Blog

Instead of breaking WhatsApp’s security, GhostPairing relies entirely on social engineering. Victims are tricked into approving the attacker’s device themselves, making the attack both effective and difficult to detect.

How the GhostPairing scam works

The scam usually begins with a message that appears to come from a trusted contact. It could say something harmless like, “Hey, is this you in this photo?” or “I just found your picture.” The message includes a link that shows a familiar-looking preview inside WhatsApp, often resembling a Facebook photo or post.

Once clicked, the link opens a fake webpage designed to look legitimate. The page asks the user to “verify” their identity before viewing the content. In reality, this step initiates WhatsApp’s official device-linking flow. Users are prompted to enter their phone number, after which WhatsApp generates a numeric pairing code.

The fake page then instructs the user to enter this code inside WhatsApp, presenting it as a routine security or verification step. By doing so, the victim unknowingly links the attacker’s device to their account.

From that moment, the attacker gains full WhatsApp Web-style access. They can read chats, download media, send messages, and receive new conversations in real time. Crucially, the victim’s WhatsApp continues to work normally on their phone, which means many users do not realise they have been compromised.

Why the scam spreads so easily

Cybersecurity researchers say GhostPairing is especially dangerous because it spreads through trust. Once an account is compromised, attackers use it to send the same malicious links to the victim’s contacts and group chats. Messages coming from known people are far more likely to be clicked, allowing the scam to propagate quickly without mass spam or obvious red flags.

The attack was first observed in parts of Europe, but experts warn that there is nothing region-specific about it. Any WhatsApp user could be targeted.

No hacking involved, just misuse of features

What makes GhostPairing particularly concerning is that it does not exploit a software vulnerability or weaken encryption. The scam uses WhatsApp’s device-linking feature exactly as intended, but manipulates users into approving access under false pretences. Linked devices remain active until manually removed, meaning attackers can retain access indefinitely if the user does not check their settings.

How users can protect themselves

Staying safe from GhostPairing requires awareness rather than technical fixes. Users should regularly check WhatsApp’s Linked Devices section and remove any unfamiliar sessions. Any request to enter pairing codes, scan QR codes, or “verify” accounts through external websites should be treated with suspicion.

Enabling two-step verification adds another layer of protection, and unexpected messages, even from known contacts, should always be verified before clicking links.

Cybersecurity experts warn that scams like GhostPairing highlight a growing shift in digital threats, where attackers focus less on breaking systems and more on exploiting human trust.