Big WhatsApp Scam Warning: ‘GhostPairing’ Lets Hackers Take Over Your Account Without OTP – How To Stay Safe

A new scam has been rolled out in the market targeting WhatsApp users. Through this sophisticated new scam hackers exploit the app’s device-linking feature to gain full access to victims’ accounts. The cybersecurity experts have warned that the campaign, called GhostPairing. This allows attackers to hijack accounts without stealing passwords, SIM cards, or OTPs. 

The GhostParing relies entirely on social engineering, tricking users into approving a malicious device themselves. This method is tough to detect and spread quickly through trusted contacts and raises serious questions about how device pairing features are designed and understood. 

How hackers work 

As per experts and reports, the scam begins with a seemingly innocent message from a trusted contact, such as “Hey, I just find your photo!” The message contains a link that displays a Facebook-style preview inside WhatsApp. 

Clicking the link leads users to a fake webpage resembling a Facebook photo viewer, which prompts users to ‘verify’ before seeing the content. In reality, this step triggers WhatsApp’s official device-pairing process. Users are asked to enter their phone number, after which WhatsApp generates a numeric pairing code. The fake page then instructs users to enter this code in WhatsApp, presenting the process as a routine security check. 

 After entering the code, victims unknowingly approve the attacker’s device. This grants the hackers full WhatsApp Web access, enabling them to read messages, download media, send messages as the victim, and receive new messages in real time, all while the phone continues to function normally, making the breach difficult to notice. 
 

How to stay safe 

To protect against GhostPairing, users are advised to follow these steps 

Cybersecurity experts warn that vigilance is essential, as attacks like GhostPairing exploit human trust rather than technical vulnerabilities.