Govt issues nationwide alert over surge in WhatsApp account hijackings

Pakistan’s National Cyber Emergency Response Team (National CERT) has issued a nationwide advisory warning of a sharp increase in WhatsApp account hijacking incidents, describing the threat as active, widespread and high risk.

According to the advisory, attackers are not exploiting technical vulnerabilities in WhatsApp’s software but are instead using social engineering tactics to gain unauthorised access to user accounts. National CERT said these methods rely on manipulating users into sharing sensitive information or performing actions that compromise account security.

The advisory said common techniques include deceiving users into revealing one-time passcodes (OTPs), manipulating call-forwarding settings, sending phishing links, and circulating malicious QR codes that allow attackers to link victims’ accounts to their own devices. Once hijacked, compromised accounts may be used to impersonate users, defraud contacts, access private communications and spread malicious content.

National CERT warned that the consequences of account hijacking can include identity theft, financial fraud, data exposure, reputational damage and privacy violations. It added that organisations could also be at risk if employees use WhatsApp for official communication, potentially exposing sensitive or confidential information.

The advisory stated that all versions of WhatsApp are affected, including Android, iOS, WhatsApp Business, Web and Desktop platforms. It noted that successful account takeovers typically require user interaction, such as sharing verification codes or scanning QR codes, and said accounts without two-step verification are particularly vulnerable.

To reduce risk, National CERT urged users to enable WhatsApp’s two-step verification feature with a recovery email, regularly review linked devices and avoid sharing verification codes or PINs. Users were also advised to be cautious of urgent messages requesting money or codes and to avoid clicking links in unsolicited messages.

For compromised accounts, the advisory outlined recovery steps, including reinstalling WhatsApp, re-verifying phone numbers and resetting security settings. It said that in some cases, users may face a mandatory seven-day lockout if attackers enable two-step verification without a recovery email.