The Civil Guard was among the few authorities to flag this scam on its official Twitter account, making the warning feel timely and credible for readers in Canada and the United States. The scammer’s aim is not to harvest bank details outright but to seize control of a user’s WhatsApp account by manipulating a six‑digit verification code. This simple numeric sequence is the key that lets a hacker verify a login on a different device, whether that device is a phone, a computer, or a tablet.
In practical terms, the attacker wants the six digits that WhatsApp uses to confirm a new device. If the code lands in the wrong hands, the malicious actor can connect the victim’s account to their own device and take over the chats, lists of contacts, and access to groups. The code is supposed to be a security measure, but it becomes a vulnerability in the wrong hands. The goal is to prompt the user to share that code, often under the pretense of helping someone in a hurry or fixing a misdirected message.
When the compromised device tries to access WhatsApp, the app sends a request asking the user to enter the six‑digit verification code. If someone receives that request and responds with the code, the attacker can complete the setup on their own device and gain control of the account. This is a classic example of social engineering pitched at a time of urgency, exploiting how people react when they think there is a time pressure or a mistake to fix.
The typical attack narrative goes like this: a message arrives from a supposed friend or a trusted contact, paired with an apology for an accidentally sent six‑digit code. The message explains that the sender is in a rush and asks for the code to be shared to resolve the issue. The ruse relies on panic, politeness, and the belief that the person on the other end is trying to help. In reality, the request is designed to give someone else total control over the account. The Civil Guard emphasizes that this type of request should be ignored, because handing over the code effectively grants access to all chats and contacts on any device that is connected to the account, placing everything at risk (Civil Guard).
The core countermeasure is to treat any six‑digit code as highly sensitive information. No legitimate service will ask for this code from a user via a third party. If a code arrives unsolicited, the safest move is to decline sharing it and to verify the situation directly through official channels. Users should immediately halt any process that involves entering codes, and they should report suspicious messages to the appropriate authorities or to the platform’s security team. This approach helps prevent unauthorized access before it begins and reduces the chance that an attacker gains a foothold on the account (Civil Guard).
Protecting a WhatsApp account requires a calm, methodical response. First, never share the verification code with anyone, even if they claim to be a friend, a family member, or a support agent. Second, enable extra security features offered by the platform, such as two‑step verification, which adds another layer of protection beyond the standard six‑digit code. Third, if an account is believed to be compromised, immediately follow the platform’s recovery steps and notify contacts that may have been affected. These steps help ensure that an attacker cannot prolong their access or pivot into other areas of the user’s digital life (Civil Guard).
For readers in North America, the situation mirrors common scam patterns seen across borders, where attackers rely on social manipulation rather than flashy hacking techniques. Awareness and quick, deliberate action are the defenses that keep accounts secure. The warning from the Civil Guard underscores a simple rule: never disclose the six‑digit code, and treat any demand for it as a potential red flag. By staying informed and following best practices, users reduce the risk of losing control over their personal conversations and contacts.
Ultimately, the most effective defense is a combination of skepticism toward urgent requests and proactive security settings. The six‑digit code is not a token to be shared; it is the gateway that a scammer uses to lock a user out of their own account. By resisting pressure, verifying identity through official channels, and keeping security features up to date, readers can protect their messaging accounts from this kind of intrusión and safeguard their digital presence (Civil Guard).