Phishing via WhatsApp under the guise of online voting

“Hi! My niece is in a contest! Can you vote for her? It means the world to her”. Messages like this are common on WhatsApp — both in groups and private chats. Many people who aren’t security-savvy will, without a second thought, click to help someone they don’t actually know — and end up losing their account. In a recent investigation we found a new phishing campaign that has already hit WhatsApp users worldwide.

Today we’ll explain how the attack works, the potential consequences for victims, and how to avoid falling for it.

How the attack works

Cybercriminals first prepare for the attack by creating convincing phishing pages purportedly hosting legitimate voting polls — in the example below for young gymnasts, though the scenario can be easily changed. The pages look genuine: they include photos of real participants, Vote buttons and counters showing how many people have voted. Likely using AI and phishing-kits, the attackers easily produce multiple language versions of the same site — we found the identical poll in English, Spanish, German, Turkish, Danish, Bulgarian, and other languages.

Stage One: The Hook. On social networks, in messengers, or by email, the scammers use social engineering to direct you to a fake voting site. The pretext can be very believable, and the message may come from a friend or relative whose account has already been compromised. The request is usually personalized — in the first message the fraudster posing as your acquaintance asks you to vote for a certain contestant because they’re their charge, friend or relative.

First you’re lured to a fake voting page

Stage Two: The Trap. When you click Vote, you’re taken to a page that asks you to quickly authenticate via WhatsApp. All you need do is enter the phone number linked to your messenger.

Next they ask for your phone number associated with WhatsApp. The scammers even pretend to care about your data and “your valuable time”

Stage Three: The Heist. The attackers exploit the one-time code login feature in WhatsApp Web. They enter the phone number you provided, and WhatsApp generates an eight-character single-use verification code. The attackers immediately display that code on the fake site with instructions: open WhatsApp, go to “Connected devices” (never mind that it’s actually “Linked devices” in WhatsApp), and enter the code. For convenience, there’s even a button to copy the code to the clipboard.

For “fast and easy authorization” (read: WhatsApp account takeover) you only need enter the code shown on the site

At the same time, WhatsApp on your phone shows a prompt to link a new device by entering the code. Clicking that opens a warning that someone is trying to connect to your account, and a field to enter the code.

Unfortunately, in their uncontrollable desire to help a complete stranger in the contest, many users don’t carefully read WhatsApp’s warning. They think, “Someone wants to link to my account? That’s so I can vote — looks fine to me” When the careless victim types the code into the app on their phone, the web session initiated by the attackers is activated.

WhatsApp warns you that someone is trying to link to your account, but many users don’t read the warning, and enter the verification code anyway

If you enter that code, the attackers gain full access to your WhatsApp, as if you had logged in yourself — for example, from a computer alongside your phone. The attackers can view all your contacts, read conversations, send and delete messages in your name, and even take full control of the account. That opens up further possibilities for fraud: somehow extracting money from your contacts using your identity, or using your account to spread the same phishing link that trapped you.

What to do if you think you’ve been hacked

If you suspect you’ve fallen for the scam and given attackers access to your WhatsApp account, the first thing to do is open the WhatsApp settings on your smartphone and go to Linked devices. There you’ll see all devices currently logged into your account. If you notice any unfamiliar devices or browsers, click on them to disconnect them from your account. Do this quickly — before the criminals can fully take over your account.

We’ve prepared a detailed guide for such cases: it explains eight signs your WhatsApp account may be hacked, and provides step-by-step instructions on how to regain access even in difficult situations. We also have a similar guide for Telegram users.

How to prevent your WhatsApp account from being hacked

• Never take part in dubious contests or votes — especially if they require messenger authentication. Legitimate polls don’t ask for access to your personal accounts.
• Don’t click suspicious links in messages — even if they seem to come from friends or relatives. Their accounts may have been hacked.
• Never enter personal data on unfamiliar websites — especially those reached via messages or social media links. Always check the URL carefully.
• Don’t ignore browser warnings about unsafe sites, and use Kaspersky Premium on all your devices (both smartphones and computers). Our protection scans links and webpages, blocks phishing and malicious resources, and works in all popular mobile and desktop browsers.
• Enable two-factor verification in your WhatsApp settings. This makes a six-digit PIN code necessary to log in on a new device, making attackers’ job harder even if your number is compromised. However, this doesn’t protect against the attack described above — the one-time code shown to you is, in WhatsApp’s view, already the “second factor”. That’s why the PIN isn’t requested during this login method.
• Use passkeys instead of traditional passwords wherever possible. WhatsApp already supports passkeys for account verification.
• Protect mobile devices from phishing — these are the main targets of messenger attacks. Three-level protection technology detects malicious links and blocks dangerous websites. At the first level, Notification Protection detects and automatically removes malicious links from app notifications, leaving only safe text. Next, Safe Messaging blocks harmful links in SMSs and messenger messages (WhatsApp, Viber, Telegram) before the user clicks them. Finally, Safe Browsing blocks malicious URLs in popular mobile browsers.
• Configure privacy and security on both your smartphone and computer with Privacy Checker — Kaspersky’s free service that gives detailed guides for privacy settings in many popular apps, services, and operating systems.
• Set up WhatsApp and Telegram accounts for maximum protection against hijacking using our step-by-step guide.
• Regularly check the list of connected devices in messengers’ settings. Both WhatsApp and Telegram have sections showing all active sessions, and you can disconnect suspicious ones. In Telegram, you can even enable automatic termination of inactive sessions.
• Only use official versions of messengers downloaded from official app stores (such as Google Play, App Store, or Galaxy Store). Modified versions can contain malware.
• Be extra cautious with desktop versions of messengers — especially on work computers.

How else do attackers target messengers, and how to counter them?

• How to protect WhatsApp and Telegram against hijacking in 2025
• Telegram scams with bots, gifts, and crypto
• Is it the boss — or is it a fraudster? Scams disguised as urgent orders from top brass
• Spyware messengers on Google Play
• What makes a messaging app secure?