Suddenly logged out of WhatsApp? Seeing the message "Your phone number is registered on another device"? Or getting frantic texts from friends saying you asked them for money or a verification code? Your WhatsApp has almost certainly been hijacked — and the good news is that, because WhatsApp ties your account to your phone number, you can usually take it back in minutes. This guide walks you through exactly how, then how to lock it down so it never happens again.
Signs Your WhatsApp Was Hijacked
Confirm what you are dealing with. The usual tell-tale signs are:
- You were logged out without doing anything, and re-opening WhatsApp asks you to verify your number again.
- "Your phone number is registered on another device" appears when you open the app.
- Friends or family report odd messages from you — asking for a 6-digit code, money, gift cards, or a crypto "opportunity".
- Messages you never opened appear as read, or chats and contacts you do not recognise show up in the app.
- You stopped receiving SMS on your phone entirely — a red flag for a SIM-swap attack (see below).
How WhatsApp Accounts Actually Get Taken Over
Understanding the attack tells you how to undo it. WhatsApp's encryption is not "cracked". Instead, attackers exploit how the account is registered:
1. The six-digit code scam (by far the most common)
WhatsApp verifies your number by texting you a 6-digit registration code. An attacker enters your number on their phone, which triggers that text to you. They then message you — often from a hacked friend's account, or posing as "WhatsApp Support" — with a believable story: "I accidentally sent my code to your number, can you forward it?" The moment you send that code, they finish registering your number on their device and you are pushed out.
2. SIM-swap fraud
The attacker convinces your mobile carrier to move your number to a SIM they control (using stolen personal data, or a bribed/socially-engineered store rep). Now the verification SMS goes to them, and they register WhatsApp without ever needing your help. The clue is that your own phone loses signal/SMS.
3. Phishing and fake "WhatsApp Web" pages
A link promises a giveaway, a "verify your account" page, or a QR code to scan. Scanning a malicious QR can link your account to the attacker's WhatsApp Web/Desktop session; entering details on a fake page hands over information used to take the account.
Step 1 — Reclaim Your Number Immediately
This is the core of recovery. Because only one phone can hold a number at a time, re-registering instantly logs the attacker out.
Open WhatsApp and verify your number
If you were logged out, open WhatsApp and enter your phone number. If the app still shows you as logged in but acting strangely, reinstall it from the App Store / Google Play, then enter your number.
Enter the 6-digit SMS code WhatsApp sends you
WhatsApp texts a fresh code to your number. Enter it. This single action kicks the attacker off your account, because the number can only be active on one device. Do not share this code with anyone, ever.
No SMS arriving? You may have been SIM-swapped
If the code never arrives and your phone has lost signal/SMS, call your mobile carrier right away, report the SIM swap, and have your number restored to a SIM you control. Once SMS works again, repeat the verification.
Locked out and panicking? Skip the trial-and-error.
Our certified bilingual tech remotes in, walks you through re-registration and two-step verification, and secures the account on the spot — same day, from $59. No fix, no fee.
Step 2 — If the Hacker Set a Two-Step Verification PIN
A smart attacker turns on WhatsApp's two-step verification, which adds a 6-digit PIN required to re-register the number. This is meant to protect you — but in their hands it blocks you. Here is how it plays out:
- If no recovery email was linked to that PIN: WhatsApp enforces a mandatory 7-day waiting period. After 7 days you can re-register your number without the PIN. It is frustrating, but the account becomes recoverable and the attacker is locked out at the end of the wait. During the wait, the attacker also cannot move your number to yet another device.
- If a recovery email was linked: on the PIN screen tap Forgot PIN? → Send email, and reset the PIN through that email. If the attacker changed the recovery email to their own, you will have to wait out the 7-day period instead.
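The registration rules from the takeover section and from Steps 1 and 2, written as a simplified model to show why a forwarded code is enough without a PIN and not enough with one. This is an added example, not WhatsApp's code or part of the original guide; the Account class, device names, PINs and timestamps are constructed, and the model encodes only the rules stated in this article.

```python
from datetime import datetime, timedelta

PIN_WAIT = timedelta(days=7)  # wait the article gives for a PIN with no recovery email

class Account:
    """Toy model of one number's registration state (assumption, not WhatsApp code)."""
    def __init__(self):
        self.device = None           # only one phone can hold the number at a time
        self.pin = None              # two-step verification PIN, if enabled
        self.recovery_email = None
        self.wait_started = None     # first SMS-verified attempt made without the PIN

    def enable_two_step(self, pin, recovery_email=None):
        self.pin, self.recovery_email = pin, recovery_email

    def register(self, device, has_sms_code, now, pin=None, reset_via=None):
        if not has_sms_code:
            return "rejected: SMS code required"
        if self.pin is not None and pin != self.pin:
            email_reset = self.recovery_email is not None and reset_via == self.recovery_email
            if not email_reset:
                self.wait_started = self.wait_started or now
                if now - self.wait_started < PIN_WAIT:
                    return "blocked: PIN required"
            # PIN bypassed by email reset or by the 7-day wait: old PIN is cleared
            self.pin = self.recovery_email = None
        self.device, self.wait_started = device, None
        return "registered"

def run_scenarios():
    t0 = datetime(2024, 1, 1)        # constructed timestamps and device names
    out = {}
    # A: no PIN. The forwarded code is all the attacker needs; re-registering undoes it.
    a = Account(); a.register("owner-phone", True, t0)
    out["a_takeover"] = a.register("attacker-phone", True, t0)
    out["a_reclaim"] = a.register("owner-phone", True, t0)
    out["a_device"] = a.device
    # B: attacker set a PIN with no recovery email. Owner must wait out 7 days.
    b = Account(); b.register("attacker-phone", True, t0); b.enable_two_step("111111")
    out["b_day0"] = b.register("owner-phone", True, t0)
    out["b_day6"] = b.register("owner-phone", True, t0 + timedelta(days=6))
    out["b_day7"] = b.register("owner-phone", True, t0 + PIN_WAIT)
    # C: owner enabled a PIN first, so a forwarded SMS code alone no longer registers;
    # the owner can still reset a forgotten PIN through the linked recovery email.
    c = Account(); c.register("owner-phone", True, t0)
    c.enable_two_step("482915", "owner@example.com")
    out["c_scam"] = c.register("attacker-phone", True, t0)
    out["c_device"] = c.device
    out["c_reset"] = c.register("owner-phone", True, t0, reset_via="owner@example.com")
    return out
```

Calling `run_scenarios()` returns one status per attempt; scenario C is the reason Step 4 puts two-step verification with a recovery email first.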
Step 3 — Kick Them Off Your Linked Devices
WhatsApp lets your account run on companion devices (WhatsApp Web, Desktop, a second phone). An attacker may be reading your chats through a linked session even after you are back in.
Open Settings → Linked Devices
On Android: tap the three dots → Linked devices. On iPhone: Settings → Linked Devices.
Log out every device you do not recognise
Tap each unknown session and choose Log Out. If in doubt, log out of all of them and re-link only the devices you actually use.
Need This Fixed Right Now?
IT Cares recovers hijacked accounts remotely — usually in 30 minutes or less, from $59. No fix = no charge.
Step 4 — Secure It So It Never Happens Again
Recovering the account is half the job. These steps make a repeat takeover far harder:
Enable two-step verification — with a recovery email
Settings → Account → Two-step verification → Turn on. Choose a 6-digit PIN you will remember and add a recovery email. The email is what lets you (not an attacker) reset the PIN later. This is the single most important protection on WhatsApp.
Add a port-out / transfer PIN with your mobile carrier
Call your carrier and ask for a "port protection" or "number transfer PIN". This blocks SIM-swap fraud — no one can move your number without the PIN, even with your personal details.
Turn on automatic chat backups
Settings → Chats → Backup to Google Drive (Android) or iCloud (iPhone). A recent backup means a future incident never costs you your message history.
Never share a code — and slow down on "urgent" requests
Treat any message asking for a code, money, or gift cards as a scam until verified by a phone call. The urgency is the manipulation.
What the Hacker Does With Your WhatsApp
Speed matters because of what they do once inside:
- Scam your contacts — "I'm stuck, can you send me money / a code?" messages that exploit the trust people have in your name.
- Spread the same code scam to everyone in your chats, hijacking more accounts in a chain.
- Read your conversations — looking for banking details, passwords, or anything sensitive shared in chat.
- Run crypto and investment cons in your name inside group chats where you are trusted.
- Hold the account hostage, especially business numbers, demanding payment to "release" it.
WhatsApp Business Accounts
If a hijacked number is your WhatsApp Business line, the stakes are higher — customers receive scams in your brand's name. Recovery works the same way (re-register the number), but also: review your Business Profile for changes, check any linked catalog or payment settings, notify customers through another channel that you were compromised, and consider moving the number onto the WhatsApp Business API with a provider that adds admin controls. If the number is tied to a Meta Business account, secure that Meta account too (password reset + authenticator-app 2FA).
When to Call IT Cares
Most personal WhatsApp recoveries follow the steps above. Reach out for hands-on help when:
- You suspect a SIM swap and need help coordinating with your carrier and re-securing every account tied to that number (email, banking, social).
- A business number was hijacked and you need it recovered and hardened fast, with minimal customer fallout.
- The same attacker hit multiple accounts (email + WhatsApp + social) and you want a full security clean-up.
- You are stuck in the 7-day PIN wait and want to make sure nothing else on your phone is compromised in the meantime.
IT Cares connects remotely, walks you through every step, removes rogue sessions, sets up two-step verification correctly, and audits the rest of your accounts — same day, anywhere in Canada.
Real Example: How the Six-Digit Code Scam Plays Out
It helps to see the attack in motion, because the recovery makes far more sense once you understand the trick. Here is a composite of cases we see almost weekly:
You get a WhatsApp message from a friend — a real friend, whose account was hijacked an hour earlier. The message is casual and urgent at the same time: "Hey! I'm setting up WhatsApp on a new phone and the verification code got sent to your number by mistake. Can you forward it to me? Sorry, in a rush!" Seconds later a genuine WhatsApp SMS lands on your phone with a 6-digit code. Everything lines up — a known contact, a plausible story, a real code arriving exactly when they said it would. So you send it.
What actually happened: the attacker typed your number into WhatsApp on their device, which is why the code came to you. The instant you forward it, they finish registering your number on their phone and you are logged out. Within minutes they are sending the identical message to everyone in your contact list, and the chain continues. The entire con takes under five minutes and relies on a single moment of trust. Knowing this, the rule writes itself: a code that arrives on your phone is only ever for your phone. No legitimate person or company ever needs you to read it back to them.
WhatsApp Web and Desktop: The Overlooked Backdoor
Reclaiming your number logs the attacker out of the main account, but companion sessions deserve a second look. WhatsApp lets up to four linked devices (WhatsApp Web in a browser, the Desktop app, a second phone) stay connected and read your messages independently. A patient attacker who briefly held your account may have linked their own browser before you recovered — and on some setups a linked session can persist for a while after the phone re-registers.
That is why Settings → Linked Devices is not optional housekeeping; it is part of recovery. Open it and treat every session you cannot personally account for as hostile. If you only ever use WhatsApp on your phone, you should see no linked devices at all — anything there is a red flag. When unsure, tap Log out from all devices and re-link only what you actively use. Also be wary of any "scan this QR code to win / verify / continue" prompt online: scanning a malicious QR is precisely how an attacker links their browser to your account in the first place.
What WhatsApp Support Can — and Cannot — Do
People often expect WhatsApp to have a hotline that instantly restores an account. In reality, WhatsApp support is email-based and deliberately limited, because the recovery is designed to be self-service through your phone number:
- They can help if your number was registered on another device — emailing support@support.whatsapp.com (or using in-app Settings → Help → Contact Us from a working account) with the sentence "Lost/Stolen: Please deactivate my account" will deactivate the number, freezing the attacker out. The account auto-reactivates when you next verify.
- They cannot bypass the two-step verification 7-day waiting period, hand your account to someone who does not control the number, or recover messages that were never backed up.
So the fastest path is almost always the self-service one in Step 1 — re-register the number. Support is a backstop, mainly useful to deactivate a stolen number while you sort out a SIM issue.
How to Warn Your Contacts and Limit the Damage
While you were locked out, the attacker was almost certainly messaging your contacts. Once you are back in, contain it:
- Post a status update and message your most-active chats: "My WhatsApp was hijacked for the last [X] hours. If 'I' asked you for money, a code, or a crypto tip, it was a scammer — please ignore and delete it."
- Check your group chats — attackers often post investment scams in groups where your name carries weight. Delete those messages and tell the group.
- Tell anyone who actually sent money to contact their bank immediately; fast reporting sometimes allows a reversal.
- Report the attacker's number if you can identify it, and report the original hijacked-friend account that messaged you, so the chain can be cut.
Protecting the Family Members Most Often Targeted
Two groups get hit hardest: older relatives, who tend to trust a familiar name and may not know codes should never be shared, and teens, who move fast and tap links. A ten-minute conversation prevents most of it. Walk them through one rule — "never read a code to anyone, ever" — and set up two-step verification with your email as a recovery fallback on their account (with their permission) so a future lockout is recoverable. For a parent or grandparent, also add a carrier port-out PIN on their phone line, since seniors are frequent SIM-swap targets.
WhatsApp Security Checklist — Save This
- Two-step verification on, with a recovery email attached.
- No unknown sessions in Linked Devices.
- Automatic chat backup enabled (Google Drive or iCloud).
- Carrier port-out / transfer PIN set on your phone number.
- Privacy set so your profile photo and "last seen" are not visible to Everyone (reduces targeting).
- A personal rule, shared with family: never forward a verification code to anyone.
Frequently Asked Questions
The most common way is the six-digit code scam: an attacker posing as a friend or as "WhatsApp support" tricks you into sending them the verification code WhatsApp just texted you, which lets them register your number on their phone. Other routes are SIM-swap fraud (the attacker ports your number) and phishing links. WhatsApp's encryption itself is not broken — the attacker relies on getting your code or your number.
You recover the account by re-registering your number, and the six-digit code is sent by SMS to that number. If you still have your SIM, just request a new code. If you were SIM-swapped, get a replacement SIM from your carrier first, then re-register. Whoever controls the phone number controls the account.
If no recovery email was linked, WhatsApp enforces a 7-day waiting period before you can register the number without the PIN. If a recovery email was set, you can reset the PIN through that email immediately. Once you re-register, the PIN the attacker set is cleared.
Re-registering keeps your chats if you have a backup in Google Drive or iCloud (or a recent local backup). Messages exchanged while the attacker controlled the account are usually lost. Turn automatic backups back on right after you recover.
Yes — once you re-register, the attacker is signed out automatically because WhatsApp allows only one phone per number. Then enable two-step verification with a recovery email, remove unknown Linked Devices, add a carrier port-out PIN, and never share a code again.

Comments
Got the classic "hey can you send me the code I texted you by mistake" from a friend's account and stupidly sent it. Locked out two minutes later. Re-registering and entering the new SMS code kicked them straight off — took maybe five minutes. The tip about turning on two-step verification with an email afterwards is gold, wish I'd done it before.
My phone lost all signal and I couldn't get the code — turned out to be a SIM swap. I called IT Cares; they got on a remote session, helped me deal with my carrier to restore the number, recovered WhatsApp, and then checked my email and bank logins because the same number was attached to everything. Huge relief, worth every dollar.