The six-word WhatsApp message that should cause alarm

“Hey, I just found your photo!” is a simple text that shouldn’t set alarm bells ringing when received from a trusted friend, but it might be something far more sinister.

The text comes with a link, and when followed, the website looks similar and familiar. It’s a Facebook verification page, asking for your phone number – WhatsApp then sends you a code, and the page asks you to enter it.

But if you do so, you’ve already lost control of your WhatsApp account – all without any password theft or complicated con.

The attacker is then free to use your WhatsApp to target your contacts or scam people out of money by impersonating you.

The scam, dubbed ‘ghost pairing’ by cybersecurity companies, is the latest in a series of account-takeover scams spreading this year, with many relying on tricking you into entering a PIN code so cybercriminals can take over your account.

How does the scam work?

The scam is spreading rapidly at present, according to cybersecurity firm Avast. It relies on tricking you into using WhatsApp’s own systems to allow the hacker access.

The link in the text may look like a legitimate website from WhatsApp or Facebook, and since both are owned by Meta, they share many systems. But the page is not real; it is a fake made by a hacker.

The scam messages look similar to this, although there are a variety of URLs (Avast).


Cybersecurity firm Malwarebytes says that one warning sign is that the URL contains references to photos or posts – typical ones include:

These URLs are a sign that the website is not authentic, and no personal details should be entered into them.

If a number is entered, WhatsApp then sends a real authentication code, which, if then entered into the fake website, means hackers will now have access to your account.
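The warning signs described above (a link whose host is not a first-party Meta domain, a brand name used in a lookalike host, and a URL that references photos or posts) can be turned into a simple triage check. The following is an added example written for this article, not code from Avast, Malwarebytes or WhatsApp; the trusted domain list, the sample messages and the lure phrase are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: the genuine services the fake page imitates live under these
# domains; any other host that uses their brand name is treated as a lookalike.
TRUSTED_SUFFIXES = ("whatsapp.com", "facebook.com", "meta.com")
BRAND_WORDS = ("whatsapp", "facebook")

# Malwarebytes' warning sign: the scam URLs refer to photos or posts.
SUSPICIOUS_KEYWORDS = ("photo", "post")

# The six-word lure quoted in the article.
LURE_RE = re.compile(r"found your photo", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(message: str) -> list[str]:
    """Return every http(s) URL found in a chat message."""
    return URL_RE.findall(message)


def is_trusted_host(host: str) -> bool:
    """True if the host is one of the first-party domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_link(url: str) -> dict:
    """Flag a link as suspicious when it is off-domain AND shows a scam signal."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path_and_query = (parsed.path + "?" + parsed.query).lower()
    trusted = is_trusted_host(host)
    reasons = []
    if not trusted:
        keywords = [k for k in SUSPICIOUS_KEYWORDS if k in path_and_query]
        if keywords:
            reasons.append("URL references " + ", ".join(keywords))
        if any(b in host for b in BRAND_WORDS):
            reasons.append(f"brand name used in untrusted host {host!r} (lookalike)")
    return {"url": url, "trusted_host": trusted, "suspicious": bool(reasons), "reasons": reasons}


def triage_message(text: str) -> dict:
    """Combine the lure-phrase check with a verdict on every link in the message."""
    links = [classify_link(u) for u in extract_urls(text)]
    return {
        "lure_phrase": bool(LURE_RE.search(text)),
        "links": links,
        "suspicious": any(link["suspicious"] for link in links),
    }


if __name__ == "__main__":
    # Constructed sample messages; the hostnames are placeholders, not real scam URLs.
    samples = [
        "Hey, I just found your photo! https://facebook-verify.example/photo/view?id=1",
        "Look at this https://www.facebook.com/photo/?fbid=1",
        "Interesting read: https://news.example.org/article",
    ]
    for s in samples:
        verdict = triage_message(s)
        print("SUSPICIOUS" if verdict["suspicious"] else "ok", "|", s)
        for link in verdict["links"]:
            for r in link["reasons"]:
                print("   -", r)
```

Links on a genuine first-party domain are never flagged, even when their path mentions a photo, because the article's point is that the scam page only imitates those sites; links on other domains are flagged only when they carry one of the scam signals, so ordinary off-domain links shared by friends do not generate noise.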


The hacker then establishes their device as a linked device on your account, similar to how one links their WhatsApp account to a new phone or laptop.

As soon as this happens, the hacker has unlimited access to your account, can read all your messages, see your images and send messages as if they are you.

This is also how you can receive the message from a trusted contact, even if they’re a friend you message regularly. If they’re sending you a text with a dubious link, they themselves may have fallen prey to the scam.

The scammers are then reading all of their messages and attempting to scam their close contacts, relying on their built-up trust.

The scam page looks like an official Facebook and WhatsApp page. (Gen/Malwarebytes)


Dr Martin Kraemer, cybersecurity expert at KnowBe4, told Yahoo News: “Linking attacks are unfortunately the same as handing an attacker the keys to your front door, granting unlimited access.

“They are a prime example of social engineering, exploiting a legitimate process, which makes them so dangerous and difficult to reverse.”

What should you do if you fall victim?

If you fall victim, immediately revoke the hacker’s access.

The hacker is installed as a linked device on your account, so you should quickly remove all linked devices from your account except the device you’re using at the time.

To do this, go to Settings > Linked Devices and unlink every device.

What can you do to stay safe in future?

Kraemer advises being extremely cautious about links sent in a WhatsApp chat, even from close friends.


If in doubt, contact them via another channel, not WhatsApp, in case their account is compromised.

To protect yourself from other scams, enable two-factor authentication in WhatsApp.

To enable it, tap Account > Two-step verification > Turn on or Set up PIN. This sets up a PIN code, which means it’s harder for criminals to get into your account.

You can also add an email address to the account, which makes it easier to recover in future.