New WhatsApp hijacking scam steals accounts without OTPs: Here’s how to protect your data, privacy

According to cybersecurity experts, the attack unfolds in a multi-stage process that bypasses WhatsApp’s standard security guardrails.

The WhatsApp GhostPairing attack is essentially a fine example of social engineering.

A terrifying new WhatsApp scam has come to light, threatening to steal accounts without needing OTPs. This comes at a time when homegrown rivals are trying their best to encourage WhatsApp users to switch to their platforms for a safer texting experience. The sophisticated new cyber threat, known as GhostPairing, is targeting WhatsApp users globally, allowing hackers to take full control of accounts without the need for traditional SIM swaps or One-Time Passwords (OTPs).

Unlike previous scams that relied on tricking users into sharing a code, GhostPairing exploits the Linked Devices feature of the messaging platform, making it significantly harder for the average user to detect. The result is account hijacking that affects unsuspecting users and exposes them to further trouble.

WhatsApp GhostPairing scam: How it works

According to cybersecurity experts, the attack unfolds in a multi-stage process that bypasses WhatsApp’s standard security guardrails:

The phishing hook:

Users receive a message—often appearing to be from WhatsApp Support, a known contact, or a high-stakes job offer—containing a link to a fraudulent website.

The fake interface:

The link directs users to a page that mimics the official WhatsApp Web login screen, complete with a QR code.

The pairing trap:

In some variations, the site prompts the user to enter their phone number to verify their account. The attacker then initiates a ‘Link with Phone Number’ request from their own device.

The silent hijack:

If the user follows the instructions on the fake site—thinking they are logging into a desktop version or securing their account—they unknowingly authorise the attacker’s device.

Once paired, the hacker has full access to the victim’s chat history, contacts, and the ability to send messages as the user, all while the original account remains active on the victim’s phone.

Why is it more dangerous than previous scams

Because the hijack happens through the official Linked Devices protocol, it does not trigger a New Login alert that would typically require an OTP. This allows the attacker to remain a ghost on the account for days or weeks, harvesting private data or targeting the victim’s contacts with financial scams.

How to protect your account from WhatsApp GhostPairing

Security analysts recommend the following immediate steps to safeguard against GhostPairing:

– Regularly go to Settings > Linked Devices in WhatsApp. If you see a device you don’t recognize (e.g., Google Chrome – Linux or macOS), log it out immediately.

– Never scan a QR code sent via chat or found on a non-official website to ‘verify’ your identity.

– Set up a custom PIN in Settings > Account > Two-step verification. This adds a layer of protection that even a paired device cannot easily bypass.

– Be skeptical of ‘official’ messages: WhatsApp will never ask you to link a device or scan a code to “upgrade” your security through a chat message.

This article was first uploaded on December twenty, twenty twenty-five, at thirty-one minutes past eight in the night.