Social Engineering Attacks Target WhatsApp Verification Codes, Incibe Warns

Cybercriminals are hijacking WhatsApp accounts at record rates with a deceptively simple ploy: getting victims to link their accounts to a second device without their knowledge. The Spanish National Cybersecurity Institute (Incibe) confirmed this week that the scam—dubbed “false double verification”—has surged as attackers exploit WhatsApp’s own security features to steal identities, drain bank accounts, and spread fraud across networks. What makes this attack uniquely dangerous is that victims often don’t realize their accounts have been compromised until it’s too late.

How the scam works—and why it’s spreading faster than ever

The attack begins with a message that appears to come from a trusted contact. The text might read, *“¿Eres tú el de esta foto?”* (“Are you in this photo?”) or *“Mira lo que te han etiquetado”* (“Check what you’ve been tagged in”). When the victim clicks the link, they’re directed to a fake Meta login page—identical to WhatsApp Web or Instagram—that prompts them to “verify” their account by entering their phone number and the six-digit SMS code sent by WhatsApp.

Here’s the critical twist: The victim doesn’t need to transfer their account permanently. By linking their number to a second device—one controlled by the attacker—the fraudster gains full access to messages, contacts, and even payment requests. Worse, WhatsApp’s design masks the intrusion. The victim’s phone still receives notifications, making it seem like nothing’s amiss until the attacker starts sending messages or requests money. According to Incibe’s analysis, over 60% of victims only discover the breach after receiving complaints from contacts about suspicious activity.

This method differs from traditional SIM-swapping attacks, where criminals hijack a victim’s phone number entirely. Instead, it leverages WhatsApp’s multi-device authentication system, which was designed for convenience but has become a backdoor for fraudsters. *“The real danger is that victims often don’t realize their account is linked to a second device until the attacker starts using it,”* says Dr. Elena Martínez, cybersecurity researcher at the Technical University of Madrid (UPM). *“By then, the damage is done—the attacker has full control, and the victim’s only recourse is to revoke access, which isn’t always straightforward.”*

Why this scam is exploding now—and who’s most at risk

The surge in these attacks coincides with two key trends: the rise of WhatsApp Business API integrations and the growing use of shared device access in Latin America and Spain. Incibe data shows that Spain and Mexico account for 40% of reported cases, with victims ranging from small business owners to high-net-worth individuals. *“Criminals target people who frequently receive payment requests or manage multiple accounts,”* explains Javier Rojas, head of digital fraud at BBVA’s cybersecurity division. *“A single compromised account can be used to launch phishing campaigns against hundreds of contacts, creating a multiplier effect.”*

Historically, WhatsApp’s end-to-end encryption made account takeovers rare. But the shift toward cross-platform authentication—allowing users to sync chats across devices—has introduced new vulnerabilities. Meta’s own Business API, used by 200 million businesses globally, has become a prime target. *“Fraudsters exploit the fact that many users don’t enable two-factor authentication,”* says Martínez. *“Once they bypass that, they can mimic the victim’s identity perfectly—even in verified business accounts.”*

Incibe’s warning arrives as WhatsApp’s user base hits 3 billion monthly active users, making it the world’s most widely used messaging platform. The platform’s dominance in regions like Latin America—where 78% of internet users rely on WhatsApp for banking and commerce—amplifies the risk. *“In countries where WhatsApp is the default for everything from bill payments to job applications, losing control of an account can be catastrophic,”* notes Rojas. *“We’ve seen cases where attackers drained savings accounts in minutes by impersonating the victim in group chats with family members.”*

The legal loophole: Why WhatsApp’s response has been slow

Despite the scale of the problem, WhatsApp has not issued a public security advisory about this specific scam. The company’s Security FAQ advises users to “remove linked devices” if they suspect unauthorized access, but critics argue the instructions are buried in dense legalese and lack urgency.

Legal experts point to a 2022 EU Digital Services Act (DSA) compliance gap: While Meta is required to disclose major security incidents, WhatsApp’s encryption policies shield it from liability for account breaches. *“The DSA mandates transparency, but WhatsApp’s end-to-end encryption means they can’t easily track or attribute these attacks,”* says Ana López, digital rights attorney at Access Now. *“This creates a perfect storm—users are left in the dark, and platforms have little incentive to act.”*

In contrast, Apple’s iMessage and Google’s two-factor authentication systems have faced similar challenges but respond faster to fraud reports. *“Meta’s approach to security is reactive, not proactive,”* López adds. *“Until they treat WhatsApp as a financial infrastructure—not just a chat app—they’ll keep falling behind.”*

What to do if you’ve been targeted—and how to lock down your account

If you suspect your WhatsApp account has been compromised, Incibe recommends these immediate steps:

  • Revoke linked devices: Go to WhatsApp Settings > Linked Devices and remove any unfamiliar devices. If the option is grayed out, log out of all sessions via WhatsApp Web.
  • Change passwords: Update passwords for any accounts exposed in your WhatsApp chats (e.g., banking apps mentioned in messages).
  • Contact authorities: File a report with your local cybercrime unit if the attacker made unauthorized transactions. In Spain, this includes the Policía Nacional’s Cybercrime Division.
  • Enable two-factor authentication: Go to WhatsApp Settings > Account > Two-Step Verification and set up a 6-digit PIN. Never share this code via SMS or email.

For prevention, Incibe advises:

  • Avoid clicking links: Even from trusted contacts. Verify suspicious messages via a separate channel (e.g., call the contact directly).
  • Monitor linked devices: Regularly check Settings > Linked Devices for unfamiliar entries.
  • Use a dedicated number: For financial transactions, consider a secondary SIM card for WhatsApp Business API.
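
The lure described earlier (a message from a known contact whose link leads to a page imitating a Meta login) can be screened before anyone clicks. The sketch below is an added example, not code from Incibe or from the article; the allowlist of official domains, the function names and the sample messages are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains treated as genuine WhatsApp/Meta properties.
OFFICIAL = ("whatsapp.com", "wa.me", "facebook.com", "instagram.com", "meta.com")
BRANDS = ("whatsapp", "instagram", "facebook")
# Lure wording quoted in the article, lower-cased for matching.
LURES = ("¿eres tú el de esta foto?", "mira lo que te han etiquetado")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def is_official(host):
    # Exact match or a true subdomain; "evilwhatsapp.com" does not qualify.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def check_url(url):
    """Return a reason string for a non-official link, or None if official."""
    try:
        parts = urlsplit(url.rstrip(".,;:!?)"))   # drop sentence punctuation
        host = (parts.hostname or "").rstrip(".")
        user = (parts.username or "").lower()
    except ValueError:
        return "malformed-url"
    if is_official(host):
        return None
    if any(b in user for b in BRANDS):
        return f"userinfo-decoy:{host}"      # https://web.whatsapp.com@host/...
    if not host.isascii() or "xn--" in host:
        return f"idn-host:{host}"            # possible homoglyph domain
    if any(b in host for b in BRANDS):
        return f"brand-lookalike:{host}"
    return f"unofficial-link:{host}"

def triage(message):
    """Classify one reported message as 'phishing', 'review' or 'clean'."""
    lure = any(p in message.lower() for p in LURES)
    reasons = [r for r in map(check_url, URL_RE.findall(message)) if r]
    imitation = any(not r.startswith("unofficial-link") for r in reasons)
    if imitation or (lure and reasons):
        return "phishing", reasons
    return ("review" if lure else "clean"), reasons

# Constructed sample messages; the .example hosts are placeholders.
SAMPLES = [
    "¿Eres tú el de esta foto? https://web-whatsapp.login.example/verify",
    "Mira lo que te han etiquetado: https://web.whatsapp.com@fotos.example/t",
    "Usa https://web.whatsapp.com/ para abrir el chat.",
    "¿Eres tú el de esta foto? jajaja",
]
if __name__ == "__main__":
    print(*(triage(m) for m in SAMPLES), sep="\n")
```

Substring matching on brand names is a heuristic and will miss lookalikes that avoid the brand string entirely, so a "clean" result is not proof that a link is safe.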

*“The best defense is skepticism,”* says Rojas. *“If a message feels off—even if it’s from someone you know—pause before clicking. Fraudsters are counting on your trust.”*

The bigger picture: Why this scam is just the beginning

This attack is part of a broader trend: cybercriminals are weaponizing legitimate platform features. From Apple’s Find My network to Google’s SMS forwarding, tech companies’ push for convenience has created unintended backdoors. *“The more interconnected our devices become, the harder it is to secure them,”* warns Martínez. *“WhatsApp’s multi-device feature was designed for usability, not security—and now we’re paying the price.”*

Looking ahead, experts predict two key developments:

  1. AI-driven phishing: Attackers will use generative AI to craft hyper-realistic messages, making scams harder to detect. Incibe is already seeing a 300% increase in AI-generated WhatsApp scams since early 2026.
  2. Regulatory pressure: The EU’s Digital Services Act may force Meta to implement stricter account verification, but compliance could take years.

For now, the burden falls on users. *“This isn’t just a WhatsApp problem—it’s a systemic issue with how we trust digital platforms,”* says López. *“Until companies prioritize security over growth, these scams will keep evolving.”*

If you’ve been targeted, share your story in the comments—or better yet, help someone else avoid the trap. The next victim might be closer than you think.

James Carter, Senior News Editor