WhatsApp Account Gets Stolen with This Nasty Trick: What to Do

In April, a vulnerability was discovered in WhatsApp that allowed anyone with your phone number and access to your screen to take over your account.

And now, it appears that this WhatsApp flaw can be weaponized to trick you out of your account without the attacker ever seeing your screen.

This information was brought to our attention by a tweet from a young Paraguayan who posted a screenshot of a phishing message in Spanish that appeared to be from WhatsApp.

We have not been able to confirm whether the message is authentic and have not heard of any other incidents related to this scam, but the method of attack makes sense and would be fairly easy for an attacker to carry out.

Our Spanish is pretty rusty, but thanks to my colleague Kate Kozuch and Google Translate, we can say that the message claims to be from the "WhatsApp support team" and states that someone registered your WhatsApp account using your phone number.

The message further states that the recipient was sent an "identity verification request" via SMS.

As a standard feature of WhatsApp's two-factor authentication (2FA) method to prevent account theft, a six-digit one-time code is sent to the old phone number to verify that the account holder has applied for a number change or wants to migrate their WhatsApp account to a new phone number.

The problem, as we reported in April, is that the 2FA code sent via text will appear on the old phone's screen by default, whether it is locked or not. Anyone who can see your screen for a few seconds after requesting a (phony) number change or device change can steal your account.

Fortunately, as we explained in April, it is very easy to avoid falling victim to this scam: simply add a PIN to your WhatsApp account.

Go into your phone's WhatsApp settings, tap on your account, and tap on two-step verification. A six-digit PIN will be created and will need to be entered when you transfer your WhatsApp account to a new phone.

In this new method, reported by a Paraguayan man, the attacker does not need to see your screen because he tricks you into handing over the code yourself.

The message quickly veers into the realm of pure fraud, stating that "failure to pass verification or abandoning the attempt will result in indefinite suspension."

This is a classic confidence-scam call to action, threatening to deny service unless you act now. In reality, WhatsApp will never suspend an account for failing to confirm a change request.

The original poster did not post the entire message, but implied that the recipient will be asked to forward a one-time 2FA code. If you do so, the message sender can hijack your WhatsApp account.

"This is #FAKE," wrote the WABetaInfo Twitter account, while a contributor in Paraguay asked for help. "WhatsApp never sends you messages on WhatsApp, and if they do (for global announcements, but it's soooo rare), you'll see a green confirmed indicator. WhatsApp never asks for your data or authentication codes."