WhatsApp has established itself as the main messaging app in Spain and much of Europe, and precisely for that reason it has also become one of cybercriminals' favorite channels. In recent months, cybersecurity experts, consumer organizations, and law enforcement agencies have warned of a New WhatsApp scam especially dangerous because it can go completely unnoticed by the victim.
This fraud, known as ghost pairing or “phantom pairing”It exploits a legitimate WhatsApp feature that allows the use of the same account on multiple devices simultaneously. The trick involves deceiving the user into being the one who Link your WhatsApp account to the scammer's devicewithout realizing that she is opening the door to all of their conversations, photos, and contacts.
What is ghost pairing and why is it so dangerous?
The so-called ghost pairing is based on the device pairing offered by the application itself: the same WhatsApp account can be used on secondary mobile phones, computers, or tablets via WhatsApp Web or the desktop app. This feature, designed to facilitate the use of the app, has become the central element of a silent scam which allows the criminal to "clone" the victim's account.
Unlike other classic WhatsApp scams, where attackers try steal your account and leave you out By blocking your access, the goal of ghost pairing is to maintain an active parallel session. The scammer manages to connect to your account as if it were another device, and while you continue using WhatsApp normally, they can... read everything you write and receive without causing any apparent warning.
Cybersecurity specialists and consumer organizations like FACUA have warned that, in practice, this technique acts as a “silent hijacking” of the accountThere's no need to duplicate the SIM card or know your mobile password: simply manipulate the user into completing the linking process, believing they are performing a legitimate procedure.
The result is that the cybercriminal shares, in real time, the same access you have to the app. They can see old conversations, follow new ones, download files, and navigate your contact list—all of this. without raising suspicion Because you still see your WhatsApp working completely normally.
How the scam starts: messages that seem legitimate
The first step in this fraud is always a message that seems completely innocentIt might arrive as an SMS, a WhatsApp notification, or even from another social network, but the goal is the same: to take you to a website controlled by the scammer or to make you share a verification code.
In many cases, the message seems to come from the person himself. WhatsApp or a known serviceThe text usually warns of a supposed security problem with your account, that you've logged in on another device, or that you "must verify your identity" to protect it. The tone plays on urgency and concern for your privacy, so the user tends to act quickly.
Other times, the deception comes as a message of someone from your contact listIt could be a family member, a friend, or an acquaintance who is seemingly writing to you to say something like: "Hey, I think I sent you a code by mistake, can you resend it?" or “look at this photo of yourself, click on this link.” In reality, it could be an already compromised account that the criminals are using to continue spreading the scam.
A format detected by FACUA and security companies like Gen Digital begins with a message claiming that you have been tagged in a Facebook photo or in a photo contestThe included link leads to a website that mimics the social network's login page, with the aim of making the victim feel they are in a trusted environment and follow the steps without suspicion.
Videos are also circulating on TikTok and other platforms warning of messages supposedly sent by WhatsApp to “confirm that your account is at risk”The hook is always the same: making you believe you are protecting your privacy when, in reality, you are allowing third parties to access your account.
The role of fake links and websites that mimic well-known services
When the user clicks on the link in the message, they are redirected to a Fake page that perfectly imitates to a real service: usually Facebook, but it could also be a fake WhatsApp support website or even one from a well-known organization. The design copies typical logos, colors, and text to make the environment feel familiar.
On that page you are asked to enter your phone number and then you are instructed to complete a “verification” using a QR code or a numerical codeTo the user, it seems like a normal step to confirm that they are the account owner or that they are "human," as seen in some fake forms.
The key is that this supposed verification has nothing to do with protecting the user: what it actually does is to guide you through the legitimate process of linking WhatsApp devicesIn other words, step by step, the form causes the user to open WhatsApp, enter a linking code, or scan a QR code that is actually associated with the cybercriminal's browser or device.
WhatsApp's own system, both in its web version and in the Windows application, allows you to link the account using the phone number and a verification code or QR codeIt is precisely this legitimate option that is exploited in ghost pairing: the victim believes they are logging into a trusted website, but in reality is authorizing a new device under the control of the scammer.
At the end of the process, everything seems to have gone well: the fake page may even display a generic success message or redirect to another harmless website. The user receives no strange alerts, sees no changes in their WhatsApp, and notices nothing unusual. However, from that very moment, the attacker has an active session of your account running in the background.
What can a cybercriminal do once inside your account?
Once the phantom pairing is complete, the scammer then has, via WhatsApp Web or the desktop application, virtually the same privileges as the legitimate userThis includes viewing chat history, receiving new messages, and accessing sent and received files.
Among the most common actions The following stand out among those that have been detected:
- Read all conversations, both individual and group, including older ones that are still stored in the account.
- Download photos, videos, voice notes, and documents that have been shared through the application.
- Access the contact listThis allows for the identification of family members, friends, and co-workers who may be susceptible to being deceived later.
