ScamGuard

🔐 WhatsApp Verification Code Scam

If a 'friend' just messaged you asking for the 6-digit WhatsApp code that arrived on your phone — stop. It's not your friend. Here's exactly how the OTP-hijack scam works, how to recover an account in 5 minutes, and the one setting that blocks it forever.

What ScamGuard checks for

  • Step-by-step OTP hijack explanation
  • 5-minute account-recovery playbook
  • Two-step verification setup walkthrough
  • Real scam example messages to recognise
  • Free verdict on any suspicious request
  • Evidence pack for the police and your bank

How this scam works

  1. Target selection

     Attacker picks your phone number — from a hijacked contact's address book, a leaked database, or a public group.

  2. Registration attempt

     On their device, the attacker opens WhatsApp and enters your number. WhatsApp sends the 6-digit verification SMS to your real phone.

  3. Social-engineering pretext

     The attacker DMs you — pretending to be a contact, a delivery service, your bank, or 'WhatsApp Support' — and asks you to share or 'confirm' the code.

  4. Code handover

     If you share the code, the attacker completes registration on their device. WhatsApp immediately logs you out on yours.

  5. Account takeover and abuse

     Within minutes they're messaging your contacts impersonating you, scraping group chats, and trying to extract money or more codes from other people in your circle.

  6. Lockout via two-step PIN

     If they're sophisticated, they immediately set a two-step verification PIN, which means you have to wait 7 days before WhatsApp will let you reset and reclaim the account.

⚠️ Red flags and warning signs

  • You receive a WhatsApp 6-digit code by SMS you didn't ask for
  • A contact suddenly asks for your verification code
  • A 'friend' says they're locked out and the code was 'sent to you by mistake'
  • WhatsApp suddenly logs you out on your own phone
  • Contacts message you saying they got a strange request from your number
  • Two-step verification reset emails you didn't request
  • Someone tries to add your number to a new SIM (SIM swap warning)
  • Multiple SMS codes arrive in quick succession

Real scam examples

The 'I'm locked out, please forward my code' message

Your cousin (or someone using their account) messages: 'Hey, I'm trying to log back into WhatsApp and the code was sent to your number by mistake — can you forward it?' If you forward the code, you're not helping your cousin — you're handing over your own account to the attacker.

The bank impersonation hijack

A scammer calls pretending to be from your bank's fraud team. 'We're verifying your identity — please read me the 6-digit code we just sent.' That code is actually the WhatsApp verification, not a bank OTP. Banks never ask you to read 6-digit codes back to them.

The 'parcel delivery' OTP relay

An SMS says 'Your parcel has arrived — confirm with the code: 123-456'. The 6-digit number is a real WhatsApp verification triggered by the attacker the moment you click. Nothing about your parcel exists.

The friend-of-a-friend chain

Once an attacker hijacks one account, they message that person's family group asking the same question. The trust of a familiar account in a familiar group dramatically raises the success rate. Whole social circles get rolled up in hours.

The 'WhatsApp Business' lookalike

A profile claiming to be 'WhatsApp Support' or 'WhatsApp Verification Team' messages you saying your account is at risk and asks for the verification code. WhatsApp Support never DMs users — and certainly never asks for codes.

How to protect yourself

  • Turn on two-step verification right now — Settings → Account
  • Add a recovery email so you can reset the PIN if you forget it
  • Never share any 6-digit code with anyone, ever — no exceptions
  • If a contact 'asks for your code', call them on a regular voice line to confirm
  • Set a screen lock PIN on WhatsApp itself (Settings → Privacy → App Lock)
  • Enable SIM-swap alerts with your mobile carrier
  • Don't post your phone number publicly — limit profile visibility
  • Warn elderly relatives explicitly — this scam targets them disproportionately

ScamGuard recommendations

Run a Deep AI Investigation

If your account was hijacked, generate an evidence pack for the police and your bank — wallet addresses, contact list of who was scammed in your name, and a timeline.

Check the requesting number

If a 'friend' is asking for your code, run their number through the phone checker first.

Scan the WhatsApp message

Use the WhatsApp scanner to get an automatic verdict on the request.

Send a screenshot to ScamGuard

Forward a screenshot of the SMS code and the request — our vision AI will confirm in seconds.


Why OTP hijacking is the most underestimated WhatsApp risk

Most people assume WhatsApp's end-to-end encryption protects them from account theft. It doesn't. Encryption protects message content in transit — it has nothing to do with who controls the account. The single weakest link is the 6-digit SMS code, and attackers don't need to break encryption when they can simply convince you to read the code aloud or forward it. The scam is brutally efficient: a single hijacked account becomes a credibility platform to hijack a dozen more, often inside the same family WhatsApp group.

The two-step verification PIN — the one setting that defeats this scam

Two-step verification adds a 6-digit PIN that WhatsApp requires anytime your number is registered on a new device. Even if an attacker tricks you into handing over the SMS code, they cannot complete registration without the PIN. Setting it takes 30 seconds (Settings → Account → Two-step verification) and you'll only ever be prompted for it when you genuinely install WhatsApp on a new phone. Pair it with a recovery email so you can reset the PIN if you forget. If you do nothing else after reading this page, do this.

What to do in the first 5 minutes of a confirmed hijack

  1. Reinstall WhatsApp on your phone and re-register with your number — entering the new SMS code immediately boots the attacker.
  2. If two-step verification was set by the attacker, you'll see a 7-day wait — start it now; the clock only ticks once.
  3. Post in your most active group chat (or call/SMS your top 20 contacts) warning everyone not to act on any money request from your number.
  4. Change the password on any account that uses WhatsApp as a 2FA channel (mostly crypto exchanges).
  5. Open a Deep AI Investigation on ScamGuard to document the incident with timestamps and any wallet/phone artifacts — useful for your bank, the police, and to warn anyone who was scammed in your name.

Frequently asked questions

What is the WhatsApp verification code scam?

Also called the 'WhatsApp OTP hijack' or 'six-digit code scam'. An attacker tries to register WhatsApp using your phone number. WhatsApp sends the 6-digit verification code to your phone by SMS. The attacker then messages you — usually pretending to be a friend whose account is locked — and asks you to forward the code, claiming it was sent to you 'by mistake'. The moment you share it, they take over your WhatsApp account on their device and lock you out.

Why would someone want to hijack my WhatsApp?

Three reasons. (1) They can immediately message everyone in your contact list pretending to be you and ask for urgent money transfers — friends and family trust messages from your number. (2) They can scrape your group chats for sensitive information. (3) They can hold the account for ransom or sell access to other crews.

How do I recognise the scam in real time?

You get an unexpected WhatsApp 6-digit SMS. Almost simultaneously, a contact (or someone pretending to be one) messages you saying 'Hey I'm locked out, I accidentally sent my code to your number — can you forward it?' If those two things happen close together, it's the scam — every time, no exceptions.
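The correlation described above (an unexpected verification SMS followed shortly by a request for a code), together with the "multiple SMS codes in quick succession" red flag, can be written as detection logic. This is an added example, not ScamGuard's or WhatsApp's code; the event format, the regular expressions, the 10-minute window and the burst count of 3 are assumptions, and the sample timeline is constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed patterns (not from the page): what a verification SMS and a
# code request look like. Tune these for the real message sources.
OTP_SMS = re.compile(r"\bwhatsapp\b.*\bcode\b|\bcode\b.*\bwhatsapp\b", re.I)
CODE_REQUEST = re.compile(
    r"\b(forward|send|share|read|confirm|tell)\b.{0,60}\b(code|otp|6[- ]digit)\b", re.I)
WINDOW = timedelta(minutes=10)   # assumed meaning of "close together"
BURST = 3                        # assumed count for "quick succession"

def detect(events, user_requested_code=False):
    """events: (iso_time, channel, sender, text) tuples, in any order.
    Returns a list of (iso_time, finding) alerts."""
    rows = sorted((datetime.fromisoformat(t), ch, s, txt) for t, ch, s, txt in events)
    otp_times, alerts = [], []
    for ts, channel, sender, text in rows:
        if channel == "sms" and OTP_SMS.search(text):
            otp_times.append(ts)
            if not user_requested_code:
                alerts.append((ts.isoformat(), "unsolicited verification SMS"))
            recent = [t for t in otp_times if ts - t <= WINDOW]
            if len(recent) == BURST:
                alerts.append((ts.isoformat(), "burst of verification SMS"))
        elif CODE_REQUEST.search(text):
            # A request for a code is suspicious on its own; paired with a
            # recent verification SMS it matches the hijack pattern.
            paired = any(timedelta(0) <= ts - t <= WINDOW for t in otp_times)
            kind = "OTP hijack pattern" if paired else "code request"
            alerts.append((ts.isoformat(), f"{kind} from {sender}"))
    return alerts

# Constructed sample timeline (not real messages).
SAMPLE = [
    ("2024-05-01T10:00:05", "sms", "WhatsApp",
     "Your WhatsApp code: 123-456. Don't share this code."),
    ("2024-05-01T10:01:30", "chat", "Cousin",
     "Hey, my code was sent to your number by mistake - can you forward the code?"),
    ("2024-05-01T12:00:00", "chat", "Friend", "Are we still on for dinner?"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```
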

What do I do if I already shared the code?

Act in the next 5 minutes. Reinstall WhatsApp on your phone and request a new verification code — entering it kicks the attacker off your account. If they've already enabled two-step verification, you'll have to wait 7 days for the lock to reset, but you'll be re-registering on the correct device the whole time so the attacker eventually gets booted. Tell every contact what happened so they don't fall for impersonation messages from your number.

How do I stop this from happening?

Turn on WhatsApp two-step verification — Settings → Account → Two-step verification → set a 6-digit PIN. Even if an attacker gets your SMS code, they cannot complete registration without the PIN. Add an email address so you can recover the PIN. Never share any 6-digit code with anyone, ever — WhatsApp staff will never ask for it.

Can the attacker see my old messages?

Not the ones already on your phone — those stay end-to-end encrypted on your device. But they will see all new messages and any chats backed up to Google Drive / iCloud if they restore from a backup.

Are 'business verification' code requests safe?

If you didn't request the code, it is never safe to share. Real WhatsApp verification (for a new device YOU control) is something only you initiated.

Does turning on two-step verification slow down login?

Only when you install WhatsApp on a new device — it asks for your PIN once. Day-to-day messaging is unchanged.

Can ScamGuard help recover a hijacked account?

ScamGuard can guide you through the official WhatsApp account-recovery flow, document the incident for your bank if scammers impersonated you, and help warn your contacts via a Deep AI Investigation report. WhatsApp itself runs the account recovery — there is no third-party shortcut.
