The WhatsApp 6-digit code scam: how a single number can give an attacker your account

Someone you know sends a panicked message: 'I sent you a 6-digit code by mistake, can you forward it back?' Don't. Here's how the WhatsApp account-takeover scam works, real cases, and exactly what to do.

It always starts the same way: a contact in your WhatsApp — your cousin, your friend from work, your old classmate — sends you a panicked message. "Sorry, I accidentally sent a 6-digit verification code to your number. Can you send it back?"

You glance at your SMS. Yes, a code from WhatsApp just arrived. It looks legitimate. Your friend sounds embarrassed. So you forward it.

In the next five seconds, you have just lost your WhatsApp account to a stranger. By tomorrow, that stranger will be using your identity to run the same scam on everyone in your contacts.

This is the WhatsApp 6-digit code scam — and according to France's national cybersecurity agency Cybermalveillance.gouv.fr, account-hijacking assistance requests grew +47% in 2024, with over 430,000 article consultations on the topic. It is now one of the top three threats handled by the agency.

What the scam actually looks like

The message usually arrives from a number you know — because the attacker has already taken over a friend's account higher up the chain. Common patterns:

"Salut, j'ai envoyé un code par erreur à ton numéro, tu peux me le renvoyer ? C'est pour mon compte qui est bloqué"

"Hi, I sent you a 6-digit code by mistake, can you forward it? My SIM card got blocked"

"Tu as reçu un SMS avec un code de WhatsApp ? Envoie-le moi vite, j'en ai besoin pour réactiver mon compte"

The same minute, an actual SMS arrives on your phone:

"Your WhatsApp code: 123-456. You can also tap on this link to verify your phone: v.whatsapp.com/123456. Don't share this code with others."

That last sentence — "Don't share this code with others" — is WhatsApp telling you exactly what's happening. The attacker has typed your phone number into WhatsApp's login page on their device. WhatsApp sent you the code to confirm it's really you. If you give it to the attacker, you've authorized them to log in as you. Your account moves to their phone. Your old session ends.

Why it works — the social engineering

The genius of this scam isn't technical, it's emotional:

It comes from someone you trust. The previous victim's account is already compromised, so the message arrives from a real contact name and a real history of conversations.
It sounds harmless. "I sent you something by mistake, can you give it back?" doesn't trigger your fraud reflex. It's not asking for money or login credentials — just a number.
The story is plausible. A "blocked SIM card", a "lost phone", a "double verification" all sound like things that genuinely happen.
Time pressure is light but present. "Quickly, I need this for my account" — gentle enough not to spook you, urgent enough to bypass careful reading.
The code looks legitimate. Because it is legitimate. WhatsApp really did send it. The attacker just initiated the request.

The French national agency calls this the #1 vector for account takeover in 2024, with the takeovers then being used to push cryptocurrency investment scams to the victim's entire contact list — a +109% growth in 2024.

Real cases

France, 2024: Cybermalveillance.gouv.fr's 2024 annual report (PDF) details how attackers impersonating a friend ask the victim to forward an SMS code "linked to a blocked SIM card" — once received, the attacker takes over WhatsApp, Instagram, or Snapchat. The agency now ranks this scam as the most common assistance request by individuals.
Morocco, 2023-2024: Médias24 reports a national wave of WhatsApp takeovers, prompting the DGSN to launch the E-Blagh platform on May 18, 2024 — a 24/7 online portal for reporting cybercrime including WhatsApp scams.
Belgium, 2024: Belga News Agency reports phishing — of which the 6-digit code scam is a major sub-category — netted fraudsters nearly €50 million in Belgium in 2024 alone.
Worldwide: Bitdefender's HotForSecurity blog documents the same pattern globally, often coupled with the "Hi Mum, lost my phone" variant that follows the takeover.

Red flags — what should make you stop

If you spot any one of these, treat the message as a scam by default:

An SMS code arrives unprompted — you didn't try to log in anywhere
A contact asks you to forward a code "received by mistake"
The reason given involves a lost phone, blocked SIM, or expired account
The contact insists on doing it through WhatsApp, not calling you on the phone or meeting in person
They sound slightly off — different turn of phrase, more formal or less formal than usual, no inside jokes

The single hardest rule, with no exceptions: no legitimate friend ever needs a verification code from your phone. The codes WhatsApp sends to your number are designed exclusively for you to use on your device. There is no scenario where forwarding one helps someone else.

What to do if you receive this message

Do not forward the code. Period. Even if the contact is your mother, your boss, or your best friend — the code stays on your phone.
Call the contact on their known phone number (not via WhatsApp). Verify they actually sent the message. 9 times out of 10 their account is already compromised.
Warn them if they don't yet know. Their account has been stolen and they need to recover it (see below).
Report the message as spam directly inside WhatsApp (long-press the message → Report).
If you are in Morocco, report on the official E-Blagh platform. In France, Cybermalveillance.gouv.fr hosts an online complaint flow. In Belgium, use safeonweb.be.

If you already forwarded the code (don't panic)

You have a few minutes before the attacker fully locks you out. Move fast:

Reinstall WhatsApp on your phone and re-register with your number. The very act of you re-verifying kicks the attacker's session out.
Turn on Two-Step Verification immediately: Settings → Account → Two-step verification → Enable, and set a 6-digit PIN. Now even if the attacker tries again, they'll also need your PIN.
Add an email to your two-step verification so you can recover it.
Alert all your WhatsApp contacts — broadcast a message warning that you were compromised. Otherwise, they'll receive the same scam from "you".
If money was sent via your account or asked from your contacts, file a police complaint immediately. In France: Pré-plainte en ligne. In Morocco: nearest commissariat or the DGSN E-Blagh platform.

Turn on Two-Step Verification now — even if nothing has happened

WhatsApp's Two-Step Verification is the single most important defense. Once enabled:

Anyone trying to register your number on a new device will also need a 6-digit PIN that only you know
That PIN is not sent by SMS, so even if your SMS is intercepted, the attacker is stuck
It takes 30 seconds to enable and almost never bothers you afterwards

Settings → Account → Two-step verification → Enable. Do it now. If you read nothing else in this post, do that.

Get a second opinion in 5 seconds

If you're staring at a message right now and you're not sure if it's a scam, forward it to Digiscam on WhatsApp or paste it into the check box on our homepage. Our AI checks the pattern in seconds, with the same red-flag heuristics official agencies use — free, anonymous, in English, French, and Arabic.

Don't forward the code. Don't trust the message. Verify first.

Sources: Cybermalveillance.gouv.fr 2024 annual report (PDF) · Belga News Agency — Belgium phishing losses 2024 · Médias24 — DGSN E-Blagh launch · Bitdefender — Hi Mom Hi Dad scam