A new and dangerous scam is targeting WhatsApp users by misusing the app’s device-linking feature. Cybersecurity experts have flagged this attack, called GhostPairing, as highly deceptive because it does not involve stealing passwords, SIM cards, or verification codes. Instead, users are tricked into approving access themselves. The scam spreads quietly through trusted contacts and is hard to notice once activated.
Experts warn that this method exposes serious risks in how people understand device-pairing features on popular messaging apps.
GhostPairing WhatsApp Scam Explained: How Accounts Get Hijacked
According to cybersecurity researchers at Gen Digital, the scam starts with a harmless-looking message from a known contact. Messages like “Hey, I just found your photo!” are designed to spark curiosity. The message includes a link that appears with a Facebook-style preview inside WhatsApp, making it look safe.
When the link is clicked, users are taken to a fake webpage that looks like a Facebook photo viewer. Before showing the image, the page asks users to “verify” their identity. This is where the trap is set. The page secretly initiates WhatsApp’s official device-linking process.
Users are asked to enter their phone number, after which WhatsApp generates a numeric pairing code. The fake site then tells users to enter this code in WhatsApp, claiming it is a normal security step. Once the code is entered, the attacker’s device is approved without the victim realising it.
This gives hackers full WhatsApp Web access. They can read chats, download photos and videos, send messages, and receive new messages in real time. The victim’s phone keeps working normally, making the attack very difficult to detect.
WhatsApp Security Alert: Why GhostPairing Is Hard To Detect
Experts say GhostPairing is especially dangerous because it does not break encryption or exploit software bugs. Everything works exactly as designed. The scam relies purely on social engineering and human trust.
The campaign was first noticed in Czechia, but researchers warn it can spread globally. Once an account is compromised, attackers send the same fake link to the victim’s contacts and group chats, allowing the scam to spread fast through trusted networks.
Linked devices stay connected until users manually remove them. This means attackers can maintain access for long periods without being noticed.
To stay safe, users should regularly check Settings > Linked Devices, remove unknown sessions, avoid entering pairing codes from websites, enable two-step verification, and double-check unexpected messages, even from known contacts. Vigilance remains the strongest defence against such trust-based scams.
