You get a WhatsApp message from a contact you trust. They say they accidentally sent their WhatsApp verification code to your number and ask if you received it. You check your SMS inbox. There it is, a six-digit code from WhatsApp. You forward it.
Your WhatsApp goes dark.
Within minutes, your contact list receives messages from "you" asking to borrow money urgently. R500 here. R2,000 there. A family emergency. A broken-down car. Whatever excuse works to get cash fast.
This scam takes 60 seconds. It is one of the most common forms of fraud in South Africa right now. Here we break down what is happening and what you need to do to safeguard yourself from WhatsApp account takeovers.
How the WhatsApp registration code scam works
WhatsApp uses your phone number as your identity on the platform. When you set up WhatsApp on a new device, WhatsApp sends a six-digit SMS code to your registered number to verify ownership. Whoever enters that code on the new device gets full access to your account.
The scam works by tricking you into giving the attacker that code. Here is the sequence, step by step.
- The attacker targets your number. They open WhatsApp on a new device and try to register using your phone number. WhatsApp sends the six-digit verification code to your phone via SMS, exactly as it would in a legitimate setup.
- The attacker contacts you. They use a WhatsApp account that has already been compromised, usually someone in your contact list. The message appears to come from a friend, family member, or colleague. It says something like: "Hey, sorry to bother you. I think my WhatsApp setup code went to your number by mistake. Can you send it to me?"
- You send the code. The request seems believable. The person looks familiar and the story is plausible. So, you share the six digits.
- Your account is theirs. The attacker enters the code on their device. WhatsApp completes registration. You are logged out immediately.
- The scam continues through your contacts. Using your account and your contact list, the attacker sends urgent money requests to everyone you know. Some people pay without question because the message appears to come from you. Others have their accounts hijacked the same way you did.
Why the "friend asking for the code" is always the attacker
There is no technical scenario in which a friend's WhatsApp setup code lands on your phone. WhatsApp only ever sends verification codes to the specific number being registered. Your friend cannot accidentally have their code delivered to you.
Every time someone asks you to forward a WhatsApp code you received, that person is running the scam. Even if the account sending the message belongs to a real person you know, that account has already been taken over.
The message may feel urgent. It will usually include a sympathetic story: a broken phone, a new SIM, a network problem. Ignore the story entirely. The request for the code is the fraud. Full stop.
What to do right now: Tell your family and close contacts about this scam. A five-minute conversation could stop someone from losing their account and their contacts from losing money.
What attackers do once they have your account
Money is the primary goal. Attackers work through your contact list quickly, sending requests that appear to come from you. They target amounts that feel manageable: R300 to R2,000. Smaller amounts generate less hesitation and faster transfers.
Some attackers use your account to compromise other accounts. They run the same code-forwarding scam on your contacts, using your account's credibility. One hijacked account can spread through an entire social network within hours.
If you use WhatsApp for business, the exposure is larger. An attacker with access to your account can read client conversations, impersonate you in supplier dealings, and gather information for Business Email Compromise (BEC) fraud. The financial and reputational damage extends well beyond a single R500 transfer.
What to do right now: If you run a business and use WhatsApp to communicate with clients or suppliers, treat your WhatsApp account security the same way you treat your email security.
How to recover your WhatsApp account
If your account has been hijacked, act immediately. You can take it back.
- Open WhatsApp on your phone and register your number again. Start the setup process as if you are installing WhatsApp for the first time. WhatsApp will send a new six-digit code to your phone via SMS.
- Enter the SMS code. When you enter your code, WhatsApp automatically logs out every other device using your number. The attacker's session ends the moment you complete this step. WhatsApp only allows one active registration per phone number.
- If WhatsApp asks for a two-step verification PIN you did not set, the attacker has added their own PIN to lock you out. Tap "Forgot PIN." If you have a recovery email registered, WhatsApp will send a reset link. If not, WhatsApp imposes a 7-day security lockout before allowing a PIN reset. You will need to wait it out. Your account is recoverable.
- Enable two-step verification immediately after regaining access. This is covered in the next section. Do not skip it.
- Notify your contacts through a different channel. Use a phone call, SMS, or another messaging app. Warn everyone that your WhatsApp was compromised and that any requests for money they received from your account were fraud. Do not rely on WhatsApp alone for this step.
- If contacts have already transferred money, advise them to call their bank's fraud line immediately and report the transfer. The faster they act, the better the chance of a recall. They should provide the recipient account number if they have it, and open a case with SAPS under the Cybercrimes Act.
How to enable two-step verification on WhatsApp
Two-step verification is the single most effective protection against this scam. It adds a PIN to your account. Even if an attacker gets hold of your SMS verification code, they cannot complete the setup without your PIN. They are stopped cold.
This takes two minutes. Do it now, before you finish reading.
- Open WhatsApp. Tap the three-dot menu in the top right corner (Android) or tap Settings at the bottom right (iPhone).
- Go to Account. Tap "Account" from the menu.
- Select Two-step verification. You will see an option to enable it.
- Tap Enable and set a six-digit PIN. Choose a PIN you will remember. Avoid obvious sequences like your birth year or 123456.
- Add a recovery email address. This is essential. If you forget your PIN, WhatsApp uses this email to let you reset it. Without a recovery email, a forgotten PIN means a 7-day lockout.
- Confirm and save. WhatsApp will occasionally ask you to enter your PIN as a reminder. This is normal and intentional.
That is the setup done. You have just made the registration code scam useless against your account.
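To make the mechanism concrete, here is a small Python model of the registration flow described in this article. It is an added illustration, not WhatsApp's own code; the class, method names, phone numbers and PIN are constructed for the example.

```python
import secrets

class RegistrationService:
    """Toy model of the flow this article describes; not WhatsApp's code."""
    def __init__(self):
        self.sms_inbox = {}      # number -> codes delivered to that SIM
        self.pending = {}        # number -> code awaiting entry
        self.active_device = {}  # number -> the one registered device
        self.pins = {}           # number -> two-step verification PIN

    def request_code(self, number):
        # The code goes to the number being registered, whoever asked for it.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        self.sms_inbox.setdefault(number, []).append(code)

    def register(self, number, device, code, pin=None):
        expected = self.pending.get(number)
        if expected is None or not secrets.compare_digest(code, expected):
            return "bad_code"
        saved = self.pins.get(number)
        if saved is not None and (pin is None or not secrets.compare_digest(pin, saved)):
            return "pin_required"  # the SMS code alone is not enough
        del self.pending[number]
        self.active_device[number] = device  # previous device is logged out
        return "registered"

    def enable_two_step(self, number, device, pin):
        if self.active_device.get(number) != device:
            return False
        self.pins[number] = pin
        return True

def simulate(victim_has_pin):
    svc = RegistrationService()
    victim, friend = "+27-000-000-0001", "+27-000-000-0002"  # constructed numbers
    svc.request_code(victim)
    svc.register(victim, "victim-phone", svc.sms_inbox[victim][-1])
    if victim_has_pin:
        svc.enable_two_step(victim, "victim-phone", "482913")  # constructed PIN
    before = len(svc.sms_inbox[victim])
    svc.request_code(friend)  # a friend's genuine setup code goes to the friend only
    friend_code_reached_victim = len(svc.sms_inbox[victim]) != before
    svc.request_code(victim)               # someone else starts registering the victim's number
    forwarded = svc.sms_inbox[victim][-1]  # the victim forwards the SMS they received
    outcome = svc.register(victim, "attacker-phone", forwarded)
    return outcome, svc.active_device[victim], friend_code_reached_victim
```

`simulate(False)` ends with the number registered to the other device; `simulate(True)` stops at the PIN check and the original device stays registered.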
What to do if someone was defrauded using your account
If people in your network sent money based on messages that appeared to come from you, here is what needs to happen.
Each affected person should contact their bank's fraud line immediately. Report the transfer as fraud. Provide the recipient account number if they have it. Banks can sometimes recall funds, but only if reported fast.
Open a case with SAPS under the Cybercrimes Act. This creates a formal record, assists bank investigations, and puts the incident on file. Do not skip this step because the amount seems too small. Reports matter.
As the account holder, you are not financially liable for fraud carried out through your compromised account. That does not mean you should ignore it. Cooperate with any investigations. Provide whatever information you have about when the hijack occurred and what contact details you have for the attacker's device or number.
Do not let embarrassment stop you from reporting. This scam targets people who are careful and trusting. It works because the request looks legitimate. Report it, recover your account, and lock it down properly.
For further guidance on account security, phishing awareness, or if this type of incident has affected your business, visit our phishing awareness toolkit or get in touch directly.