WhatsApp Security

<  Back to Fact Sheets
WhatsApp Security

WhatsApp is a free internet-based text and voice messaging service that launched in 2009 and is currently owned by Meta. There are estimated to be over 2 billion users which makes it attractive for scammers and cybercriminals as a hacking target and deception channel. By implementing two-step verification and being conscious of the scam risks, you can mitigate the chances of becoming a victim.

Preventing WhatsApp scams and account takeover
  • Never respond to requests for help, such as providing money, even if the message appears to come from a friend or family member. Make alternative contact with the person.
  • Never share your 6-digit code with anyone when you sign into WhatsApp.
  • Set up two-step verification on your account (find out how with WhatsApp's About two-step verification).
  • Review your Privacy Settings and consider reducing visibility about you (such as your status, profile picture, and live location sharing).
  • Set up a Screen Lock for WhatsApp on your Smartphone (such as  FaceID or TouchID) under your device settings.
  • Control who can add you to groups under Settings/Account/Privacy and changing “Who can add you to groups” to “Nobody”.
  • Do not click on links as these can lead to malware and related phishing attempts.
Detecting issues with your WhatsApp account
  • Check to see if another device has used your account under “Linked Devices” (vertical ellipses – three vertical dots in top right of the app).
  • Install anti-spyware and anti-virus applications on your Smartphone that uses WhatsApp.
  • Indicators of compromise can also include messaging about authentication requests.
  • Check messages that you have sent to see if you have any messages you did not send.
  • Review your contacts. Often hacked WhatsApp accounts include contacts the legitimate user knows nothing about.
Responding to a hacked WhatsApp account
  • Send a message to your contacts to let them know you are having issues with your WhatsApp account and that any requests from you should not be actioned.
  • Log out of all computers from your phone that is using your WhatsApp account.
  • WhatsApp advises that as soon as you log back in to your account, all other sessions are logged out.  
  • If this does not work then one of two things has probably happened:
  1. The hacker may have set up two-step verification on your account. You will need to wait 7 days before you can sign in without the two-step verification code (note the criminal was logged out when you entered the six-digit PIN); and/or
  2. You have spyware or malware on your device. You will need to either revert your device from a backup made before the date you believe it was hacked or do a complete factory reset. Make sure you back up any files or photos you want to keep before you do this.

For additional support or information, contact IDCARE by submitting a Get Help Form or call 1800 595 160 (Aus) or 0800 121 068 (NZ).


Identity Care Australia & New Zealand Ltd (IDCARE) provides identity and cyber security incident response services (the Services) in accordance with the following disclaimer of service:

  • IDCARE is Australia and New Zealand’s national identity and cyber incident community support service. IDCARE is a not-for-profit and registered Australian charity.
  • The Services provided do not constitute legal advice. IDCARE recommends that you consult your own legal counsel in relation to your legal rights and obligations, including but not limited to your legal rights or obligations under Australian and international privacy and data protection laws.
  • While every effort has been made to ensure the accuracy of the content provided, to the maximum extent permitted by law all conditions, terms, representations, and warranties (in each case, whether express or implied) in connection with the provision of the Services which might otherwise be binding upon IDCARE are excluded.
  • IDCARE’S liability for any loss or damage suffered by any person or organisation (including, without limitation, any direct, indirect or consequential loss or damage) arising out of or in connection with the Services (including without limited liability for any negligent act or omission, or statement, representation or misrepresentation of any officers, employees, agents, contractors or consultants of IDCARE) shall be limited to the fees paid by you to IDCARE in respect of the Services. For the avoidance of doubt, this limitation of liability extends to any liability arising from any actions performed or not performed as a result of any recommendations made in the course of providing the Services.
  • If you would like to provide feedback please use our Feedback Form.


IDCARE is here to provide you with specialist support and guidance when faced with a cyber and identity related issue. Contact one of our Identity & Cyber Security Case Managers to learn more about our Support Services and how we can help you.   

Get help

Submit a web request

Call Centre Icon


1800 595 160

Mon - Fri: 8am - 5pm AEST

QLD: 07 3555 5900
ACT & NSW: 02 8999 3356
VIC: 03 7018 2366
NT, SA & WA08 7078 7741

Call Centre Icon

call our NEW ZEALAND

0800 121 068

Mon - Fri: 10am - 7pm NZST

AKL: 09 884 4440