
WhatsApp Account Takeover in 2026: How to Stay Safe

Scammers hijack WhatsApp accounts through stolen codes, fake linked devices, and call forwarding. Learn the 2026 tactics and how to lock your account down.

Sam Carter 7 min read

Your phone buzzes with a six-digit WhatsApp code you did not ask for. Moments later, a friend messages: "Sorry, I sent you a code by mistake, can you forward it back?" If you do, your WhatsApp account is gone, and the scammer is now messaging your contacts asking each of them for money. Account takeovers like this are a major scam vector in 2026, and a newer technique called GhostPairing has made them harder to spot. Here is how the hijacks work and exactly how to lock your account down.

Quick answer

WhatsApp takeovers in 2026 almost never break WhatsApp itself; they exploit your six-digit registration code, a malicious linked-device session, call forwarding, or phone spyware. The single best defense is turning on two-step verification (a PIN) under Settings, Account, Two-step verification, since an attacker cannot set or change it. Never forward a verification code to anyone, audit Linked Devices weekly to evict a GhostPairing session, and lock your SIM with a carrier PIN. Those four habits take about five minutes and close every common door.

Key takeaways

  • WhatsApp takeovers in 2026 typically arrive through one of four doors: the six-digit registration code, a malicious linked-device (WhatsApp Web) session, call forwarding that redirects voice verification, or spyware on the phone.
  • The classic scam tricks you into forwarding your verification code to an attacker posing as a friend or "support."
  • GhostPairing lures you to a fake "photo viewer" page that triggers a real linked-device pairing, letting the attacker read your messages, including banking one-time codes, silently.
  • The single best protection is two-step verification (a PIN) in WhatsApp, which an attacker cannot set or change.
  • Never share a verification code with anyone, and check Linked Devices weekly.

How accounts get hijacked

Real WhatsApp hijacks rarely involve "hacking" WhatsApp itself. They exploit the recovery and linking flows, plus human trust.

  • The verification-code scam. WhatsApp confirms your number by texting a six-digit code. An attacker who has your number triggers the code, then, posing as a contact whose account they already stole, or as "support", asks you to forward it. Hand it over and they register your number on their device.
  • GhostPairing. Documented in late 2025 and active into 2026, this campaign sends links (often from already-hijacked accounts) to fake "view photo" pages. Entering your number there can kick off a genuine linked-device pairing flow, quietly attaching the attacker's WhatsApp Web session to your account so they read everything you receive, including banking OTPs, without taking over the primary device.
  • Call forwarding (MMI codes). A scammer calls and talks you into dialing a sequence starting with * or #, which secretly forwards your calls, including WhatsApp's voice verification call, to them.
  • Device spyware. Malware on the phone can read codes and messages directly.

Here are the four doors at a glance, what each one looks like, and the control that shuts it:

| Attack vector | What you see | Control that stops it |
|---|---|---|
| Verification-code scam | A "friend" asks you to forward a code | Never share the code; two-step PIN |
| GhostPairing | A "view photo" page asks for your number | Don't enter your number; audit Linked Devices |
| Call forwarding (MMI) | A caller tells you to dial * or # codes | Never dial codes for a caller; check with carrier |
| Device spyware | Nothing obvious; codes leak silently | Keep the OS updated; remove unknown apps |

Warning

A WhatsApp verification code you did not request is a red flag, not an accident. It usually means someone is trying to register your number on their device and is about to ask you to "send it back." Never forward it.

Lock your account down

    1. Enable two-step verification. In WhatsApp, go to Settings, Account, Two-step verification, and set a PIN. An attacker who somehow gets your code still cannot complete registration without this PIN, and they cannot set or change it.

    2. Protect your SIM and number. Many takeovers chain through SIM swaps or call forwarding. Add a carrier PIN and port-out lock; our SIM-swap protection guide covers the steps.

    3. Audit Linked Devices weekly. Open Settings, Linked devices, and log out any WhatsApp Web or desktop session you do not recognize. This evicts a GhostPairing intruder.

    4. Never share your six-digit code with anyone, not a friend, not "support." WhatsApp will never ask for it.

    5. Do not enter your number on random "view photo" or login pages, and do not follow unsolicited links, even from a trusted contact whose account may be compromised.

    6. Never dial * or # codes at a caller's instruction; that is how call forwarding gets enabled.
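
To show what the * and # sequences in step 6 actually do, here is an added example (not part of the original article) that classifies a dial string and flags the ones that switch call forwarding on. It assumes the service codes standardized in 3GPP TS 22.030 for GSM-family networks; some carriers use different codes, and the function name, verdict labels and sample numbers are made up for illustration.

```python
import re

# Call-forwarding service codes from 3GPP TS 22.030 (assumption: the carrier
# follows the standard; some networks use their own codes instead).
FORWARDING_CODES = {
    "21": "all calls (unconditional)",
    "67": "calls when busy",
    "61": "calls when unanswered",
    "62": "calls when unreachable",
    "002": "all forwarding types",
    "004": "all conditional forwarding",
}
# The leading symbols select the operation applied to the service code.
OPERATIONS = {"**": "register", "*": "activate", "*#": "query",
              "#": "deactivate", "##": "erase"}
MMI = re.compile(r"^(\*\*|\*#|##|\*|#)(\d{2,3})((?:\*[+\d]*)*)#$")

# Constructed sample inputs (fictional 555-01xx numbers).
SAMPLES = ["**21*+12025550143#", "*67*2025550143#", "##002#", "*#21#", "202-555-0143"]


def classify_dial_string(raw):
    """Return (verdict, detail) for a string a caller asks you to dial."""
    s = re.sub(r"[\s\-()]", "", raw)  # drop spaces, dashes and brackets
    m = MMI.match(s)
    if not m:
        if s[:1] in ("*", "#"):
            return "unknown-code", "starts with * or # but is not a standard MMI string"
        return "plain-number", "ordinary phone number"
    op, code, args = OPERATIONS[m.group(1)], m.group(2), m.group(3)
    if code not in FORWARDING_CODES:
        return "other-service", f"{op} service code {code}"
    target = args.split("*")[1] if args else ""
    if op in ("register", "activate"):
        where = f" to {target}" if target else " to a previously stored number"
        return "enables-forwarding", f"forwards {FORWARDING_CODES[code]}{where}"
    return "forwarding-query-or-off", f"{op} forwarding of {FORWARDING_CODES[code]}"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_dial_string(sample))
```

An "unknown-code" verdict is not a clearance: anything starting with * or # that a caller dictates should still be refused and checked with the carrier.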

The "a contact asks for a code or money" pattern is the same trust-exploitation used in deepfake voice scams; agreeing on a family code word for any urgent money request, as we describe in our deepfake voice-clone guide, defeats both. And the fake "view photo" pages are a close cousin of the QR-code phishing ("quishing") and fake-CAPTCHA ClickFix tricks worth recognizing.

If your account is already taken over

Tip

Re-registering your own number kicks the attacker off. WhatsApp only allows one active registration per number, so signing back in with a fresh code logs them out of the primary account.

  • Re-register your number. Reinstall or open WhatsApp and verify with a new code sent to your phone. This logs the attacker out of your account.
  • If two-step verification blocks you, WhatsApp imposes a waiting period before you can reset the PIN without it. Follow the in-app recovery flow.
  • Remove unknown linked devices immediately once you are back in.
  • Warn your contacts that your account was compromised and to ignore any money requests sent in the meantime.
  • Check for SIM swap or call forwarding with your carrier, and turn on two-step verification now if it was not already on.

Frequently asked questions

Someone is asking me to forward a code "sent by mistake." Is it a scam?

Almost certainly yes. This is the most common WhatsApp takeover trick. The code is your registration code, and forwarding it lets the scammer register your number on their phone. Never send it, even if the request appears to come from a friend.

What does two-step verification actually protect against?

It adds a PIN that is required to register your number on a new device. Even if an attacker obtains your six-digit SMS code, they cannot complete the takeover without your PIN, which only you can set or change. It is the single most effective protection.

What is GhostPairing?

A 2026 campaign that abuses WhatsApp's linked-device feature. Victims are lured to fake photo-viewer pages that trigger a real device-pairing flow, silently attaching the attacker's WhatsApp Web session so they can read incoming messages, including one-time banking codes. Checking Linked Devices regularly catches and removes it.

How do I check who is connected to my account?

Open WhatsApp Settings and tap Linked Devices. Review the list and log out anything you do not recognize. Do this weekly; it is the fastest way to detect an unauthorized linked session.

The bottom line

WhatsApp account takeovers in 2026 do not break WhatsApp; they exploit your verification code, your linked-device list, your phone number, and your trust in a familiar name. Turn on two-step verification today, lock down your SIM, audit linked devices weekly, and never, ever forward a six-digit code. Those four habits close every common door, and they take about five minutes to set up.
