Hackers are hijacking WhatsApp accounts by tricking users into sending verification codes
When a secondary school friend contacted him out of the blue a few months ago asking for a verification code on WhatsApp, administrative executive Tan Jun Heng, 25, did not suspect anything was amiss.
His friend simply claimed to have “accidentally” sent the code to his number.
But within seconds of sending the code, Mr Tan was automatically locked out of his own WhatsApp account.
It had been hijacked.
“I started panicking and tried to log back in, but I ended up competing (virtually) with the hacker for control of the account,” said Mr Tan, who regained control of his account some 24 hours later after writing to WhatsApp.
By then, the hacker had assumed his identity and tricked two of his friends into handing over their verification codes as well.
Mr Tan and his friends are among a growing pool of WhatsApp users who have become victims of social hacking, where scammers use already hijacked social media accounts to contact victims by posing as their friends or family.
Hackers typically request or trick their victims into handing over their WhatsApp security verification codes, which must be entered when registering a mobile phone number for a new phone or device.
They then use the codes to gain full access to their victims’ accounts, which will allow them to exploit the victim’s personal relationships and ask for money from friends or family.
They can also target the victim’s workplace, or sell their victim’s personal information on the dark Web.
The Singapore Police Force has issued multiple warnings of such “takeover” attacks in the past two years.
This does not include unreported cases, which is expected to be a much higher number.
National University of Singapore’s Associate Professor Chang Ee-Chien, whose research interests include data privacy, said the impersonation tactics used by hackers are “very low-tech, but very effective, as people tend to trust their friends or family”.