New WhatsApp OTP Scam Using Call Forwarding Trick

Risk:
high
Damage:
high
Platform(s):
Mobile Networks and Telephones
Advisory ID:
ngCERT-2022-0080
Version:
N/A
CVE:
N/A
Published:
June 10, 2022

Summary


Attackers have devised a method of taking over a victim's WhatsApp account by abusing conditional call forwarding, a standard feature offered by mobile operators that diverts incoming calls to another number when the line is busy, unanswered or unreachable. The method also relies on WhatsApp's option to deliver the one-time password (OTP) used for account registration by voice call instead of SMS.

Description & Consequence


The attack is typically launched by vishing (voice phishing). The attacker calls the victim while posing as a representative of a bank, phone company or government agency and, sounding convincing, persuades the victim to dial a Man Machine Interface (MMI) code that registers call forwarding to the attacker's number for calls that arrive while the line is busy or the network is unavailable. These MMI codes begin with a '*' or a '#' symbol. Once the victim has dialled the code, any call that reaches the victim's number while the line is engaged (for instance while the attacker keeps the victim talking) or unreachable is diverted to the attacker's phone. The attacker then starts WhatsApp registration for the victim's phone number on a device they control and chooses to receive the OTP by phone call rather than SMS. Because the victim's line is busy, the verification call, and with it the OTP, goes straight to the attacker. As soon as the OTP has been read out, the attacker completes registration; this logs the victim's own device out of WhatsApp and hands the account to the attacker.

  1. The attacker gains access to the victim's WhatsApp chats and contacts, including any new messages delivered to the account.
  2. The attacker can send fraudulent messages to the victim's contacts in the victim's name.
  3. The attacker can enable two-step verification (WhatsApp's 2FA PIN) on the hijacked account, preventing the victim from re-registering the number and regaining access.
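The lure in this scam is a text or voice instruction to dial a GSM call-forwarding MMI code. As an added example (not part of the ngCERT advisory or any WhatsApp tooling), the following Python parses such codes out of message text and flags only those that would actually divert the reader's calls to another number; interrogation and cancellation codes are recognised but not flagged. The sample messages are constructed, the function names are the author's own, and the service codes are the standard GSM supplementary-service numbers for call forwarding.

```python
"""Flag messages that ask the reader to dial a GSM MMI call-forwarding code.

Added example, not the advisory's own tooling. Sample messages are
constructed. Service codes are the standard GSM/3GPP call-forwarding numbers.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Call-forwarding service codes (GSM supplementary services, 3GPP TS 22.030).
FORWARDING_SERVICE_CODES = {
    "21": "unconditional",
    "67": "on busy",
    "61": "on no reply",
    "62": "when not reachable",
    "002": "all forwarding",
    "004": "all conditional forwarding",
}

# MMI prefix -> action. Only activate/register send calls elsewhere; the
# others query, switch off or erase a forwarding rule.
PREFIX_ACTION = {"*": "activate", "**": "register", "#": "deactivate",
                 "##": "erase", "*#": "interrogate"}

# Grammar: <prefix><service code>[*<destination number>]#
# Two-character prefixes come first so '**' and '*#' are not split.
MMI_RE = re.compile(
    r"(?P<prefix>\*\*|\*#|##|\*|#)"
    r"(?P<sc>\d{2,3})"
    r"(?:\*(?P<dest>\+?\d{3,15}))?"
    r"#"
)


@dataclass
class MmiCode:
    raw: str
    action: str
    service: str
    destination: Optional[str]

    @property
    def diverts_calls(self) -> bool:
        """True only for codes that point the reader's calls at another number."""
        return self.action in ("activate", "register") and self.destination is not None


def parse_mmi_codes(text: str) -> List[MmiCode]:
    """Return every well-formed call-forwarding MMI code found in text.

    Codes for other supplementary services (e.g. *#06# for the IMEI) match the
    grammar but are dropped because their service code is not a forwarding one.
    """
    codes = []
    for m in MMI_RE.finditer(text):
        sc = m.group("sc")
        if sc not in FORWARDING_SERVICE_CODES:
            continue
        codes.append(MmiCode(raw=m.group(0),
                             action=PREFIX_ACTION[m.group("prefix")],
                             service=FORWARDING_SERVICE_CODES[sc],
                             destination=m.group("dest")))
    return codes


def is_forwarding_lure(message: str) -> bool:
    """A message is a lure if it carries a code that would divert the reader's calls."""
    return any(code.diverts_calls for code in parse_mmi_codes(message))


# Constructed sample messages (not real scam texts).
SAMPLE_MESSAGES = [
    "This is your bank. To verify your line, dial **67*08012345678# now.",  # lure
    "Activate your SIM upgrade: *21*+2348012345678#",                      # lure
    "To check whether forwarding is on, dial *#67#",                       # query only
    "Dial ##002# to cancel all call forwarding",                            # remediation
    "Your IMEI is shown when you dial *#06#",                               # unrelated code
]


def scan(messages: List[str]) -> List[dict]:
    """Summarise each message: the forwarding codes it carries and the verdict."""
    report = []
    for msg in messages:
        codes = parse_mmi_codes(msg)
        report.append({"message": msg,
                       "codes": [(c.action, c.service, c.destination) for c in codes],
                       "lure": any(c.diverts_calls for c in codes)})
    return report


if __name__ == "__main__":
    for entry in scan(SAMPLE_MESSAGES):
        print("LURE" if entry["lure"] else "ok  ", entry["codes"], "<-", entry["message"])
```

Run as a script it prints one verdict per sample message. The interrogation (`*#…#`) and erase (`##…#`) forms are deliberately not flagged, so a user who follows the advice to check or cancel forwarding on their own line is not treated as a victim; the same parser can be used to strip or warn on such codes in a messaging gateway or awareness tool.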

Solution


  1. If you receive a message or a call asking you to dial a number that starts with a star (*) or a hash (#) symbol, delete the message (or end the call) immediately and do not type the code into your phone's keypad.
  2. Never enter a code on your phone on someone else's instructions, especially when it comes from an unsolicited or untrusted caller.
  3. Do not share your phone number publicly.
  4. Check whether call forwarding is already active on your line by dialling the standard interrogation codes *#21#, *#67#, *#62# and *#61#; if a destination number you do not recognise is shown, cancel all call forwarding with ##002# and report it to your operator.
  5. Enable two-step verification in WhatsApp (Settings > Account > Two-step verification) so that registering your number on a new device also requires your PIN, and never share a WhatsApp registration code with anyone.
