Alert: Your WhatsApp Can Easily Be Hacked Right Now – NCERT Warning

The National Cyber Emergency Response Team (National CERT) of Pakistan has issued an advisory warning users about a surge in WhatsApp account hijacking and unauthorized access incidents, describing the threat as widespread and active.

According to the advisory, attackers are increasingly using social engineering techniques to take control of WhatsApp accounts. This allows them to steal personal data, impersonate users, and defraud contacts through trusted communication channels.

National CERT explained that WhatsApp account ownership is closely linked to SIM card possession and phone number verification. This makes users vulnerable if they unknowingly share verification codes or respond to fraudulent requests. The advisory stated that compromised accounts are often used to ask contacts for money, spread phishing links, and distribute malicious content, leading to financial losses, privacy violations, and reputational damage for individuals and organizations.

The advisory identified several attack methods currently being used, including one-time password (OTP) scams, call forwarding exploits, phishing links, and QR code–based fraud. In these cases, victims are tricked into sharing six-digit verification codes, dialing call forwarding USSD codes, entering their credentials on fake websites, or scanning malicious QR codes that link their WhatsApp accounts to devices controlled by attackers.

National CERT also listed several warning signs of account compromise. These include unexpected logouts, unrecognized messages being sent from a user’s account, unknown devices appearing in the “Linked Devices” section, unsolicited two-step verification prompts, and unexplained call forwarding activation. Users experiencing any of these signs were advised to act immediately to prevent further misuse.

The advisory outlined an official recovery process for affected users. It stated that reinstalling WhatsApp and re-verifying the phone number can immediately remove attackers from the account. However, if attackers activate two-step verification without setting a recovery email, users may face a mandatory seven-day lockout period. During this time, neither the victim nor the attacker can access messages. After the lockout, full control can be restored by setting a new PIN.

National CERT urged all WhatsApp users to enable two-step verification with a recovery email, regularly check linked devices, and never share verification codes or PINs. For organizations, it recommended employee awareness training, strict verification procedures for financial requests, and stronger incident response measures. The advisory warned that WhatsApp-based attacks can expose sensitive business communications if not properly addressed.

Published by
ProPK Staff