How Hackers Take Over WhatsApp Accounts and Ways to Stop Them

0

Shantanu Gupta, noted author, political analyst and founder of The Ramayana School, was on a routine train journey last week when someone tried to hack his WhatsApp account.

“Around 10 AM, my WhatsApp started logging in and out on its own—something that had never happened before. Then, suddenly, I was logged out completely. It seemed like the hacker was trying to access my account from another device. After multiple failed login attempts, WhatsApp asked me to wait four hours. I lost control of my account and the hacker took over,” he told indianexpress.com.

Gupta was stunned by how easily his account was compromised. “All they needed was my phone number and access to the voice OTP, and they could configure WhatsApp on another device,” he said. What shocked him more was how effortlessly the hacker forwarded his call to their own device, giving them access to the voice OTP for WhatsApp. “It’s unsettling that my network provider didn’t even verify or send a warning SMS before allowing such a crucial call to be redirected,” he said.

A scam in action

Gupta’s wife was travelling with him when the hacker took control of his account and started messaging his contacts—demanding money from friends, family, and even his wife. Soon, his phone was flooded with concerned calls and messages. That’s when he used other social media platforms to warn everyone that his WhatsApp had been hacked.

Though he managed to recover his account within a few hours with help from the Noida police, the damage was done. He endured hours of stress, and his reputation was at risk.

Gupta is furious with both Meta and his network provider, Airtel—and rightfully so. Within hours, hundreds of messages asking for money were sent from his account, yet Meta failed to flag the suspicious activity. Lack of direct support from Meta added to his frustration. “If there’s unusual activity in my bank account, I can immediately call my bank. But with Meta? Where do I go? There is no helpline, no support. All I could do was wait four hours and hope I could log back in,” he said.

Gupta wasn’t pleased with WhatsApp either. “How does WhatsApp not have an algorithm to detect when someone is repeatedly using terms like ‘UPI’ and ‘money’ in a short span?” 

Equally frustrated with Airtel for allowing call forwarding without verification, Gupta said, “If my network provider can block spam calls, why can’t they prevent voice OTP hijacking?” 

Gupta now advises everyone to enable two-factor authentication on WhatsApp and, for iPhone users, activate ‘lockdown mode’ in security settings to prevent unauthorised device linking.

A bizarre case of overnight hacking

Manish (name changed), another WhatsApp user, has been facing a strange issue for a week now. Every night, it seems someone else takes control of his WhatsApp account. In the morning, he requests a review from WhatsApp and regains access.

During the night, unusual activity occurs—several WhatsApp groups are created using his number, but he has no idea who the members are. None of their numbers are saved in his contacts. Deleting these groups has become part of his morning routine.

Despite enabling two-factor authentication, nothing seems to work. Manish has finally decided to register a complaint at a local police station.

How WhatsApp accounts get hacked

According to Gautam Kumawat, professional hacker and founder of HackingFlix, WhatsApp hacking is a growing threat, and attackers use social engineering, technical exploits, and SIM-based attacks to hijack accounts.

Here are some common hacking methods:

OTP phishing: Scammers impersonate trusted contacts or WhatsApp support, tricking users into sharing their six-digit verification code.

SIM swapping: Attackers use a new SIM card for a victim’s number, allowing them to take over WhatsApp.

WhatsApp Web hijacking: If an attacker gains brief access to a victim’s phone, they can link the account to WhatsApp Web and maintain remote access.

Call merging scam: A scammer calls you, claiming they got your number from a mutual friend. They then ask you to merge the call with another number, supposedly the ‘friend’. Once merged, you unknowingly connect with an automated WhatsApp OTP verification call. The scammer hears the OTP and gains access to your account.

Stay vigilant

When indianexpress.com reached out, a Meta spokesperson, in an email, responded saying, “WhatsApp continues to invest in technology, safety tools, and resources to help users safeguard themselves from online scams. We advise people never to share their six-digit PIN with anyone—not even friends or family. We recommend enabling two-step verification for added security. Features like ‘silence unknown callers’ help screen out spam and scam calls. We’ve also been running awareness campaigns like ‘Scams Se Bacho’ to educate users and have joined the Safer Internet India coalition to collaborate on strategies to combat cyber fraud.”

Red flags to watch for

Shiv Raj, Additional Superintendent (ASP), Banda district, a cybercrime expert and PPS officer of Uttar Pradesh Police, warned users to look out for the following signs of hacking:

📌Receiving a WhatsApp verification code without requesting one
📌A friend or contact asking for your OTP
📌Unexpected logouts from your WhatsApp account
📌A notification that your number is registered on a new device

“Users should never click on suspicious links or share OTPs. In cyberspace, follow a zero-trust policy—don’t trust anyone blindly. Also, never hand over your device or digital data to anyone,” Raj said.

How to protect yourself

Kumawat and Raj shared tips to safeguard your WhatsApp account:

📌Never merge calls with unknown people
📌Always verify the identity of callers
📌Never share personal details on WhatsApp, even in private chats
📌Avoid clicking on suspicious links
📌Never share OTPs received on your device
📌Enable two-step verification for extra security
📌Use a SIM PIN to prevent unauthorised transfers
📌Regularly check linked devices in WhatsApp Web
📌Enable biometric authentication (Face ID or fingerprint)
📌Restrict privacy settings—hide last seen and profile picture from unknown numbers

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: