The Sri Lanka Computer Emergency Readiness Team (SLCERT) warned WhatsApp users today not to share any one-time password (OTP) with third parties, as their accounts are at risk of being hacked.
SLCERT Senior Information Security Engineer Charuka Damunupola said that so far 03 incidents have been reported to the team regarding the hacking of WhatsApp accounts.
“A message could be received from a known contact in the WhatsApp contact list claiming to have sent an OTP number and that a link (code) would be received requesting to join a Zoom meeting claimed to be a religious discussion,” he said.
“Once receiving the OTP by the requested party, the WhatsApp account will no longer be active for the original user. Then the same process will be continued using the hacked account contacts and they will claim money to restore the account,” he said.
Therefore, Security Engineer Damunupola requested WhatsApp users not to share any received OTPs with other parties to prevent their accounts from getting hacked.
Meanwhile, Samagi Jana Balawegaya (SJB) member Mujibur Rahman filed a complaint today with the Criminal Investigations Department’s (CID) cybercrimes unit regarding the hacking of his WhatsApp account and an online financial scam targeting his close associates.
In recent incidents, users have reported receiving unexpected WhatsApp verification codes. Scammers then contact users, posing as friends or acquaintances, to request the code, which, once shared, grants hackers control over the account.
• A Colombo businessman, who recently fell victim to the scam, described his experience: “I received a message from a friend’s wife, a known contact, who asked how I was doing. After exchanging pleasantries, she mentioned she had sent a code by mistake and needed it back. Assuming it was genuine, I shared the code. My WhatsApp was immediately hacked,” he said. Once his account was compromised, cybercriminals used it to send messages to his contacts, requesting small sums of money under the pretence of financial distress. “A friend even reached out to my wife to check if I was in trouble. Despite reinstalling WhatsApp multiple times, I couldn’t regain access even after 72 hours,” he added. He has since filed a police complaint and reached out to WhatsApp support.
Forensic cybercrime experts explained the two-step approach hackers use: “First, they compromise the user’s WhatsApp account through the verification code, and then target the user’s contacts with requests for financial help.” Victims have reported sending amounts between Rs 50,000 and Rs 100,000, believing they were aiding a friend in need.
• A retired officer shared a similar experience. “I got a call from a foreign number requesting me to join a Zoom call for a religious discussion,” he said. “To join the Zoom call, they said they would send a verification code. I sent them the verification code, and soon after, my WhatsApp account was hacked, and they sent messages to my contacts asking for money, pretending to be me. Unfortunately, some of my friends sent money to them,” he said. “The bank account given was under a name in Gampola. I later found out that the account was also compromised.”
Cyber experts caution users to “always be cautious” when a WhatsApp message requests a verification code. “Any OTP or code received should never be shared.”