Intelligence and Investigation Talent Moves (15 November)

Ken Chan
4 min read · Nov 15, 2020

In recent weeks, if you are a WhatsApp user in Hong Kong, you might have received the following message from a friend:

Hello Sorry, I sent you a 6-digit SMS code by SMS by mistake. Can you pass it on to me? It is urgent

At the same time, an SMS message containing the code is sent to you by WhatsApp.

A friend in need is a friend indeed. It seems okay to give a helping hand to your chatmate. But if you forward the verification code, your WhatsApp account will be hijacked.

It is actually a phishing scheme exploiting a security loophole in WhatsApp, the instant messaging app owned by Facebook. Scammers will have full access to the victims’ messages and contacts. The compromised WhatsApp accounts will then be used to spread the spam in the name of your “friend”.

According to online research, the Macau Police first warned about this form of WhatsApp hijacking in March 2019. The Civil Guard of Spain also reported the Spanish version of the spam in February 2020:

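Hola, lo siento, te envié un código de 6 dígitos por SMS por error, ¿me lo puedes pasar, por favor? Es urgente

(In English: “Hello, sorry, I sent you a 6-digit code by SMS by mistake, can you pass it on to me, please? It is urgent”)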
