NCSC Advisory - WhatsApp Verification Code Scam

Summary:
The National Cyber Security Centre (NCSC) of Ireland is warning of a growing trend in WhatsApp verification code scams targeting users. These scams begin with the actors obtaining the victim’s phone number and entering it into WhatsApp’s login screen. Typically, once the number is entered, WhatsApp sends a verification code to the account owner’s phone as part of its security process. To log in successfully, the actors contact the victim via WhatsApp, pretending to be a friend or family member from the victim’s contact list, and ask the victim to share the verification code. According to the NCSC, this impersonation is possible because the scammer has already compromised the account of someone the victim knows, using the same technique. “The victim, believing they are helping a friend or family member, may share the code without questioning the request. If distracted or caught off guard, the victim is more likely to comply,” stated the NCSC.

Security Officer Comments:
Sharing a WhatsApp security code can give actors full access to the victim’s WhatsApp account, which can then be used to spread the scam or exploit the victim’s contacts. Because the message comes from a ‘trusted contact’, targeted users are more likely to comply with unusual requests and demands. With access to WhatsApp accounts, threat actors could launch targeted phishing attacks against the victim’s contacts and gain access to sensitive information, such as credentials for other platforms on which the victim has an account.

Suggested Corrections:

  1. Keep Your Verification Code Private: Think of your WhatsApp verification code as a secure password. It should never be shared with anyone. WhatsApp will never request this code directly, and neither should anyone else.
  2. Activate Two-Step Verification: Enhance your account security by enabling two-step verification, which requires a PIN in addition to the verification code when accessing your account. You can enable this feature in WhatsApp settings under Account > Two-step verification. For more detailed instructions: https://faq.whatsapp.com/1920866721452534/?helpref=hc_fnav&locale=en_US
  3. Be Cautious of Urgent Requests: Even if a message appears to be from someone you know, be wary of urgent requests for money or sensitive information. Always confirm their identity through a phone call or another trusted method.
  4. Report and Block Suspicious Activity: If you receive suspicious messages or encounter questionable accounts, report them within WhatsApp.

Link(s):
https://www.ncsc.gov.ie/pdfs/2408200156_WhatsApp_Scam_Advice.pdf