WhatsApp has completely changed the way users communicate. The fact that 2,000 million people use the service is proof enough. However, it is essential to keep the account protected: when a platform accumulates so much information about users and their contacts, it is inevitable that cybercriminals will think about what they can gain by exploiting it.
Recently, the Civil Guard called attention to a new scam that tricks users in order to steal their account on the “app” owned by Facebook. This is a classic case of phishing, in which the offender uses social engineering to get the victim to share their credentials. These types of attacks are practically the order of the day, and they do not exclusively affect WhatsApp. They are also commonly used to steal passwords for banks, commercial entities and social networks, such as Instagram.
Have you received an SMS like this?
DO NOT ANSWER IT!!!
It is the message with the verification code for the installation. If you provide it to a third party, it will control your account on your device and with it, access to all your groups and contacts #NoPiques https://t.co/mkiaDcCUHc pic.twitter.com/OgUvVgqRtC
– Civil Guard (@guardiacivil) February 11, 2020
This is how the scam works: the criminal, who has previously impersonated one of the victim's contacts, downloads the WhatsApp application on his “smartphone” and enters the phone number of the account he wants to steal. The problem for the criminal is that the messaging “app”, to ensure that the person requesting access is the real owner, sends a six-digit verification code via SMS that is essential to access the platform. Unless the victim's “smartphone” has previously been infected with “malware” (computer virus), these digits are not available to the cybercriminal.
The criminal then only has to deceive the legitimate owner of the account into sharing the code. To do so, he sends a WhatsApp message to the victim posing as one of the victim's contacts. In it, he says that he has mistakenly sent the victim an SMS containing six numbers, and asks the victim to send them back: “Hello, I’m sorry, I sent you a 6-digit SMS code by mistake, can you pass it to me, please? It is urgent”.
Because the request appears to come from a person the victim trusts, it is easy to fall into the trap and end up sharing the information. This poses a great risk, both for the user and for the rest of their contacts. “The offender would have the ability to impersonate the victim and, through his contacts, using social engineering, access much more information, such as his keys to other services,” explains the director of the computer consulting firm Securízame, Lorenzo Martínez.
Two-step verification
To avoid falling into a trap of this type, experts recommend activating two-step verification in WhatsApp. To enable this option, open the “app”, go to “Settings”, access “Account” and activate “Two-step verification”. From then on, the system will require a code whenever your phone number is registered with WhatsApp, such as when you change mobile devices.
In addition, you can associate an email address, which allows WhatsApp to send you a link by email so you can disable two-step verification if you forget the six-digit access code.
It is also important to look carefully at any information before sharing it. If someone asks you for a code, even someone you trust, you must confirm where the request comes from. Indeed, another scam, recently reported by the cybersecurity company Kaspersky, exploits precisely this kind of oversight to steal WhatsApp accounts.
What to do if I have fallen into the trap
If you have fallen for this scam or a similar one, you must register again in WhatsApp with your phone and verify the number by entering the six-digit code that you receive by SMS. Once you have done this, the session of the person with access to your account will be closed automatically.
However, if the offender has activated two-step verification, recovery becomes more difficult. As WhatsApp explains on its website, you will have to wait seven days before you can verify your number without the two-step verification code. After that time, regardless of whether you know the two-step verification code or not, the session of the person with access to your account will be closed as soon as you enter the six-digit code sent by SMS.