So, how did the scammers use voicemail to hack into WhatsApp?

It was shared in the reports that the scammer uses their own devices and try to log in the victim’s WhatsApp account. They would deliberately fail the verification process by keying in wrong codes. When this verification fails, WhatsApp will prompt the victim to perform a voice verification, where a call will be triggered to the victim’s phone to provide the verification code via audio message.

If the victim’s phone is turned off, or the call is missed, this audio message will be directed to the victim’s voicemail account. The scammer will then access the voicemail account of the victim remotely, by using the default PIN used by the telecoms service providers. This will work only if the victims did not change the default PIN for their voicemail account.

The scammer will then use the code provided via voicemail for verification to take over the victim’s WhatsApp account. Once in control, the scammer can enable a two-step verification (2FA) to prevent the victim from regaining control of this WhatsApp account.

Not only will the scammer gain control of all the sensitive information posted via WhatsApp, he can now prey on the victim’s friends and family members, which in this incident, luring them to believe that the victim is the one promoting the idea of the gold bars.

While this may sound ‘too-good-to-be-true’ to some, most would still give it a second thought, especially when it was sent in by a close friend or a relative. To sound more convincing, the scammers explained that these gold bars were sold cheap as they were seized by the Singapore customs (Immigration and Checkpoints Authority) and were on auction. Counterfeit invoices from the Singapore Customs would be provided to lure the victims to do a payment transfer to a list of bank accounts. Some victims were even told to meet the scammers to collect the gold bars.