A new WhatsApp OTP (one-time password) hack has just been identified in India that enables scammers to take over users’ accounts via a phone call. Whilst scams targeting WhatsApp are nothing new, this one takes advantage of external call forwarding services.

How does this scam work?

Firstly, you will receive a call in which the attacker convinces you to call a number that starts with a specific combination – in this case, 67 or 405, as these are numbers linked to popular call forwarding services in India. By making that call, you have been tricked into forwarding your calls to a number the attacker owns whenever your line is in use.

The attacker then triggers the WhatsApp registration process for your number, requesting to receive the OTP by phone call. As you are currently on the phone to the attacker, your number is engaged, which causes the OTP call to be forwarded to the number held by the attacker. And with that, they’re able to completely hijack your account.

How to avoid becoming a victim

Whilst the scam has currently only been found in India, every country and service provider offers some way to forward calls. That means it’s only a matter of time before examples of this type of scam are found elsewhere. 

As with any WhatsApp scam, to make sure you don’t end up a victim of this type of hack, it’s important to apply common sense security: 

  • Don’t trust anyone you don’t know who asks you to share information or call a specific number. 
  • Always verify someone’s identity independently before acting on a request.
  • Inform yourself about call forwarding services in your country, or with your service provider, so that you can identify this scam quickly in case you’re targeted.
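
As an added example (not part of the original article), the check below shows how a dialer, helpdesk script or device-management policy could recognise a dial string that switches on call forwarding before the call is placed. The standard codes are the GSM call-forwarding service codes from 3GPP TS 22.030; treating the article's 405 prefix as `*405*<number>`, and all function and variable names, are assumptions of this example.

```python
import re

# Call-forwarding service codes defined in 3GPP TS 22.030 (GSM MMI codes).
GSM_FORWARD_CODES = {
    "21": "unconditional",
    "67": "when busy",
    "61": "on no reply",
    "62": "when unreachable",
    "002": "all forwarding",
    "004": "all conditional forwarding",
}
# Carrier-specific prefix named in the article. Assumption: it is dialled
# in the form *405*<number>.
CARRIER_FORWARD_CODES = {"405": "carrier-specific forwarding"}

# "*" activates and "**" registers a forward. Strings starting with "#", "##"
# or "*#" (disable, erase, query) do not turn forwarding on and never match.
MMI = re.compile(
    r"^(?P<op>\*\*|\*)(?P<code>\d{2,3})\*(?P<target>\+?\d+)(?:\*\d*)*#?$"
)

def check_dial_string(dialed):
    """Return details of the forward being set up, or None if there is none."""
    compact = re.sub(r"[\s\-()]", "", dialed)  # ignore spacing and punctuation
    match = MMI.match(compact)
    if not match:
        return None
    code = match.group("code")
    kind = GSM_FORWARD_CODES.get(code) or CARRIER_FORWARD_CODES.get(code)
    if kind is None:
        return None
    return {"code": code, "kind": kind, "forward_to": match.group("target")}

# Constructed sample inputs, not taken from a real incident.
SAMPLES = ["**67*9876543210#", "*405*98765 43210", "##67#", "*123#",
           "+91 98765 43210"]

if __name__ == "__main__":
    for dialed in SAMPLES:
        hit = check_dial_string(dialed)
        if hit:
            print(f"BLOCK {dialed!r}: forwards calls ({hit['kind']}) "
                  f"to {hit['forward_to']}")
        else:
            print(f"ok    {dialed!r}")
```

A hit means the string would redirect incoming calls, including a voice OTP call, to the number in `forward_to`, so it should be confirmed with the user before dialling.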