WhatsApp account takeover scam: How it works and how to protect yourself


Updated by SCAMSHIELD

Scammers are deceiving victims into sharing their WhatsApp one-time passwords (OTPs), resulting in unauthorised account takeovers. Once they gain access to a WhatsApp account, scammers repeat the same scam on the victim's contacts. No financial losses have been reported, but victims do lose access to their WhatsApp accounts.

🚩 Remember, any request to share a WhatsApp OTP, regardless of who it appears to come from, should be treated as a scam.

Knowing how a scam works is the best way to protect yourself and your loved ones.

How the WhatsApp takeover scam works:

This scam exploits the trust between you and the people in your contact list.

Step 1: You receive an OTP SMS from WhatsApp. The scammer uses your mobile number to log in to your WhatsApp account. This triggers a legitimate OTP SMS to be sent to your phone.

Step 2: Someone in your contacts asks you to forward it. You receive a WhatsApp message from someone in your contact list, whose account has already been compromised. The scammer, posing as this contact, claims their OTP was mistakenly sent to you, and asks you to send it to them.

Step 3: You’re logged out of your WhatsApp account. Once you give them the OTP, the scammer gains full access to your WhatsApp account and logs you out.

Step 4: The scammer poses as you and targets your contacts. The scammer then repeats this process using your account and identity to target your contacts.

Tips to protect yourself:

Never share your OTPs with anyone. OTPs are personal authentication codes intended solely for the recipient. No legitimate contact, platform, or authority will request your OTP under any circumstances.

Enable Two-Step Verification on WhatsApp. This adds a secondary PIN that prevents unauthorised access even if a scammer obtains your OTP. To enable: Settings > Account > Two-Step Verification > Enable.

Review your linked devices. Remove any unrecognised devices immediately. In WhatsApp, go to Settings > Linked Devices. If your account has been compromised, this will remove the scammer's access.

Tell your contacts if your account is taken over. Tell them via a non-WhatsApp channel (e.g. phone call or SMS) to disregard any unusual OTP requests from your WhatsApp.

If you think you’ve been scammed, report it. Make a police report and contact the 24/7 ScamShield Helpline at 1799. Download the ScamShield app to block scam calls and filter scam SMSes.

For more information on scams, visit ask.gov.sg/scamshield. Download the ScamShield app to stay safe from scams.
