WhatsApp and Telegram account hijacking: How to protect yourself against scams

We look into every method of hijacking WhatsApp, Telegram, and other messaging accounts – from quishing to fake gifts and viruses, and ways to protect yourself against them.

Protecting WhatsApp and Telegram accounts from hacking and hijacking in 2025

Cybercriminals around the world keep honing their schemes to steal accounts in WhatsApp, Telegram, and other popular messaging apps – and any of us could fall for their scams. Only by becoming a victim of such an attack can you fully appreciate how vital a tool instant messaging has become, and how diverse the damage from hacking a WhatsApp or Telegram account may be. But better not to let it come to that, and to learn to recognize key hijacking scams in order to prevent them in time.

Why hijack your WhatsApp or Telegram account?

A stolen account can be appealing because of its content, access rights, or simply the fact that it’s verified, linked to a phone number, and has a good reputation. Having stolen your Telegram or WhatsApp account, cybercriminals can use it in a variety of ways:

  • To send spam and phishing messages on your behalf to all your contacts – including private channels and communities.
  • To write sob stories to all your friends asking for money. Worse yet – to use AI to fake a voice or video message asking for help.
  • To steal accounts from your friends and family by asking them to vote in a contest, “gifting” them a fake Telegram Premium subscription, or employing some other fraudulent scheme – of which there are many. Coming from someone the recipient knows, messages like this tend to inspire greater trust.
  • To hijack a Telegram channel or WhatsApp community you manage.
  • To blackmail you with the contents of your chats – especially if there’s sexting or other compromising messages.
  • To read your chats quietly, which may have strategic value if you’re a businessman, politician, military or security officer, or civil servant.
  • To upload a new photo to your account, change your name, and use your account for targeted scams: from flirting with crypto investors (pig butchering) to requests from the victim’s boss (boss scams).

Due to this variety of applications, criminals need new accounts all the time, and anyone can become a victim.

WhatsApp, Telegram, and QQ quishing

Scammers used to steal accounts by tricking people into giving them text verification codes (required to log in), or by intercepting these codes. But since this method is no longer as effective, the focus has shifted to trying to link an additional device to the victim’s account. This works best when using phishing schemes based on QR codes – known as quishing.

Attackers either put up their own ads or carefully stick malicious QR codes on top of someone else’s to overlay the legitimate code. They can also print a QR code on a flyer and drop it in a mailbox, post it on a social network or website, or simply send it by email. The pretext can be anything: an invitation to join a neighborhood chat; connect to an office, campus, or school community; download a restaurant menu or claim a discount; or view cinema showtimes or extra information on movies and other events.

The code alone can’t cause your account to be hijacked, but it can lure you to a scam website containing detailed instructions telling you where to click in the messaging app, and what to do after that. The site shows you another, dynamically generated, QR code, which the attackers’ server requests from WhatsApp or Telegram when it asks the service to link a new device to your account. And if you, determined to enjoy every benefit civilization has to offer, decide that another code won’t hurt and follow the instructions, then the device used by the attackers will get access to all your data in the app. In fact, you can see it in the “Devices” or “Linked devices” sections of Telegram or WhatsApp, respectively. However, this attack is designed for those who aren’t very familiar with messaging app settings, and who might not check such submenus regularly. Incidentally, users of QQ, China’s most popular messaging app, are also targeted by similar attacks.

Malicious polls, fraudulent gifts, and girls… undressing

Aside from QR codes, scammers may also attack you by sending seemingly harmless links, such as those for “people’s choice” votes, instant lotteries, or giveaways. On Telegram, they like to mimic the interface used for receiving a Premium subscription as a gift.

Typically, you get to such pages through messages from friends or acquaintances whose accounts have already been compromised by the same scammers. The homepage is always full of catchy phrases like “vote for me” and “claim your gift”.

A variation on the scam involves messages from a “messaging app security service”. You might get contacted by someone using a name like “Security” or “Telegram security team”. They offer to protect your data by transferring your account to a secure account, which involves clicking a link and enabling “advanced security options”.

Lastly, you could get an ad for a service or bot that offers something useful or fun – like an AI chatbot or a… nude generator.

There’s another potential scam scenario for Telegram: since 2018, the service has offered website owners authentication of visitors using the Telegram Login Widget. It’s a real, functioning system, but scammers take advantage of the fact that few people know how this authentication is supposed to work – replacing it with a phishing page to steal information.

In any of these scenarios, once you’re through the enticing landing page, you’ll be asked to “sign in to your messaging app”. This procedure might involve scanning a QR code or simply entering your phone number and the OTP code on the website. This part of the website is typically disguised as a standard WhatsApp or Telegram authentication interface – creating the illusion that you’ve been redirected to the official website for login. In reality, the entire process is happening on the attackers’ own site. If you comply and enter the data or scan the code, cybercriminals will immediately gain control of your messaging app account. Your only reward? Some kind of thank-you message like “your premium subscription will activate within 24 hours” (it won’t; who knew?!).
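Because the fake sign-in page lives on the attackers’ own site, the host name in the link is the one thing it cannot copy. The Python sketch below is an example added here, not code from the article or from either messaging service: it triages a link that asks for a messenger login, and the list of official hosts, the function names and the sample links are all assumptions of the example.

```python
from urllib.parse import urlsplit

# Assumption of this example (the article lists no domains): browser hosts on
# which the real services show their sign-in or device-linking screen.
OFFICIAL_LOGIN_HOSTS = {"web.whatsapp.com", "web.telegram.org", "oauth.telegram.org"}
BRANDS = ("whatsapp", "telegram")


def classify_login_link(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'official', 'suspicious' or 'unrelated'."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops any "user@" prefix and port, and lower-cases the name.
        host = (parts.hostname or "").rstrip(".")
    except ValueError as exc:
        return "suspicious", f"unparseable URL: {exc}"

    if host in OFFICIAL_LOGIN_HOSTS:
        if parts.scheme != "https":
            return "suspicious", "official host name, but not over HTTPS"
        return "official", host
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return "suspicious", "internationalised host name; the official hosts are plain ASCII"
    for brand in BRANDS:
        if brand in url.lower():
            where = "host name" if brand in host else "user-info, path or query"
            return "suspicious", f"'{brand}' in the {where}, but the site is {host or 'unknown'}"
    # No brand in the URL: it does not pose as a messenger, but any messenger
    # login form it shows is still not served by an official host.
    return "unrelated", host


# Constructed sample links (not taken from the article or from real campaigns).
SAMPLES = [
    "https://WEB.WHATSAPP.COM./",                           # case and trailing dot
    "https://web.telegram.org.login-gift.example/auth",     # brand as a subdomain
    "https://web.telegram.org@premium-gift.example/claim",  # brand in the user-info part
    "http://web.whatsapp.com/",                             # right host, no TLS
    "https://t\u0435legram.example/login",                  # Cyrillic "е" in the name
    "https://vote-contest.example/poll?id=7",               # no brand at all
]


def triage(urls):
    """Map each URL to its verdict."""
    return {url: classify_login_link(url)[0] for url in urls}
```

Only the first sample is classified as official; an “unrelated” verdict means the link does not imitate a messenger, not that a login form found there is safe.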

Hacking a smartphone with a fake WhatsApp or Telegram app

An old yet still effective way to hijack accounts is by using trojanized mods; that is – modified versions of messaging apps. This threat is especially relevant for Android users. You can come across ads touting “improved” versions of popular messaging apps on forums, in group chats, or simply in search results. WhatsApp mods often promise the ability to read deleted messages and see the statuses of those who hid them, while Telegram fans are promised free Premium features.

Downloading and installing a mod like this infects your phone with malware that can steal the messaging account along with all the other data on the device. Interestingly, Android users can encounter spyware-infected mods even in the “holy of holies”: the official Google Play store.

What happens to a hijacked Telegram or WhatsApp account?

The fate of your hijacked account depends on the attackers’ intentions. If their goal is espionage or blackmail, they’ll just quickly download all your chats for analysis, and you may not notice anything at all.

If cybercriminals want to send fraudulent messages to your contacts, they’ll immediately delete sent messages by using the “delete for me only” feature to make sure you don’t notice anything for as long as possible. However, sooner or later, you’ll start receiving messages from surprised, outraged, or simply vigilant friends, or you yourself will notice traces of an unauthorized presence.

Another consequence of hacking may be the messaging service’s reaction to the spam. If recipients report your messages, your account may become restricted or blocked – preventing you from sending messages for several hours or days. You can appeal the restrictions by using a special button, such as “Request a Review” in the message from the moderators, but it’s best to first ensure that you have exclusive control over your account and wait at least a few hours afterward.

Telegram treats all devices linked to an account equally, which means scammers can take over your entire account and kick you out by disconnecting all your devices. However, to do this, they’d need to remain logged in unnoticed for a whole day: Telegram has a 24-hour waiting period before one can log out other devices from a newly connected account. If you’ve been locked out of your own Telegram account, read our detailed recovery guide.

On WhatsApp, the first device you use to log in to your account becomes the primary one, and other devices are secondary. This means hackers can’t pull off that trick there.

How to protect yourself from WhatsApp and Telegram account hijacking

You can find detailed instructions on how to secure your Telegram, WhatsApp, Signal, and Discord in our separate guides. Let’s go over the general principles again:

  • Be sure to enable two-factor authentication (also variously known as “cloud password” or “two-step verification”) in the messaging app, and use a long, complex, and unique password or passphrase.
  • On WhatsApp, you can choose a passkey instead of a password. This protection is more reliable.
  • Avoid taking part in giveaways and lotteries. Don’t accept gifts that you didn’t expect – especially if you need to log in to some websites through the messaging app to receive them.
  • Learn how legitimate authorization through Telegram looks, and immediately close any websites that look different. To put it simply, during a legitimate authorization process, all you need to do is click the “Yes, I want to go to such-and-such website” button within the Telegram chat with the bot. No scanning or entering of codes is required.
  • Check your WhatsApp and Telegram settings regularly to see what devices are connected. Disconnect any that look old or fishy.
  • Always use official messaging apps downloaded from trusted sources like Google Play or the App Store, Galaxy Store, Huawei AppGallery, and other major app stores.
  • Be more careful with desktop messaging clients – especially at the office.
  • Use a reliable protection system on all your devices to avoid visiting phishing sites or installing malware.