WhatsApp & SMS Scams: Hijacked Accounts and Spoofed Messages
Messaging scams exploit the trust we place in WhatsApp and SMS. Some hijack your account to impersonate you to your contacts; others spoof a brand's sender ID or send links that install malware or steal logins.
Because messages appear to come from people or organisations you know, these scams are highly persuasive. The defences are practical: protect your verification codes, treat links with suspicion, and verify any money request through a second channel.
How the scam works
1. Account takeover: a scammer triggers a WhatsApp registration code to your number, then poses as a friend or service to ask you to share the 6-digit code.
2. Once they have the code, they register your account on their device and message your contacts asking for money or more codes.
3. Smishing: an SMS that appears to come from a bank, courier or government agency contains a link to a fake login page.
4. Spoofing: scammers fake the sender name so the message lands in the same thread as genuine alerts.
5. The link harvests your credentials and OTPs, or prompts you to install an app that grants the scammer control of your device.
Common warning signs
- Anyone asking you to share a verification or OTP code, for any reason.
- Urgent requests for money from a contact whose writing style or number seems slightly off.
- SMS links urging you to verify, unlock, or claim something immediately.
- Messages mixing a real-looking sender name with an unfamiliar link.
- Requests to install an app or APK from outside the official app stores.
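The warning signs above can be expressed as a simple message triage check. The following is an added example, not part of the original article; the sender names, domains, keyword patterns and sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption): sender name -> domain that sender really uses.
OFFICIAL_DOMAINS = {"ExampleBank": "examplebank.example",
                    "ExampleCourier": "examplecourier.example"}

CODE_REQUEST = re.compile(r"\b(send|share|forward|give)\b.{0,40}\b(code|otp|pin)\b", re.I)
MONEY_REQUEST = re.compile(r"\b(transfer|send|lend|pay)\b.{0,30}(\$|\bmoney\b|\bsgd\b)", re.I)
URGENT = re.compile(r"\b(verify|unlock|claim|immediately|urgent|now)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)


def host_matches(host, official):
    """True only for the official domain or a subdomain of it."""
    return host == official or host.endswith("." + official)


def warning_signs(sender, text):
    """Return the sorted warning signs matched by one message."""
    signs = set()
    if CODE_REQUEST.search(text):
        signs.add("asks_for_code")
    if MONEY_REQUEST.search(text):
        signs.add("money_request")
    for url in URL.findall(text):
        parsed = urlparse(url.rstrip(".,)"))
        host = parsed.hostname or ""
        if URGENT.search(text):
            signs.add("urgent_link")
        official = OFFICIAL_DOMAINS.get(sender)
        # A familiar sender name with a link outside its own domain.
        if official and not host_matches(host, official):
            signs.add("sender_link_mismatch")
        if parsed.path.lower().endswith(".apk"):
            signs.add("apk_sideload")
    return sorted(signs)


# Constructed sample messages (sender, text); none are real.
SAMPLES = [
    ("+65 0000 0001", "I sent a code to your number by mistake, please forward the code to me"),
    ("ExampleCourier", "Parcel held. Pay the fee immediately: http://examplecourier-redelivery.example/pay"),
    ("ExampleBank", "Your statement is ready at https://www.examplebank.example/statements"),
    ("ExampleBank", "Verify your account: https://examplebank.example.login.example/verify"),
    ("+65 0000 0002", "Install our security app now http://updates.example/secure.apk"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, warning_signs(sender, text))
```

An empty result only means none of the listed signs matched; it does not show that a message is genuine.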
Real-life examples
The following scenarios are fictional and generalised for illustration only.
The shared code
A student gets a WhatsApp message from a friend saying they accidentally sent a code to the wrong number and asking her to forward it. She shares the 6-digit code, and minutes later loses access to her own WhatsApp while the scammer messages her contacts for money.
The courier link
A shopper receives an SMS about a held parcel with a link to pay a small redelivery fee. The page mimics a courier and a bank login. After she enters card details and an OTP, an unauthorised transaction appears on her statement.
How to protect yourself
- Never share OTPs or WhatsApp registration codes with anyone, even people you trust.
- Turn on WhatsApp two-step verification to add a PIN that blocks takeovers.
- Do not tap links in unexpected SMS or chat messages; open the official app or type the URL yourself.
- Verify any money request by calling the person on a known number before sending anything.
- Install apps only from official app stores and review the permissions they request.
- Keep your phone's operating system and apps updated to patch security holes.
What to do if you become a victim
1. If your WhatsApp is taken over, re-register with the code sent to your number to log the scammer out, then enable two-step verification.
2. Warn your contacts that your account was compromised so they ignore any money requests.
3. If you entered banking details, contact your bank immediately and change passwords.
4. Run a security scan and remove any app you installed at the scammer's request.
5. Lodge a police report and call 1799.