This article is posted with permission from our partner MacPaw. MacPaw makes Mac + iOS apps that have been installed on over 30 million devices worldwide. Freelancers Union members receive 30 days of free unlimited access to CleanMyMacX and Setapp: https://freelancersunion.org/resources/perks/macpaw/

How often do clients find you on freelance platforms and ask you to continue talking on WhatsApp? Once you’ve been officially hired by using an Upwork or Fiverr contract, it’s generally fine to conduct business on any other messenger. 

However, with many advantages and flexibility of WhatsApp come many possibilities for cybercriminals to take advantage of independent workers. On top of that, since Meta purchased WhatsApp, there have been concerns over privacy and security within the app. 

So, is WhatsApp safe to maintain business communication? Can you use it to exchange sensitive information? Can it be hacked? And how can you make it more secure? Answers Moonlock, a cybersecurity division of MacPaw.

Dealing with risks of identity theft

The use of WhatsApp to communicate with clients at some point involves sharing your personally identifiable information (PII), bank information, or credit card numbers. That’s the kind of sensitive data the hackers are always looking for so they can steal your identity. 

To prevent hackers from intercepting your online communications while you’re sending things like legal documents with your social security number, driver’s license, or passport number, WhatsApp uses end-to-end encryption. It means that everything you send on WhatsApp gets encrypted on your device, including voice calls, text messages, video calls, and shared information. The message can’t be decrypted until it travels through the internet and arrives on the device of the other party. The whole process takes milliseconds of time and is invisible to all users.

End-to-end Encryption ensures that no one, not even WhatsApp, can read or listen to your personal messages and calls 🔒 pic.twitter.com/Nyiegyi4fl

— WhatsApp (@WhatsApp) August 23, 2023

End-to-end encryption makes WhatsApp a reliable platform for private conversations that most likely won’t result in cybercriminals mining your personal information and tracking you. After all, if hackers can’t read your messages, they can’t harm you. But for the exchange of sensitive documents, Moonlock still recommends using encrypted emails instead of WhatsApp. With encryption, email services often add another layer of protection where the other party needs to enter their login credentials before unlocking and reading the information inside. 

Can WhatsApp be hacked?

Unfortunately, end-to-end encryption doesn’t mean that WhatsApp is 100% private or safe. Because of some inherent weaknesses within the app it still may be subject to certain types of threats.

The most common ways to hack WhatsApp

WhatsApp hacking incidents typically fall under two categories. The first one involves scams or posing as clients, friends, or partners to hack into your accounts. The second involves cybercriminals who use ransomware attacks or spread malware to take hold of your information online.

1. Asking for a verification code

Cybercriminals often try to trick WhatsApp users into giving away their verification codes. This is how they take control of their accounts and use them to spread phishing so they can attack other accounts as well. This is a common technique that targets not only individual workers but entire organizations, too. 

Moonlock urges you to be cautious when getting a text message with a WhatsApp verification code, and one of your contacts asks you for the code right after. This could be an attempt by an attacker to trick you into handing over the code. On the bright side, it means the attacker doesn’t have access to your device and can’t read the combination without your assistance. Ignore the message and change the WhatsApp password immediately.

Yet, if a hacker has access to your phone, it becomes incredibly easy for them to hack your WhatsApp account.

2. Hijack through call forwarding

It starts with an attacker reaching out to you and convincing you to call a specific number. According to Malwarebytes, the numbers are not the same but often look like a combination of numbers and asterisks: **67*<10 digit number>. The 10-digit number is always a phone controlled by the attacker.

Once you’re dialing the number, the attacker triggers the verification process, requesting the code via a phone call. But since call forwarding is on, it’s the attacker and not you who receives the code. If you don’t have a two-step verification for WhatsApp, the account takeover is a matter of seconds and is almost irreversible.

3. WhatsApp Web con

The use of WhatsApp on mobile and desktop is one of the reasons freelancers find it convenient to communicate with clients. To access and log in to WhatsApp Web, users will have to scan a QR code with their phone. 

