Cybersecurity threats may evolve in presentation, but the underlying tactics often remain familiar. A new example of this pattern has emerged on WhatsApp, where attackers are exploiting the platform’s device-linking feature to hijack user accounts through a phishing-style campaign dubbed “GhostPairing.”
According to Gen Digital — the parent company of Norton, Avast, and AVG — the attack works by manipulating users into unknowingly assisting hackers with a legitimate WhatsApp login process. Victims typically receive a message from a known contact claiming that a photo of them has been found online, along with a link. While the preview appears to point to a Facebook page, it actually leads to a convincing fake website that prompts users to “verify” their account to view the image.
Once on the fraudulent site, users are asked to enter their phone number. This triggers WhatsApp’s real login process on the attacker’s end, causing an authentic verification code to be sent directly to the victim’s phone. The fake site then asks the user to input that code. If they comply, the attacker captures the code and uses it to complete WhatsApp’s device-linking process, granting full access to the account without needing a password.
With access secured, attackers can read past conversations, monitor new incoming messages, and send messages to contacts while posing as the victim. This allows the scam to spread further, as compromised accounts are used to target additional users in the same way. Unlike traditional phishing attacks that focus on stealing passwords, GhostPairing adapts to WhatsApp’s login mechanics, making it harder for users to recognize what’s happening.
Despite its sophistication, the campaign shows familiar warning signs. Legitimate Facebook content would never require WhatsApp login verification, and users should be wary of unexpected links — even when they appear to come from trusted contacts. Security experts recommend ignoring such messages, verifying suspicious claims through another communication channel, and never sharing login codes unless the site has been confirmed as official.
Users concerned about potential compromise can check active connections by navigating to Settings > Linked Devices in WhatsApp. Similar checks are available across major platforms such as Google, Apple, Microsoft, and Meta services, and reviewing them periodically is considered a simple but effective security habit.
