The 6-digit code scam on WhatsApp strikes again because it exploits the trust we place in our contacts to trick us into handing over the keys to our account.
It returns cyclically, changes shape and continues to claim victims: we are talking about one of the most widespread scams of recent years, the 6-digit code scam on WhatsApp. It is striking because it exploits two very powerful elements: the trust we place in our contacts and the security mechanisms of the app itself, which, with over three billion users worldwide, remains a privileged target for cybercriminals, whose aim is to deceive people into spontaneously handing over the keys to their account.
The mechanism. The scam follows a simple and proven scheme. It begins with a message from a contact in your address book, a contact whose account, however, has already been taken over by the attacker, who therefore has the chat history with the victim at his disposal and can tailor the deception accordingly. For this reason, the text often has a reassuring and personalized tone, for example: “Hi France’, you should have received a code by mistake from WhatsApp, can you send it back to me?”.

Shortly afterwards, or at the same time, an SMS containing a six-digit numeric code arrives on the phone. That code comes directly from WhatsApp: it is the verification code required to activate the account on a new device, and it is the app itself that generates it. It was the fraudster, however, who triggered its sending, by starting the registration procedure with the victim’s number on another smartphone. In other words, the criminal cannot see or intercept that code: he can only convince the victim to hand it over. If that happens, the app’s security check is defeated from the inside and the account immediately passes under the control of the attacker, locking out the legitimate owner.
The weak point. At this point a question arises: how did the scammer take over the account of the friend who sent the first message? In most cases, through exactly the same mechanism. The scam spreads in a chain: a first victim gives up the six-digit code, loses access to his profile and becomes, against his will, the perfect Trojan horse for attacking his own contacts. Further upstream, however, the origin is even more banal: a stolen or lost smartphone without an effective screen lock, or protected by a weak or easily guessable PIN.
The damage. When the scam succeeds, the damage is immediate: the legitimate owner is ousted from the account, while the attacker gains complete access to chats, photos, voice messages and the address book.
From there, the attacker can continue to spread the same “code sent by mistake” request, or go further, forwarding malicious links, requests for money, or tailor-made messages built on real personal information. In the worst cases, the account can remain hijacked for a long time, with the recovery data modified, making it necessary to contact WhatsApp support or report the incident to the authorities.
How to defend yourself. The most effective protection is also the simplest: never share verification codes, even with people you know. A 6-digit code is only meaningful to the person who personally requested it, at that precise moment. It is essential to activate WhatsApp’s two-step verification, which adds a personal PIN that is required whenever the number is registered, and to enable security notifications, which alert you when a contact’s encryption keys change.
If your account is hijacked, you must immediately attempt to re-register it on a new device by entering your number and, if that is not enough, proceed with deactivation and reporting, alerting your contacts so as to break the chain. The scam only works as long as someone lowers their guard; to interrupt the mechanism, it is enough to simply not reply.
