What Is a Ghost Pairing Attack?
A ghost pairing attack is a social-engineering scam where criminals trick you into linking your WhatsApp account to their device, letting them read your messages and capture two-factor authentication codes without physical access to your phone. The attack abuses a legitimate feature: linked devices. Instead of pairing your own laptop or tablet, you unknowingly approve a link to a stranger’s computer or phone. Because WhatsApp uses end-to-end encryption, the app assumes every linked device is trusted once you approve it. That means the attacker’s device receives the same encrypted chats and codes as yours, turning your own account into a tool for further scams. Worse, the attacker can stay invisible for a long time, quietly watching conversations and waiting for high-value codes, logins, or personal information.

How Scammers Hijack Linked Devices
Ghost pairing starts with a message that appears to be from someone you know, asking for a favor like “please vote for my kid” or “check this photo.” The link leads to a fake page that looks like a social site or login portal and asks you to log in or verify your device. When you follow those prompts, you effectively approve a new linked device on WhatsApp that belongs to the scammer, not you. Their device then downloads your account and starts receiving your chats in near real time. According to security expert Stephen Kho at Avast, over 90 percent of scams like this rely on social engineering, not technical hacking, which makes them hard to notice in the moment. Because WhatsApp pairing is a real feature, it is your own actions that grant the attacker access.
Why Ghost Pairing Bypasses WhatsApp Security
End-to-end encryption protects WhatsApp contents from outsiders, but ghost pairing sidesteps that protection by sneaking in as an insider. Once a device is paired, WhatsApp treats it as yours, so the app securely delivers messages and two-factor codes to the attacker as if they were you. There is no malware, no password cracking, and no need to steal your phone. Instead, the hijack works because you approve a link you think is harmless. Since the attacker is using a legitimate feature, security alerts are limited, and your chats still show as encrypted. This is what makes the threat dangerous: everything looks normal on your screen, while in the background another device mirrors your account. The longer that ghost device stays linked, the more messages and sensitive codes it can intercept.
Practical Steps to Protect Your WhatsApp Account
You can reduce your risk of ghost pairing with a few habits. First, treat links in WhatsApp with suspicion, even from friends. Look closely at the URL and avoid pages with strange spellings or extra letters, such as fake domains that slightly change the app name. If a message “doesn’t sound like” your contact, confirm by SMS or a phone call before you click. Next, enable two-factor authentication inside WhatsApp’s settings and set a strong PIN, so attackers can’t easily take over your account. Regularly review the “Linked Devices” list and remove any device you don’t recognise. This cuts off ghost devices and stops ongoing interception. Finally, remind family and friends about these checks, because compromised contacts are often used as lures for new victims.
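The URL check described above can be automated for links pasted from a chat. The following is an added example, not code from WhatsApp or from the original article; the list of genuine domains, the distance threshold and all sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch: the brand label and the genuine domains.
BRAND = "whatsapp"
OFFICIAL_DOMAINS = ("whatsapp.com", "wa.me")
MAX_TYPO_DISTANCE = 2  # hypothetical threshold for "slightly changed" names


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a link's host."""
    if "://" not in url:
        url = "https://" + url  # messages often omit the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Check every host label, plus any "user@" prefix used to fake the host.
    labels = host.split(".") + (parts.username or "").lower().split(".")
    for label in labels:
        if BRAND in label:  # brand embedded in someone else's domain
            return "lookalike"
        if edit_distance(label, BRAND) <= MAX_TYPO_DISTANCE:  # typo or extra letter
            return "lookalike"
    return "unrelated"


# Constructed sample links (reserved .example TLD), not taken from real campaigns.
SAMPLES = [
    "https://web.whatsapp.com/",
    "https://whatsaap.example/vote",
    "whatsapp.com.verify-device.example/login",
    "https://whatsapp.com@photos.example/",
    "https://photos.example/album",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```

A result of "unrelated" only means the host does not imitate the app name; the fake page can sit on any domain, so the habit of confirming with the sender still applies.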
How WhatsApp’s Scam Alert Can Help
WhatsApp is working on a Scam Alert feature that adds another layer of protection against ghost pairing and similar tricks. Scam Alert analyses messages from unknown contacts on your device to spot patterns that look like scams, without sending your chats to external servers. Your conversations stay private and end-to-end encrypted, and no one who messages you can see that you are using Scam Alert. When a suspicious message is detected, WhatsApp will not block it automatically; instead, it will flag the message and give you options to block the sender or trust them. This keeps you in control while adding an early warning system for shady requests, phishing links, or pairing prompts. Scam Alert will be disabled by default, so you will need to turn it on in settings once it becomes widely available.







