'Ghost pairing' - how hackers gain control of your WhatsApp

You never open links sent to you by strangers? Good. But cybersecurity experts say you also need to be sceptical if you receive a WhatsApp message from a friend or relative with a link meant to make you curious and tap on it.

That's because there's an increasing risk that the message may not actually be from who you think it is, but from hackers who have gained access to the person's WhatsApp account and now want to break into yours too.

Alarm bells should be ringing if you click on the link and are taken to a website where you are asked to confirm your identity with your phone number, say specialists at Germany's BSI authority for IT security.

In a phishing scheme known as "ghost pairing", you can expect to see a website that closely imitates social media platforms such as Facebook or Instagram and asks for your mobile number. Enter it in, and you will enable the attackers to use your number to start WhatsApp's "Link a device via phone number" function.

WhatsApp then sends an eight-digit pairing code by SMS. Anyone who enters this code on the phishing page, thereby passing it on to the attackers, enables them to remotely pair a device with their own account and access all messages, media and contacts.

WhatsApp advises users to check regularly which devices are linked to their account. This is easy to do in WhatsApp's settings under "Linked devices", where devices can be logged out at any time. Linked devices are only logged out automatically if they have been inactive for 30 days, according to WhatsApp.