If anybody who wants to get a hold of your private information has access to your phone, it’s easy for them to use WhatsApp Web to log in to your account and steal it. For this reason, Moonlock recommends not leaving your phone and laptop unsupervised in shared working spaces and always locking them when you step away for a minute.

Attackers can also extract the QR code from WhatsApp Web and place it on a malicious webpage. If a user scans it with WhatsApp or a phone camera, the QR code can help steal user credentials and provide access to their account.

4. “Monitoring” is a fancy word for “spyware”

Marketed as a parental control for WhatsApp, FlexySpy, mSpy, and KidsGuard, essentially are spyware. With these third-party apps, people can get remote access to everything that’s being sent via WhatsApp on somebody else’s phone. All they need to do is have your phone for a brief moment – that would be enough to install the spyware and see through the entire chat history, logs, files, and messages.

5. Hacking tools and malware

The dark web offers plenty of tools for hacking. These days, it’s not even necessary to have a lot of skill to break into somebody’s account – it would be enough to purchase malicious software online and find a way to distribute it.

For example, researchers from CheckPoint found hidden malware in an Android app on Google Play. Disguised as a Netflix enabler, the app monitored WhatsApp notifications and sent automatic replies to every incoming message. Replies lured users to click on a link with a free Netflix offer, spreading malware further and stealing their data. 

How to make your WhatsApp account more secure

For each malicious action of cybercriminals, there’s an opposite reaction from WhatsApp security researchers and every single WhatsApp user. Tracking red flags and following a few simple rules while using the app for business will help us all make WhatsApp experience safe and secure.

Check for signs of a hack

1. Strange devices linked

If somebody else uses your WhatsApp account on another device, you’ll no it pretty fast. Open WhatsApp on your phone > Go to Settings > Tap on Linked Devices. That’s where you can see all phones and desktops that have your account open. Remove those that you don’t recognize.

2. Suspicious messages and notifications

Don’t ignore notifications with verification codes that you didn’t request. That’s not some bug of WhatsApp but rather an attacker trying to get into your account. 

Messages that you don’t remember sending and contacts you don’t remember adding are also reasons to ring the alarm. Once hackers access your WhatsApp information, they might start using it to distribute phishing, other types of scams, and malware. Moonlock reminds you to immediately change your password and check Linked Devices in Settings.

3. Drained battery and phone slowing down

As happens with spyware and malware that pose as legitimate apps, you don’t know right away if your phone is infected. Hidden applications like that drain your battery and use a lot of cellular data, so if you see that happening more often than usual, that’s a red flag you can’t ignore.

For iPhones, check Background App Refresh option to see if you have fallen victim to spyware or other hacking apps. Go to Settings > Select General > Tap on Background App Refresh > Look through the list of apps and toggle them off if you don’t need them working in the background. 

Once you stumble upon an app you don’t recognize, delete it at once. 

Follow simple cybersecurity rules

1. Enable two-factor authentication

With two-factor authentication, you add an extra layer of protection to WhatsApp and prevent cybercriminals from stealing your account. Open WhatsApp > Go to Settings > Choose Account > Tap on Two-Step Verification >  Turn On > Create a unique 6-digit PIN with a combination that you haven’t used in other apps.

2. Keep an eye on scam trends

Cons and scams are older than the internet. Even though most of us get on the hook through emails, calls, and messages, most of these schemes are simply variations of old criminal trickery. 

Following the news about recent privacy scandals and phishing attacks will help you learn the hackers’ playbook and protect your accounts. Last year, Moonlock prepared a list of 8 most common scams on WhatsApp that all users should watch out for. Subscribe to Moonlock Newsletter to be in the loop of the latest hacking trends and avoid them.

3. Limit privacy settings

WhatsApp lets you hide information about your account from other users. You decide who can see your current location, groups, online status, and profile photo. To change these settings, open WhatsApp > Go to Settings > Privacy. 

The WhatsApp Help Center advises blocking and reporting anyone involved in illegal or suspicious behavior on the app. Even though Moonlock mentioned several methods to hack a WhatsApp account, being knowledgeable and taking the right steps can help prevent most of them.