ISLAMABAD: Pakistan has issued a nationwide cyber alert after a sharp increase in WhatsApp account hijackings, warning that the attacks are widespread and affecting users across all age groups and professions.
In an advisory, the National Cyber Emergency Response Team said hackers are not exploiting technical flaws in WhatsApp itself but are instead relying on social engineering tactics that manipulate users into giving up access to their accounts.
According to the alert, attackers commonly trick users into sharing one-time passcodes, alter call-forwarding settings, send phishing links, or circulate malicious QR codes that link victims’ WhatsApp accounts to other devices. Once compromised, these accounts are often used to impersonate the victim, scam contacts, access private conversations, and spread harmful content.
The advisory warned that the consequences of account hijacking can include identity theft, financial losses, data exposure, reputational harm, and serious privacy violations. It also highlighted risks for organisations whose employees use WhatsApp for work, noting that sensitive business information could be exposed or misused.
National CERT said all versions of WhatsApp are vulnerable to these attacks, including Android, iOS, WhatsApp Business, Web, and Desktop. The threat level has been classified as high, with officials stressing that most successful breaches require user interaction, such as sharing a verification code or scanning a QR code. Accounts without two-step verification are particularly at risk.
Users have been urged to enable WhatsApp’s two-step verification with a recovery email, regularly review linked devices, and never share verification codes or PINs. The advisory also cautioned against responding to urgent messages requesting money or codes and advised avoiding links from unknown or unsolicited sources.
For users whose accounts have already been compromised, National CERT outlined a recovery process that includes reinstalling WhatsApp, re-verifying the phone number, and resetting security settings. In cases where attackers activate two-step verification without a recovery email, victims may face a mandatory seven-day lockout before full access is restored.
The cyber authority advised affected users to immediately inform their contacts, report the incident to WhatsApp, and closely monitor for signs of financial fraud or data misuse, urging the public to remain vigilant as cybercriminal tactics continue to evolve.




















