marketing consultant and entrepreneur in Bengaluru, shared. “What the hacker had done is that he logged into the account using a different device—we could see some Chinese mobile brand name on the login screen—and then the second SMS helped him register his number for two-factor verification key or something, which made it almost impossible for us to get back in immediately,” 

So is OTP the only way to get into somebody’s WhatsApp?

The three-way trap

Ritesh Bhatia, the founder of V4WEB Cybersecurity, a company working on digital investigations and forensics, said that scammers can get into your WhatsApp account in three ways:

1. Identity theft to con your contacts: Pretending to be someone who either knows you or someone you'll believe, scammers request the OTP and get into an account. For example: One could pretend to be a Meta executive and demand the OTP to avoid deactivation or pretend to be a friend who has lost access (just like in Ghosh’s case). Once a scammer can access anyone's WhatsApp account, it’s like a domino effect; it will set in motion a chain reaction. 
2. Tricking the user into enabling call forwarding on your devices: Scammers posing as courier company executives may con users by asking them to dial an OTP on their phone for an order they never purchased. The code, however, will forward the calls to the scammer's number, who can then use the 'verify with a call' option to log into WhatsApp.
3. Planting malware on your phones that clones your device: The third way is to get people to install an APK file (Android Application Package) or malware, usually disguised as an advertisement or an offer. Clicking on the link installs an application on your phone that allows the scammer to clone your device, enabling them to view the OTP sent to your number.

The process to log into WhatsApp (Source: Screenshot/WhatsApp)

The mental toll

While there was no monetary loss for Ghosh or her contacts, she spoke about the mental toll it took on her for a few days. 

“I had to call hundreds of people, warning them not to engage with my WhatsApp account. I was very distressed. I was scolded. People asked me why did I give the OTP? I kept thinking that all my WhatsApp data could be with him; including a few documents that I shared with my daughter or documents that she shared with me. My Aadhaar number, which is also linked to so many other things, we keep it handy on WhatsApp so that if we have to produce it, we can find it quickly. That was my biggest concern,” Ghosh recalled. 

However, data or documents shared via WhatsApp are stored locally on people’s phones and cannot be accessed unless a contact is specifically asked to send them.

At the cyber crime department, the police officials asked her to file an official application detailing her complaint. “The police asked me, ‘How much money did you lose?’ I kept telling them that it’s not a matter of losing money, but all my contacts will be misused and someone else will fall prey to it.” 

Karthik and Mayumi, on the other hand, said they tried raising the issue with Meta but couldn’t find a way to contact any representative to seek help. 

WhatsApp advises people not to share their verification codes with others, and states that the company doesn’t have “sufficient information to identify the individual who is attempting to verify” a WhatsApp account. It adds it can't deactivate an account or say who accessed it— time and location of where and when it was accessed. In case of hacking, WhatsApp recommends reaching out to mobile service providers and blocking the SIM card. 

The redressal mechanism 

Law enforcement authorities advise victims to file a complaint immediately. In India, cyber offenses are handled under various sections of the Information Technology Act of 2000, the Bhartiya Nyaya Sanhita, 2023, and the Protection of Children from Sexual Offences Act, 2012 (POCSO Act). 

Referring to the use of the APK file method, CK Baba, Superintendent of Police in Bengaluru, said that most of the WhatsApp hacks originate through them. 

“It becomes very difficult for us to track it because WhatsApp has end-to-end encryption of chats, and we cannot access the communication between two people. There is an enormous amount of anonymity, so we cannot know where this APK originated. Scammers also mostly use VPNs and foreign services. While in the usual cases, we use digital forensics like ID tracking, tech records, etc, but in these cases, we can't use any of these methods,” he said. 

Baba said that while the scam is at a nascent stage (restricted to people’s WhatsApp accounts and not their data), it has been challenging to crack the cases that end up in financial fraud too.

“If there is an established source where the money has gone, there are sufficient clues and technical aid that we can use to track down the people. However, there are always a lot of intermediaries in such scams. The person of contact or the person receiving the money may not be the main perpetrator. They may not be in India, so jurisdiction issues may pop-up. The account we get details of may be a mule account (bulk accounts opened by scammers) which is shut down immediately after the transaction. We may be able to catch this person, but he or she may not be the main culprit,” Baba said. 

Baba explained that the money is often transferred to other tertiary accounts or converted to other forms such as bitcoins or dollars, making it difficult to follow the money trail. The fact that scammers keep updating and changing their modus operandi is also a challenge, he said. 

People don’t always report these cases because of fear, guilt, and shame, but Baba highlights the need to report these cases immediately (the golden hour) emphasizing on the possibility of a recovery. 

According to the 2022 National Crime Records Bureau (NCRB) data there were a total of 65,893 registered cases of cyber crime in India. A report in the Indian Express, which accessed data compiled by I4C, states that Indians lost a whopping Rs 33,165 crore in the past four years to cyber crimes and fraud, with the total amount in 2024 itself being a massive Rs 22,812 crore. These numbers are not limited to WhatsApp scams but underscore the magnitude of the problem. 

Experts, however, said that more manpower and infrastructure is required to tackle this problem. 

Gautam Mengle, Assistant Vice President and Security Awareness Strategist at CyberFrat, a company that focuses on cyber security, said, “The problem is that you have a law that requires inspector rank officers but nothing has been done to increase the manpower. These are things we have to think about, list out, and address at a systemic level.”

They also recommend that platforms such as WhatsApp take more responsibility. 

“Most of the time, it is the victim who feels it's their mistake. But it is not their mistake. If you ask me, this is the mistake of WhatsApp. Why have you built a technology in such a fashion that any common person can get hacked? I want to tell WhatsApp that when all this is happening, why aren't you making two-step verification compulsory instead of optional?” questioned Bhatia.  

Protect yourself

The current way out is to try to ensure you are not vulnerable to scams or fraud. Bhatia recommended a ‘POV’ approach—Pause, Zero trust by default, and Verify.

“On Instagram, we see a trend of ‘POV’ or point-of-view videos. So I have a ‘POV’ for being cyber secure. 
P stands for Pause—whenever you see a message, video, audio, or text, pause. O also looks like a zero, and O stands for Zero Trust by default. Condition your mind to have zero trust. Could this be fake? The moment you have zero trust, move to the next step. V, which stands for Verify. If you get a message from someone asking for money or a code, just call them up and not on WhatsApp, but a regular call. This is very important,” said Bhatia. 

A few other simple things to remember: 

1. Report the crime immediately. You can dial the national helpline number, 1930, or report the incident on the National Cybercrime Reporting Portal.

2. Never share your OTP with anyone.

3. Usually, scammers thrive on panic and create an artificial sense of urgency, remember to stay calm and think.  

4. Don’t click on suspicious or unknown links. 

(Editor’s Note: Logically Facts has contacted Meta and WhatsApp, but no response was received at the time of publishing this story. The story will be updated if and when we receive a response.)

This report first appeared on logicallyfacts.com, and has been republished on ABP Live as part of a special arrangement. Apart from the headline, no changes have been made in the report by ABP Live.