WhatsApp Scam: Protect Your Account from Fake Package Delivery & Code Requests

by Priyanka Patel

A seemingly urgent delivery notification could be a gateway to identity theft on WhatsApp, authorities are warning. Both the Spanish National Cybersecurity Institute (INCIBE) and the Guardia Civil have issued alerts about a growing scam that leverages the platform’s widespread use to compromise user accounts. The core of the deception lies in tricking individuals into surrendering a six-digit verification code, effectively handing over control of their WhatsApp profile to criminals.

The scam typically begins with a phone call from someone posing as a delivery driver. They claim to need a six-digit code, sent via SMS, to “confirm delivery” of a package. Once provided, this code allows the scammer to install WhatsApp on their own device, gaining complete access to the victim’s account. This access can then be used to impersonate the victim, potentially soliciting money or sensitive information from their contacts. The increasing sophistication of these scams, and the potential for significant financial and personal harm, underscores the need for heightened vigilance among WhatsApp users.

How the Scam Works: A Step-by-Step Breakdown

The fraudulent process hinges on social engineering – manipulating individuals into divulging sensitive information. The initial contact, often a phone call, creates a sense of urgency and legitimacy. The “delivery driver” persona is a common tactic, capitalizing on how often many people shop online. Crucially, WhatsApp itself never asks for a verification code over the phone, so any such request is a key indicator of a scam. The six-digit code is designed to secure account access, not to confirm a delivery.

Once the scammer has the code, they can bypass the standard security measures and activate WhatsApp on a new device. This effectively clones the victim’s account, allowing the perpetrator to send messages, access contact lists, and even view previous conversations. The Guardia Civil reports that over 100,000 people have viewed their alert regarding this specific scam, highlighting the growing awareness of the threat.

Protecting Your WhatsApp Account: Two-Factor Authentication is Key

The Guardia Civil strongly recommends enabling two-factor authentication (2FA) on WhatsApp. This adds an extra layer of security beyond a simple password. 2FA requires a second form of verification – typically a code sent to your mobile device, a notification within the app, or an email – to access your account. As Google explains, 2FA significantly hinders unauthorized access even if a password is compromised. It’s a widely recommended security practice for various online platforms, including Google accounts and banking services.

Beyond 2FA, INCIBE advises verifying the phone number of the caller against the official website of the purported delivery company. Any unexpected SMS messages requesting personal information should be ignored and blocked. A healthy dose of skepticism is crucial when receiving unsolicited communications, especially those demanding immediate action.

A Second Scam Variant: Messages from Compromised Contacts

According to Bruno Pérez, a forensic computer expert, another similar scam is circulating. In this version, the fraudulent request for a verification code arrives not as a phone call, but as a text message from a known contact. The message is crafted to appear legitimate, using the same language and tone as the individual it’s impersonating. “As soon as you give them the code they ask for, the cybercriminals access your WhatsApp, change settings and block you,” Pérez explained, with the ultimate goal of using the compromised account to solicit financial assistance from the victim’s contacts.

Pérez recommends a more drastic, but effective, solution: uninstalling WhatsApp, turning off your phone, and then reinstalling the app after restarting it. This rapid action can prevent the scammers from quickly exploiting the compromised account to send fraudulent messages.

What to Do If You’ve Been Scammed

If you suspect you’ve fallen victim to this scam, immediate action is essential. Report the incident to the Guardia Civil via their emergency line, 062, or to the National Police at 091. You can also contact INCIBE through their helpline at 017, via WhatsApp at 900 116 117 (save the number in your contacts first), or through Telegram using the alias @INCIBE017. INCIBE’s Cybersecurity Help service is available 24/7, 365 days a year, providing free and confidential assistance to internet users facing cybersecurity issues.

VerificaRTVE has documented this recurring cyber scam, noting its various iterations and other similar WhatsApp-based fraud attempts. Their reporting highlights the persistent nature of these threats and the importance of staying informed.

Authorities are continuing to monitor these evolving tactics. The next step in combating this fraud will likely involve increased public awareness campaigns and collaboration between law enforcement and WhatsApp to identify and disrupt the scammers’ operations. Staying informed and practicing good digital hygiene – including enabling 2FA and being wary of unsolicited requests for personal information – remains the best defense against these increasingly sophisticated attacks.
