The message that opens the attack

The message arrives from someone in your address book - a real contact, name and profile photo you recognize. The wording varies, but the spine is consistent:

"Hey, sorry, I sent a code to your number by mistake. Can you send it back? I really need it urgently."

Sometimes the framing is "my code went to your number because I typed wrong" or "WhatsApp glitched, please forward it." The tone reads as flustered and embarrassed. The contact is real, but they are not the one typing. Their WhatsApp was taken over earlier the same way, and the attacker is now using it to harvest the next batch from their contacts. You trust the contact. The attacker exploits exactly that.

What the WhatsApp 6-digit code actually does

WhatsApp's per-device login is one factor: a 6-digit SMS code sent to the phone number being registered. Per the WhatsApp Help Center registration documentation, this verifies the person installing the app controls the SIM. There is no second factor by default. Whoever types the code controls the account.

If an attacker enters your number on a fresh WhatsApp install, WhatsApp sends the code to your phone. Without it, they have nothing. With it, they are logged in as you, and your phone gets logged out because WhatsApp allows one primary device per number. The scam reduces to one move: get the victim to forward that code.

What happens the moment you share the code

Stage 1 - Login on attacker device. The attacker pastes your code into WhatsApp registration on their phone. Your phone shows "Your phone number is no longer registered with WhatsApp on this phone." You can no longer send or receive. The window between code-share and lockout is 5 to 15 seconds.

Stage 2 - Lock you out with a fresh PIN. The first action inside the stolen account is enabling two-step verification with the attacker's PIN. Per WhatsApp's two-step verification documentation, the PIN is then required to re-register. You do not know it. Without a recovery email set originally, the reset is locked behind a mandatory 7-day wait.

Stage 3 - Harvest your contacts. The attacker messages your most frequent contacts with either the same "code by mistake" trick or a cash-grab: "Hey, I am in trouble. Lost my wallet. Can you send R$ 800 by Pix?" Or INR via UPI, GBP via bank transfer, AED via local apps. The relative, seeing the message from the right name and photo, complies before checking.

Action Fraud UK reported WhatsApp impersonation scams cost UK victims over 1.5 million GBP in 2021 alone. India's CERT-In issued advisories on the same pattern. Brazil's Procon agencies have logged "golpe do codigo" as a top consumer complaint since 2022.

Why this hits hardest in India, Brazil, and MENA

In India, Brazil, the UAE, Saudi Arabia, Egypt, and most of MENA, WhatsApp is the primary messaging app, not a secondary one. SMS is for bank OTPs. Email is for work. WhatsApp is the casual default for families. A message from a family member carries the same trust as a tap on the shoulder.

Trust networks are dense - an Indian user might have 200 to 500 active WhatsApp contacts. Each takeover hands the attacker an attack surface of that size. The same density applies in Brazil (WhatsApp groups organize neighborhoods) and MENA (extended family is core social infrastructure). "I am in trouble, please send money" hits hardest when sent to a parent or grandparent who is conditioned to help instantly. Same-day money rails (UPI, Pix, instant bank transfers) settle in seconds and are irreversible.

The 7 red flags that catch every variant

  1. Any unsolicited request to share a code. If you did not just try to log in somewhere, no legitimate person needs your 6-digit code. Not a friend, not your bank, not WhatsApp itself. The code is for you to type into the app, never to forward.
  2. The contact behaves urgently or out of character. A relative who normally types calmly suddenly uses clipped, panicked phrasing. A friend in a different time zone messages at 3am. A tone shift is a red flag because the attacker is usually not a native speaker, and the urgency forces them to skip small talk.
  3. The phrase "by mistake" or "by accident." Real friends do not accidentally send WhatsApp codes to other people - WhatsApp has no feature that does that. The code only goes to the number being registered. "I sent a code to you by mistake" describes a thing that cannot happen.
  4. Urgency or emergency hook. "I need it now," "my dad is in the hospital," "I am about to miss my flight." Urgency exists to short-circuit deliberation. If the only reason for haste is the request itself, that is the scam admitting what it is.
  5. Request to keep it secret. "Do not tell anyone, it is embarrassing." Real friends do not ask you to keep mundane requests private. Secrecy is the scammer building a moat around the lie.
  6. A language shift from the contact's usual style. An aunt who always types a Hindi-English mix suddenly writes in pristine English. A friend who always sends voice notes now sends only text. Style breaks are tells - the attacker controls the text but not the contact's habits.
  7. Follow-up call is impossible or refused. "Let me call you to confirm" met with "I cannot talk right now, please just send the code" - that is the scam. A real contact will get on a call. The attacker will not, because the voices do not match.

You do not need all seven. Any one is sufficient to refuse, pause, and verify through a separate channel.
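The seven flags above, written up as a screening heuristic. This is an added example for this article, not SafeBrowz's scanner or any WhatsApp code: the text-detectable flags are regexes built from the article's own phrasings (a starting point, not an exhaustive rule set), the flags that depend on context only you know (a refused call, a style shift) are passed in as booleans, and the sample messages are constructed.

```python
"""Heuristic screen for the "code sent by mistake" lure (added example, not SafeBrowz code)."""
import re

# One pattern per text-detectable red flag. Phrasings are taken from the
# article's examples; treat the lists as a seed, not a complete rule set.
PATTERNS = {
    # flag 1/3: someone asks you to send, forward or share a code
    "code_request": r"\b(send|forward|share|give)\b.*\bcode\b|\bcode\b.*\b(send|forward|share|give)\b",
    # flag 3: "by mistake" describes something WhatsApp cannot do
    "by_mistake": r"\bby (mistake|accident)\b|\bwrong number\b|\btyped (it )?wrong\b|\bglitch",
    # flag 4: urgency or emergency hook
    "urgency": r"\burgent(ly)?\b|\bright now\b|\bimmediately\b|\bhospital\b|\bmiss my flight\b|\bin trouble\b",
    # flag 5: request to keep it secret
    "secrecy": r"\b(do not|don'?t) tell\b|\bkeep (it|this) (secret|between us|quiet)\b|\bembarrass",
    # flag 7: refusing a confirmation call inside the text itself
    "refuses_call": r"\b(can'?t|cannot) talk\b|\bjust send\b|\bno time to call\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE | re.DOTALL) for name, pat in PATTERNS.items()}


def assess(message: str, *, style_shift: bool = False, refused_call: bool = False) -> dict:
    """Return the red flags that fire for one incoming message plus a verdict.

    style_shift and refused_call are flags 6 and 7 supplied from context
    (the contact's usual habits, how they answered "let me call you").
    """
    flags = [name for name, rx in COMPILED.items() if rx.search(message)]
    if style_shift:
        flags.append("style_shift")
    if refused_call:
        flags.append("refused_verification_call")
    # The article's rule: any single flag is enough to refuse, pause and
    # verify through a separate channel.
    verdict = "refuse_and_verify" if flags else "no_flags"
    return {"flags": flags, "verdict": verdict}


# Constructed sample messages for the example, not real captures.
SAMPLES = [
    "Hey, sorry, I sent a code to your number by mistake. Can you send it back? I really need it urgently.",
    "WhatsApp glitched and my code went to you, please forward it. Don't tell anyone, it's embarrassing.",
    "Dinner at 8 tonight? Bring the photos from the trip.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        result = assess(text)
        print(f"{result['verdict']:18} {result['flags']}  <- {text[:48]}...")
```

The regex layer only sees the message text; the contextual booleans exist because the strongest tells (the contact refusing a voice call, a style break) are not in the words at all, which is why a call through a separate channel remains the decisive check.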

Prevention: turn on WhatsApp two-step verification

The highest-leverage defense is turning on two-step verification before anyone targets you. With it on, sharing the code is no longer game-over - the attacker also needs your custom PIN, which you never share and which is never sent over SMS.

Setup takes 60 seconds: Open WhatsApp -> Settings -> Account -> Two-step verification -> Turn on. Choose a 6-digit PIN that is NOT the same as any bank PIN. Add a recovery email - without one, the PIN reset is locked behind a 7-day wait.

Per the WhatsApp two-step verification documentation, the PIN is required any time the number is re-registered. If an attacker gets your SMS code but not the PIN, the takeover fails. The attacker can social-engineer the SMS code but cannot social-engineer the PIN - there is no plausible cover story for "also send me your private PIN."

Recovery if you already shared the code

Speed matters. The window between code-share and the attacker enabling their own PIN is usually under 30 seconds.

30-second recovery if you act immediately:

  1. Open WhatsApp on your phone and re-register your number. Enter your number, request a fresh SMS code. When you enter the new code, WhatsApp logs the attacker out and you back in. Per WhatsApp's documentation, only one primary device is allowed, so re-registration always kicks the other side out.
  2. Immediately turn on two-step verification. Settings -> Account -> Two-step verification -> Turn on. Set a PIN. Add a recovery email. This blocks the attacker from re-attempting.

The SMS code path is symmetric - whoever enters the latest code wins. If you re-register before they set their PIN, you win.

If the attacker set their PIN first: Request the SMS code, then when WhatsApp asks for the PIN you do not have, tap "Forgot PIN?" If a recovery email was registered, WhatsApp emails a reset. If not, the reset is locked for a mandatory 7-day wait. During those 7 days:

  1. Alert every contact via other channels (SMS, email, Signal, calls) that your WhatsApp is compromised.
  2. Email support@whatsapp.com with subject "Lost or Stolen Phone."
  3. Report to your country's cybercrime portal: cybercrime.gov.in + helpline 1930 (India), Action Fraud 0300 123 2040 (UK), Procon + Delegacia de Crimes Ciberneticos (Brazil), ecrime.ae (UAE).
  4. If relatives sent money, contact their bank within minutes - UPI and Pix transfers can sometimes be reversed if the bank acts fast.
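The race described in the three stages, the prevention section and the recovery steps above, modelled as a small simulation. This is an added example, not WhatsApp's code: it encodes only what the article states (one primary device per number, the latest SMS code wins, a two-step PIN is required on re-registration once enabled, and a PIN reset without a recovery email waits 7 days). The device names, phone numbers and codes are constructed, and the email reset is modelled as instant.

```python
"""Toy model of single-primary-device registration as the article describes it (added example, not WhatsApp code)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

PIN_RESET_WAIT_DAYS = 7  # mandatory wait the article cites when no recovery email is set


@dataclass
class Account:
    primary_device: Optional[str] = None        # exactly one primary device per number
    two_step_pin: Optional[str] = None
    recovery_email: Optional[str] = None
    pin_reset_available_on: Optional[int] = None  # simulated day number


class RegistrationServer:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.pending_codes: dict[str, str] = {}   # number -> latest SMS code issued
        self.day = 0
        self._seq = 0

    def request_code(self, number: str) -> str:
        # Constructed, deterministic codes (real ones are random). The code is
        # delivered to whoever holds the SIM, which is what the scam exploits.
        self._seq += 1
        self.pending_codes[number] = f"{self._seq:06d}"
        return self.pending_codes[number]

    def register(self, number: str, device: str, sms_code: str, pin: Optional[str] = None) -> str:
        acct = self.accounts.setdefault(number, Account())
        if self.pending_codes.get(number) != sms_code:
            return "invalid_code"                 # stale or wrong code: the latest one wins
        if acct.two_step_pin is not None and pin != acct.two_step_pin:
            return "pin_required"                 # two-step verification blocks the takeover
        del self.pending_codes[number]            # single use
        kicked = acct.primary_device
        acct.primary_device = device              # the other side is logged out
        return f"registered:{device};logged_out:{kicked}"

    def enable_two_step(self, number: str, device: str, pin: str, recovery_email: Optional[str] = None) -> bool:
        acct = self.accounts[number]
        if acct.primary_device != device:         # only the logged-in device can set it
            return False
        acct.two_step_pin, acct.recovery_email = pin, recovery_email
        return True

    def forgot_pin(self, number: str) -> str:
        acct = self.accounts[number]
        if acct.recovery_email:
            acct.two_step_pin = None              # reset link by email, modelled as instant
            return "reset_via_email"
        acct.pin_reset_available_on = self.day + PIN_RESET_WAIT_DAYS
        return f"wait_until_day_{acct.pin_reset_available_on}"

    def advance_days(self, days: int) -> None:
        self.day += days
        for acct in self.accounts.values():
            if acct.pin_reset_available_on is not None and self.day >= acct.pin_reset_available_on:
                acct.two_step_pin, acct.pin_reset_available_on = None, None


def scenario_fast_recovery() -> str:
    """Victim forwards the code, then re-registers before any PIN is set."""
    s, n = RegistrationServer(), "+0000000001"     # constructed number
    s.register(n, "victim-phone", s.request_code(n))
    s.register(n, "attacker-phone", s.request_code(n))   # stage 1: victim's phone is logged out
    s.register(n, "victim-phone", s.request_code(n))     # fresh code wins back the account
    return s.accounts[n].primary_device


def scenario_attacker_sets_pin_first() -> tuple[str, int, str]:
    """Stage 2 lands first: returns (victim's first re-register result, days waited, final device)."""
    s, n = RegistrationServer(), "+0000000002"
    s.register(n, "victim-phone", s.request_code(n))
    s.register(n, "attacker-phone", s.request_code(n))
    s.enable_two_step(n, "attacker-phone", "4242")       # attacker's PIN, no recovery email
    first = s.register(n, "victim-phone", s.request_code(n))
    s.forgot_pin(n)                                      # no email on file: 7-day wait
    s.advance_days(PIN_RESET_WAIT_DAYS)
    s.register(n, "victim-phone", s.request_code(n))
    return first, s.day, s.accounts[n].primary_device


def scenario_two_step_preenabled() -> tuple[str, str]:
    """Prevention: the victim set a PIN earlier, so the shared code alone is not enough."""
    s, n = RegistrationServer(), "+0000000003"
    s.register(n, "victim-phone", s.request_code(n))
    s.enable_two_step(n, "victim-phone", "7391", recovery_email="victim@example.invalid")
    result = s.register(n, "attacker-phone", s.request_code(n))  # code shared, PIN unknown
    return result, s.accounts[n].primary_device


if __name__ == "__main__":
    print("fast recovery ->", scenario_fast_recovery())
    print("attacker PIN first ->", scenario_attacker_sets_pin_first())
    print("two-step pre-enabled ->", scenario_two_step_preenabled())
```

The three scenarios are the article's three outcomes in order: re-register within the window and the latest code wins; lose the race to the attacker's PIN and the only path without a recovery email is the 7-day wait; enable two-step verification beforehand and the shared code never gets past `pin_required`.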

Why this scam keeps working

The OTP-share habit is reinforced every day. Users type 6-digit codes into bank apps, UPI, government portals, ecommerce checkouts many times daily. Most default to "if a code arrived and someone is asking, the system is working." Social trust bypasses critical thinking - "Uncle Raj" feels different than a raw phone number. And two-step verification is off by default. The first time the takeover lands, it is too late.

Where SafeBrowz fits

The takeover happens inside the WhatsApp app, outside what a browser scanner can see. The browser layer catches adjacent attacks: fake WhatsApp Web login pages, fake "WhatsApp Pink/Gold" malware downloads, fake account-deletion phishing emails, and the takeover-aftermath where stolen accounts message contacts with phishing links to fake banks, Pix portals, and UPI confirmation pages. SafeBrowz scans every URL before render with a 550+ brand database, credential-kit signatures, and AI content analysis in 100+ languages.

Frequently asked questions

Can someone really hijack my WhatsApp just by getting one code?

Yes. WhatsApp's primary device login is single-factor by default. Sharing the SMS code logs the recipient into your account on their device and logs you out within seconds. This is documented in WhatsApp's security pages and in CERT-In, Action Fraud, and Procon advisories. Two-step verification adds a PIN you control and breaks this attack.

The message came from a real contact. How did they get hacked?

The same way - someone they trusted shared a code earlier in the chain. Each successful hijack gives the attacker 200 to 500 new contacts to target. By the time you receive the "code by mistake" message, the contact has already lost control of their account. The attacker is operating it with their name and photo, but it is not them typing.

I shared the code 30 seconds ago. Is it too late?

Not necessarily. Open WhatsApp on your phone, re-enter your number, request a fresh SMS code. When you enter the new code, WhatsApp logs the attacker out and you back in. The SMS code path is symmetric - whoever enters the latest code wins. The instant you are back in, turn on two-step verification. The window is roughly 30 seconds to 2 minutes before the attacker enables their own PIN and locks you out for 7 days.

My account is locked and the attacker set their PIN. What now?

If a recovery email was registered originally, tap "Forgot PIN" during re-registration and WhatsApp emails a reset. If not, the reset is locked behind a mandatory 7-day wait. During those 7 days, alert contacts via SMS, email, Signal, or calls so they ignore money requests. Email support@whatsapp.com with subject "Lost or Stolen Phone." Report to cybercrime.gov.in/1930 (India), Action Fraud (UK), Procon (Brazil), or ecrime.ae (UAE).

Is two-step verification really enough?

It stops the pure code-share scam completely because the attacker also needs your PIN, which you never share. WhatsApp will never call or text asking for your PIN, SMS code, or any verification info. Per WhatsApp's safety center, all official communications happen inside the app. If anyone asks for the PIN, it is a scam regardless of how they got your number.

Why does WhatsApp not just make two-step verification mandatory?

Mandatory enrollment hits recovery and accessibility problems: users in low-literacy contexts, users who change phones often, users whose recovery email is also compromised. WhatsApp makes it strongly recommended with in-app re-prompts but not required. Turning it on yourself is the only thing inside your control.

Bottom line: The WhatsApp 6-digit code takeover is a single-factor authentication scam dressed up as social embarrassment. The fix is free, takes 60 seconds, and is in your account settings right now. Open WhatsApp, Settings, Account, Two-step verification, turn it on, set a PIN, add a recovery email. If a relative or friend ever messages asking for a 6-digit code "sent by mistake," the answer is always no.