- Sending messages impersonating yourselfby asking for money, sharing new fraudulent links, or requesting codes that will allow the fraud to be extended to more accounts.
The real risk is that the victim You never lose control of your accountUnlike other scams where the user is kicked out of the app and can no longer log in, here they continue using their WhatsApp as usual, making it much harder to detect the problem in the short term.
During that time, the cybercriminal can search the chats for especially valuable information: card numbers, bank details, written-down passwords in conversations with family members or screenshots of emails and bank statements. It can also collect intimate photos, personal documents, and any other sensitive content.
With that information in hand, attackers can go beyond simply gaining access to WhatsApp: they can use the data to steal money, access email accounts, or commit other fraudsand even resort to extortion if they find compromising material. All of this is supported by the fact that they have had a prolonged window of time to spy without being detected.
Furthermore, the ability to send messages on behalf of the victim facilitates the spread of deceptionA contact who receives a link or a request for financial help from a known number is much more likely to fall into the trap, thus perpetuating the chain of scams.
Other variations of WhatsApp scams that exploit trust
Although ghost pairing is one of the most worrying trends right now, it's not the only one. New WhatsApp scam which is being investigated in Spain and other European countries. Law enforcement agencies have also detected campaigns where criminals impersonate others. banks, online stores or technical services to gain access to sensitive information.
In one of these variations, the victim receives a message in which someone identifies themselves as employee of your financial institution or from the security department of an online store. They claim there is a problem with their account, a fraudulent charge attempt, or a security breach that needs to be resolved as soon as possible.
In the middle of that conversation, the fake worker proposes to help "protect the money" and It requests that the user share their mobile screen. or from their computer through specific applications. This technique, while not exactly ghost pairing, follows the same logic: exploiting trust and urgency to get the user to hand over control.
If the victim logs in and starts typing passwords or verification codes while sharing the screen, The scammer can see every move in real timeThis makes it easy for them to copy passwords, enter data into online banking, or authorize transfers without the person being fully aware of what is happening.
In both ghost pairing and these “screen sharing” scams, the pattern is repeated: trust is exploited in recognized brands, close contacts, or alleged official messagesAnd they play on the victim's haste and fear of losing money so that they act without thinking too much.
How to detect if your WhatsApp account is linked to a strange device
The good news is that the application itself offers tools for Check if someone has linked your account to a device you don't recognize. The key section is "Linked Devices," available on both Android and iPhone.
On Android phones, simply tap on the icon of the three dots from the upper right corner From the main WhatsApp screen, select the "Linked Devices" option. On iPhone, this can be found at the bottom of the app, in the "Settings" icon, where the same section also appears.
Upon entering, a list of all the computers, browsers and desktop apps that have a session logged into your account. If that list shows a device you don't recognize, or a session logged in from a city or browser that doesn't look right, it's very likely a Unauthorized access.
In those cases, it is recommended to tap on that device and choose the option to “Log out” or “Delete”This immediately revokes the cybercriminal's access. It's also advisable to check the list again after a few minutes to confirm that no suspicious sessions reappear.
If, in addition, you've noticed strange behavior on your account—such as messages you don't remember sending, contacts telling you that you've shared unusual links, or notifications of verification attempts—it's wise to take it a step further and turn on XNUMX-step verificationin addition to changing passwords associated with other services where you may have reused data.
Key tips to avoid falling into ghost matchmaking
Authorities and experts agree on several basic recommendations for minimize risk to avoid falling for ghost pairing or other similar scams that spread through WhatsApp:
- Never share WhatsApp verification codesDo not send a code via text message or phone call, even if someone you trust asks for it. If you receive a code you weren't expecting, ignore it.
- Be suspicious of any message that asks you to return a code, click on an urgent link, or "verify your account" outside of the application itself.
- Avoid entering codes or scanning QR codes. that do not come from official WhatsApp channels or services that you have requested yourself.
- Check the "Linked Devices" section frequently and close any session you don't remember starting.
- Activate XNUMX-Step Verification in WhatsApp settings to add an extra layer of security to your account.
- Be wary even of links that come from known contactsThey may have been victims before you and are unknowingly forwarding the scam.
FACUA and other consumer protection organizations insist that WhatsApp It does not request codes or verify identities. through external links or forms outside the app. Any message stating otherwise should raise red flags.
Furthermore, law enforcement agencies recommend that, at the slightest suspicion of having been the victim of a scam, one should... I hereby file this complaint The sooner the better, and preserve all possible information: screenshots of messages, links received, and any data that may help investigators track the campaign.
In a context where WhatsApp has become a central part of daily life, from personal conversations to work-related tasks, these New scams based on ghost pairing They demonstrate that monitoring bank transactions isn't enough: it's also crucial to control who can access our conversations and what permissions we grant almost without thinking. Maintaining a healthy dose of skepticism, regularly checking linked devices, and resisting the pressure of urgent messages have become key to continuing to use the app with peace of mind.
