VYPR
researchPublished Jul 16, 2026· 1 source

WhatsApp GhostPairing Scams Hijack Accounts Via Social Engineering

Scammers are using a social-engineering tactic called GhostPairing to hijack WhatsApp accounts by tricking users into approving a new linked device, bypassing the need for passwords or verification codes.

A new social-engineering technique, dubbed GhostPairing, is enabling scammers to hijack WhatsApp accounts without needing to steal passwords or verification codes. Instead of exploiting technical vulnerabilities, this scam cleverly abuses WhatsApp's legitimate device-linking feature. Attackers trick unsuspecting users into approving a new connected device, granting them persistent access to read messages, monitor conversations, and impersonate the account owner.

This method poses a significant risk as a linked device allows attackers to gain a window into a victim's chats. This access can then be leveraged for various fraudulent activities, including payment fraud and identity theft. The compromised account can be used to approach the victim's contacts with urgent requests, exploiting the trust associated with a known WhatsApp profile. This tactic aligns with a broader trend observed by security researchers, where criminals are shifting their focus from overt malicious files to exploiting trusted digital spaces and legitimate functionalities.

GhostPairing begins not with a technical exploit, but with deception. Scammers initiate contact through various channels, such as direct messages, social media, or fake support requests. They then guide the victim towards a QR code or a device-linking request that appears harmless. The ultimate goal is to persuade the victim to use WhatsApp's companion-device workflow to add an attacker-controlled device to their account.

Once the new device is approved by the victim, the criminal gains unauthorized access. This access is persistent, allowing them to quietly observe conversations before launching any fraudulent activities. This stealthy approach makes the compromise difficult to detect immediately. Previous scams involving WhatsApp's device linking feature have demonstrated how social engineering can effectively turn a normal account management function into a pathway for full account takeover.

The implications of a hijacked WhatsApp account are far-reaching. Attackers can impersonate the victim to request money from friends or colleagues, extract sensitive information from chats, or use the gathered intelligence to make future malicious communications more convincing. For businesses, a compromised employee account can facilitate invoice scams, executive impersonation, and targeted phishing attacks against partners, disrupting operations and causing financial losses.

To defend against GhostPairing and similar scams, users must exercise extreme caution. Unexpected QR codes, requests to scan a code, or instructions to "verify" or "secure" an account should be treated as significant red flags. WhatsApp does not require users to link unfamiliar devices to maintain account activity, and any request that creates a sense of urgency should be independently verified through a trusted channel.

The most critical defensive measure is to regularly review the 'Linked Devices' section within WhatsApp's settings. Users should immediately disconnect any unfamiliar or suspicious sessions. Additionally, enabling two-step verification, securing phones with screen locks, and never sharing verification codes or screen access with unsolicited support personnel are essential practices. These steps, combined with user vigilance, form the strongest defense against social engineering tactics like GhostPairing.

Organizations should reinforce these practices by implementing policies that require staff to independently verify unusual payment or data requests through separate, trusted channels, rather than relying solely on the authenticity of a message from a seemingly familiar account. While platforms may introduce new security tools, user awareness and cautious behavior remain paramount in thwarting these evolving social engineering threats.

Synthesized by Vypr AI