The WhatsApp Code Scam That's Hijacking Indonesian Accounts by the Thousands — And Why It Almost Always Works
Indonesia's IASC received 432,637 fraud reports tied to WhatsApp between November 2024 and January 2026, with combined losses of Rp 9.1 trillion. Most of those started with a single six-digit code. Here is exactly how the takeover works, why your friends keep falling for it, and what actually stops it.

WhatsApp OTP Scam in Indonesia: How Account Takeover Works and How to Stop It
If you use WhatsApp in Indonesia, you have probably seen this kind of message before.
“Maaf, saya salah kirim kode. Tolong forward kode yang barusan masuk ke nomor saya.” (“Sorry, I sent a code by mistake. Please forward the code that just arrived to my number.”)
A few seconds earlier, WhatsApp sent a real six-digit code to your phone. The person texting you sounds polite, rushed, embarrassed, or maybe even familiar. They are not asking for your password. They are not sending a strange APK file. They just want you to “help” by forwarding a code.
That is why this scam works.
The code is real. The WhatsApp message is real. The scam is the story around it.
If you forward that code, the attacker can register your WhatsApp number on their device. In many cases, you get logged out almost immediately. After that, your account becomes a tool for the next scam: asking your contacts for money, sending fake emergency messages, or tricking more people into forwarding their own OTP codes.
This is not a “stupid people fall for scams” problem. I have seen careful people almost fall for this. People who use password managers. People who know what phishing is. People who usually warn their parents about scams.
The real trick is not technical. It is social pressure mixed with bad timing.
Why this scam is such a problem in Indonesia
WhatsApp is not just a chat app here. For many Indonesians, it is the default place for family groups, office coordination, school announcements, seller-buyer chats, courier updates, community groups, and even small business orders.
That makes a stolen WhatsApp account valuable.
According to public reporting that cites Indonesia Anti-Scam Centre data, IASC received hundreds of thousands of fraud reports between late 2024 and early 2026, with reported losses reaching trillions of rupiah. OJK-related reporting has also discussed thousands of account takeover complaints and large-scale blocking of bank accounts linked to scam activity.
The exact numbers will keep changing, but the pattern is clear: WhatsApp remains one of the easiest channels for scammers to abuse because trust is already built into the contact list.
When a random number asks for money, most people ignore it.
When your cousin, your boss, your old school friend, or your parent’s WhatsApp account asks for help, people pause. And that pause is where the scammer gets in.
How the WhatsApp OTP takeover usually works
The attacker starts by opening WhatsApp on their own phone and entering your phone number.
That triggers WhatsApp’s normal registration process. WhatsApp sends a six-digit verification code to your number by SMS or in-app notification.
At this point, nothing on your phone has been hacked.
No malware is needed. No SIM swap is needed. No password leak is needed. The attacker is simply abusing the normal login flow.
Then they message you with a story.
Common versions in Indonesia include:
- “Sorry, I accidentally sent my code to your number.”
- “This is for a customer order, can you send the code back?”
- “My phone is broken, please help me receive the code.”
- “This is from a minimarket/game voucher/customer service process.”
- “I’m your friend/family member, please forward the code quickly.”
The message usually creates urgency. They do not want you to think. They want you to react.
If you send the code, the attacker enters it on their WhatsApp registration screen. WhatsApp treats that as proof that they control the number. Your session may be logged out, and the attacker gets access to your account.
If you had WhatsApp two-step verification enabled, the attacker still needs your six-digit PIN. If you did not enable it, the takeover is much easier.
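The flow described in this section, as an added example that is not part of the original article and not WhatsApp's real protocol or code: a simplified model of phone-number registration. The class, function, device names and the phone number are all hypothetical. It shows why a forwarded SMS code is enough on its own, and how a two-step PIN changes the outcome.

```python
import hmac
import secrets


class RegistrationModel:
    """Toy model of SMS-code registration (assumption, not WhatsApp's implementation)."""

    def __init__(self):
        self.pending = {}  # number -> outstanding six-digit SMS code
        self.owner = {}    # number -> device that currently holds the session
        self.pins = {}     # number -> two-step verification PIN, if enabled

    def request_code(self, number):
        # Anyone who types the number can trigger this. The code is delivered
        # to the SIM holder, which is why the scam needs the victim to forward it.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        return code  # the return value stands in for SMS delivery

    def enable_two_step(self, number, device, pin):
        if self.owner.get(number) != device:
            raise PermissionError("only the registered device can set a PIN")
        self.pins[number] = pin

    def register(self, number, device, code, pin=None):
        expected = self.pending.get(number)
        if expected is None or not hmac.compare_digest(expected, code):
            return "rejected: wrong or missing SMS code"
        stored = self.pins.get(number)
        if stored is not None and (pin is None or not hmac.compare_digest(stored, pin)):
            return "rejected: two-step PIN required"
        del self.pending[number]     # codes are single use
        self.owner[number] = device  # the previous device is logged out
        return "registered"


def simulate(victim_enabled_two_step):
    number = "+62-000-0000-0000"  # constructed placeholder number
    model = RegistrationModel()
    model.register(number, "victim-phone", model.request_code(number))
    if victim_enabled_two_step:
        model.enable_two_step(number, "victim-phone", "804193")  # constructed PIN
    # A second device requests a code; the victim forwards the SMS that arrives.
    forwarded = model.request_code(number)
    result = model.register(number, "attacker-phone", forwarded)
    return result, model.owner[number]
```

Without the PIN the forwarded code moves the session to the other device; with it, registration is rejected and the original device stays the owner.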
What happens after your account is taken
The first goal is usually not to read your old gossip. The attacker wants to make money before you recover the account.
The scam normally moves fast.
1. They message your contacts
Your hijacked account is used to message people who already trust you.
The attacker may send the same OTP trick to your contacts:
“Maaf, saya salah kirim kode. Tolong kirim balik ya.” (“Sorry, I sent a code by mistake. Please send it back.”)
This works better than cold scam messages because the message comes from your name, your photo, and your real number.
2. They ask for emergency money
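This is the classic “pinjam dulu” (“let me borrow first”) scam.
The attacker sends something like:
“Mas, bisa transfer dulu? Lagi urgent. Nanti saya ganti.” (“Bro, can you transfer some money first? It's urgent. I'll pay you back later.”)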
In Indonesia, people often help family, coworkers, and friends quickly. That is a good social habit. Scammers abuse it.
They may ask for small amounts first because small amounts feel believable. Once one person pays, they move to the next.
3. They collect useful personal data
A WhatsApp account can contain more than chat.
It may include:
- bank receipt screenshots
- KTP photos
- family information
- business chats
- customer details
- voice notes
- delivery addresses
- group chat history
- private photos or documents
Even if the attacker only controls the account for a short time, they can copy enough information to use in later scams.
The newer version: no OTP forwarding needed
There is another version of this scam that is even sneakier.
Instead of asking for your OTP, the attacker tricks you into linking their device to your WhatsApp account.
This abuses WhatsApp’s linked devices feature, the same feature used for WhatsApp Web or desktop login.
The message might say:
- “I found your photo online.”
- “Is this you in this video?”
- “Your photo is being shared here.”
- “Please check this link.”
The victim clicks a link and is pushed into a fake verification flow. In some versions, they are tricked into scanning a QR code or approving a linked device process.
If they approve it, the attacker may be able to read messages from a linked session without fully taking over the account. That means the victim might not notice right away.
This is why “never share your OTP” is important, but not enough.
You also need to check your linked devices.
The three defenses that actually matter
There are many small tips people share about WhatsApp safety, but these three are the big ones.
1. Turn on two-step verification
Open WhatsApp and go to:
Settings → Account → Two-step verification → Enable
Set a six-digit PIN and add a recovery email.
This PIN is different from the SMS OTP. The SMS code proves access to your phone number. The two-step verification PIN adds a second lock when someone tries to register your WhatsApp number on a new device.
If a scammer gets your OTP but does not know your PIN, the takeover becomes much harder.
Do not use an obvious PIN like:
- 123456
- your birthday
- your phone number
- repeated numbers
- your house number
Use something you can remember but other people cannot guess.
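One way to check a candidate PIN against the list above, as an added example that is not from the original article or from WhatsApp. The function name, the reason strings, and the sample birthday, phone number and house number used to exercise it are constructed for illustration.

```python
import re
from datetime import date


def weak_pin_reasons(pin, birthday=None, phone=None, house_number=None):
    """Return the reasons a six-digit PIN is guessable; an empty list means no rule fired."""
    if not re.fullmatch(r"\d{6}", pin):
        raise ValueError("PIN must be exactly six digits")
    reasons = []

    # Straight runs up or down, including wrap-around: 123456, 890123, 654321.
    digits = [int(c) for c in pin]
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {9}):
        reasons.append("sequential digits")

    # One short block repeated to fill six digits: 111111, 121212, 123123.
    if any(pin == pin[:n] * (6 // n) for n in (1, 2, 3)):
        reasons.append("repeated numbers")

    # Common six-digit spellings of a date of birth.
    if birthday is not None:
        d, m = f"{birthday.day:02d}", f"{birthday.month:02d}"
        y4 = f"{birthday.year:04d}"
        y2 = y4[2:]
        if pin in {d + m + y2, m + d + y2, y2 + m + d, y4 + m, m + y4}:
            reasons.append("matches your birthday")

    # Any six consecutive digits of the phone number, such as the last six.
    if phone is not None and pin in re.sub(r"\D", "", phone):
        reasons.append("part of your phone number")

    # The house number padded with leading zeros.
    if house_number is not None:
        hn = re.sub(r"\D", "", str(house_number))
        if hn and pin == hn.zfill(6):
            reasons.append("your house number")

    return reasons
```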
2. Check linked devices
Open WhatsApp and go to:
Settings → Linked devices
Look at the list.
If you see a device you do not recognize, log it out.
I like checking this once a month. It takes less than a minute. It is also the best way to catch the linked-device version of the scam.
If you ever clicked a weird “photo” or “video” link and then felt something was off, check linked devices immediately.
3. Never forward any OTP to anyone
This rule is simple:
Kode OTP tidak pernah perlu di-forward ke siapa pun. (An OTP code never needs to be forwarded to anyone.)
No friend, cashier, courier, bank staff, customer service agent, family member, or WhatsApp employee needs the OTP that arrived on your phone.
The only normal use of an OTP is for you to type it into the app or website that you personally opened.
If someone asks you to forward, screenshot, read aloud, or copy a six-digit code, treat that request as the scam.
Even if the message comes from someone you know.
Especially if the message comes from someone you know.
What to do if your WhatsApp was already taken
Move quickly. The first few hours matter.
Step 1: Re-register your number
Open WhatsApp on your own phone and register your number again.
WhatsApp will send a new verification code. Enter it.
If successful, this should log the attacker out.
If you had two-step verification enabled, you will need your PIN. If you did not, WhatsApp may make recovery slower depending on the situation.
Step 2: Warn your contacts from another channel
Use Instagram, Facebook, Telegram, SMS, phone calls, or another family group to tell people:
My WhatsApp was compromised. Do not send money, do not forward OTP codes, and ignore messages from my WhatsApp number from the last 24 hours.
Keep it short. People need to understand the warning fast.
Step 3: Check linked devices
After you recover access, go to:
Settings → Linked devices
Log out anything you do not recognize.
Step 4: Enable two-step verification
Do this immediately after recovery.
Settings → Account → Two-step verification → Enable
Step 5: Report the scam
If money was involved, report it quickly.
For Indonesia, you can report financial scams through the Indonesia Anti-Scam Centre.
You should also contact your bank or payment provider as soon as possible if a transfer happened.
A simple family rule that works
If you want one sentence to teach your parents, kids, coworkers, or family group, use this:
Kode OTP tidak pernah perlu dikirim ke siapa pun. (An OTP code never needs to be sent to anyone.)
That one rule stops a lot of WhatsApp takeover attempts.
You do not need to make your family paranoid. You just need to give them a rule that is easy to remember when someone is rushing them.
Scammers win when people feel pressured.
Slow down. Do not forward the code. Check linked devices. Turn on two-step verification.
That is the whole playbook.
Quick checklist
Use this checklist today:
- Turn on WhatsApp two-step verification
- Add a recovery email
- Check WhatsApp linked devices
- Log out unknown linked devices
- Tell family members not to forward OTP codes
- Warn your contacts if your account was taken
- Report financial scam cases through IASC or your bank
Sources and Further Reading
- Indonesia Anti-Scam Centre
- Otoritas Jasa Keuangan
- UGM: Digital scam tactics via WhatsApp grow more sophisticated
- Tempo: OJK receives 2,688 account takeover fraud complaints
- Avast: WhatsApp takeover scam that does not need your password
- WhatsApp Help Center: About registration and two-step verification

Written by Adhen Prasetiyo
Adhen Prasetiyo is an independent security researcher and the editor of BioProfileMe. He writes about cybersecurity, online scams, privacy risks, account security, and practical digital safety for everyday users.





