According to Zuk, the hacker can select an option stating that their pin code never arrived, which would then prompt WhatsApp to call you to relay the code instead. The problem arises if you allow the call to go to voicemail, as the app’s automated system will share that information there.
The attacker would then attempt to get into your voicemail system using its default pin code, which might be the last four digits of your phone number, depending on your carrier. If you didn’t set up two-factor authorization, they would then do so in an attempt to keep you locked out, at least until you can work through the breach with WhatsApp directly (a process that isn’t always immediate).
It’s an approach that’s so deceptively simple that many of us wouldn’t second guess reinforcing against it, especially considering the growing legion of those who have banished the use of voicemail from their lives in favor of texting and social media. Thankfully, there are some easy precautions against this sort of attack, and we’ll walk you through them.