Tue, 9 Oct, 2018
Danielle McCarthy

Warning: WhatsApp voicemail scam gives hackers access to your account

A worrying new WhatsApp hack allows cyber criminals to access victims’ accounts via their voicemail inbox.

According to Naked Security, a blog run by British security company Sophos, scammers are attempting the attacks at night so they can take advantage of the app’s six-digit verification code.

The attacks have become so prevalent that Israel’s National Cyber Security Authority issued a nationwide warning.

Hackers start the scam by installing WhatsApp on their own phone using a legitimate user’s phone number.

To verify the login attempt, WhatsApp sends a six-digit verification code via text message to the victim’s telephone.

However, hackers are carrying out this scam at night, so victims are most likely sleeping rather than checking their phones.

WhatsApp then allows the hacker to have the six-digit verification code sent via a phone call with an automated message.

As the victim is not on their phone, the message ideally goes to voicemail.

The cyber criminal then exploits a security flaw in many telecommunication networks which allows customers to use a generic phone number to call and retrieve their voicemails.

For many mobile phone owners, only a four-digit PIN is required to access their voicemails – which, if they haven’t changed it, is commonly 0000 or 1234 by default.

Hackers will then enter the PIN and gain access to the victim’s voicemail inbox, allowing them to retrieve the WhatsApp message containing the six-digit code.

Once the scammer enters the code into their own phone, they have complete access to the victim’s WhatsApp account.

To avoid being hacked, it is recommended that users turn on two-factor authentication on their account, adding an extra layer of security.

“Using application-based 2FA ... mitigates a lot of the risk, because these mobile authentication apps don’t rely on communications tied to phone numbers,” Sophos researchers explained. 

This can be done by navigating to Settings in WhatsApp, then tapping ‘Account’.

Users must then press on ‘Two-step verification’ and tap ‘Enable’.

Experts also encourage users to have a strong PIN on their voicemail inbox.
