WhatsApp GhostPairing Attack — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team · Updated May 28, 2026

Severity: CRITICAL | View Full Scam Details

Beware of the WhatsApp GhostPairing Attack in India 2026: A Critical Phishing Scam

The WhatsApp GhostPairing Attack is emerging as a critical threat to millions of users in India, risking their chat privacy and financial security.

What Is the WhatsApp GhostPairing Attack?

The WhatsApp GhostPairing Attack is a sophisticated phishing scam targeting WhatsApp users across India. In this scam, fraudsters send messages or links masquerading as official communications from WhatsApp or trusted contacts. These links often claim urgent account verification or security upgrades related to popular Indian services such as Aadhaar authentication or UPI transactions.

Once a victim clicks the malicious link, the scammer manipulates the WhatsApp Web “pairing” process without the user’s knowledge — a technique called “ghost pairing.” This unauthorized linking connects the user’s WhatsApp account to the scammer’s device. As a result, the attacker can read all messages, send messages impersonating the user, and potentially extract sensitive information.

According to reports made to Indian cybercrime authorities such as CERT-In and the Indian Cyber Crime Coordination Centre (I4C), this phishing method is becoming increasingly widespread, targeting users in metropolitan hubs and smaller towns alike. The Reserve Bank of India (RBI) has also highlighted risks associated with WhatsApp account hijacking, which can lead to fraudulent UPI transactions and financial loss.

How This Scam Works — Step by Step

1. Initial Contact: The victim receives a WhatsApp message or SMS appearing to come from WhatsApp support, Facebook, or even a trusted contact. The message prompts urgent action, such as "Verify your account now" or "Upgrade security to protect your UPI payments."

2. Malicious Link: The message includes a link that leads to a fake but convincing website that mimics WhatsApp’s interface or an official verification page.

3. Phone Number Request: The victim is asked to enter their mobile number to start "verification," often framed as Aadhaar KYC or UPI app security enhancement.

4. OTP Prompt: The scammer triggers a WhatsApp Web pairing request. The victim receives a legitimate six-digit WhatsApp Web OTP (linking code) on their device.

5. Deception and Entry: The malicious site tricks the victim into entering this OTP to "complete verification." In reality, this OTP pairs the victim’s WhatsApp account to the scammer’s browser or device.

6. Ghost Pairing Established: Without the victim’s knowledge, the scammer gains full access to read and send messages, including OTPs for banking apps, UPI PIN reset codes, and Aadhaar-related messages.

7. Financial Theft: Using this access, fraudsters may initiate fraudulent UPI transactions or social engineering attacks targeting the victim’s contacts, multiplying the scam's damage.

Real Warning Signs to Watch For

• Unexpected WhatsApp messages claiming urgent account verification or security upgrades.
• Links that look suspicious or deviate from official WhatsApp URLs.
• Messages asking to enter OTPs (especially the six-digit WhatsApp Web code) on any third-party website.
• Requests for personal details like Aadhaar number or bank information through WhatsApp.
• Messages that appear to come from your contacts but have unusual wording or links.
• Notifications that your WhatsApp Web session is active on an unknown device.
• Receiving OTPs you did not request, especially related to WhatsApp or banking apps.

What Happens to Victims

Victims of the WhatsApp GhostPairing Attack can suffer significant financial loss. Since scammers can read messages and OTPs, they may misuse UPI apps like Google Pay, PhonePe, or Paytm to transfer money out of victims’ accounts. In India’s digital ecosystem, where UPI transactions are instantaneous and generally irreversible, victims often face difficulty recovering stolen funds.

Additionally, the emotional impact includes loss of privacy, betrayal of trust (when the scammer impersonates the victim’s contacts), and the stress of dealing with identity misuse involving Aadhaar or bank details. Victims may also encounter SIM swap fraud attempts following such intrusions, magnifying the damage.

What RBI and CERT-In Say

The Reserve Bank of India (RBI) has issued warnings emphasizing that WhatsApp account compromises can lead to financial fraud, especially through UPI transactions. RBI advises users never to share OTPs or verification codes with anyone, even if requested under urgent pretexts.

CERT-In and the Indian Cyber Crime Coordination Centre (I4C) consistently caution users against clicking unknown links and encourage reporting suspicious activities via the 1930 cybercrime helpline. These agencies underline the importance of using official apps and websites for sensitive transactions and urge vigilance against phishing links sent over popular messaging services.

How to Protect Yourself

1. Never Share OTPs: Do not share the six-digit WhatsApp Web verification code or any OTP with anyone — not even family or friends.

2. Avoid Clicking Unknown Links: Ignore or delete messages containing links claiming urgent WhatsApp verification or Aadhaar/UPI-related security checks.

3. Check WhatsApp Web Sessions: Regularly monitor active WhatsApp Web sessions through WhatsApp Settings > Linked Devices and log out of any unfamiliar devices.

4. Use Two-Step Verification: Enable WhatsApp’s two-step verification PIN for an extra layer of account security.

5. Verify Messages with BharatSecure.app: Confirm suspicious messages or links using BharatSecure.app’s verification tool.

6. Update Apps Regularly: Keep WhatsApp and other apps updated to benefit from the latest security patches.

7. Report Immediately: If you suspect ghost pairing or account compromise, report the incident promptly to cybercrime authorities via the 1930 helpline and file a complaint on cybercrime.gov.in.

What to Do If You've Been Targeted

If you believe your WhatsApp account has been ghost paired or compromised:

• Immediately log out all linked devices from WhatsApp Settings > Linked Devices.

• Change your WhatsApp two-step verification PIN and phone lock password.

• Contact your bank to freeze or monitor your linked UPI accounts for unauthorized transactions.

• File a cybercrime complaint on cybercrime.gov.in and call the 1930 cybercrime helpline to report the incident.

• Notify your mobile service provider to check for SIM swap attempts and secure your mobile number.

• Inform your trusted contacts to beware of suspicious messages appearing to come from your account.

Frequently Asked Questions

Q: Can scammers steal money just by ghost pairing my WhatsApp?
A: While ghost pairing itself does not directly transfer money, scammers can read incoming OTPs and messages related to your UPI app or bank transactions, enabling them to initiate fraudulent payments or reset account credentials.

Q: How do I know if my WhatsApp is ghost paired?
A: You might see notifications that WhatsApp Web is active on unknown devices in your WhatsApp Settings. Also, unexpected message reads or messages sent without your knowledge are red flags.

Q: Can I recover money lost due to this scam?
A: Recovering stolen funds is difficult because UPI transactions are mostly irreversible. However, immediately reporting to your bank, the RBI’s complaint mechanism, and law enforcement increases the chance of limiting damage.

Stay alert and protect your WhatsApp account from ghost pairing attacks by verifying messages at BharatSecure.app and reporting suspicious activity via the 1930 cybercrime helpline.

Disclaimer: This article describes a pattern of fraud reported in public sources for public-safety awareness. It is not legal, financial, or medical advice. To request correction or removal of any content, write to hello@bharatsecure.app.