No Password Needed: How the WhatsApp GhostPairing Scam Targets Australians in 2026

Liam O'Connell, Information Technology
May 20, 2026 (5 min read)

A new WhatsApp account-takeover attack that requires no stolen password has been confirmed targeting Australians in 2026 — and cybersecurity specialists say most users have no idea it is happening until it is too late. The scam, dubbed "GhostPairing" by researchers at Avast, exploits WhatsApp's own legitimate device-linking feature to hand criminals full access to your messages, photos and contacts without ever locking you out of your phone.

What Is the GhostPairing WhatsApp Scam?

The attack begins with a message that appears to come from a trusted contact — a friend, family member or colleague. The message typically says something like "Hey, I found a photo of you" and includes a link. When the recipient clicks through, they land on a convincing fake Facebook-style page that asks them to "verify" before viewing the image.

Here is the trap: the page generates a legitimate WhatsApp pairing code and tells the victim to enter it. By doing so, the user unknowingly adds the attacker's browser as a linked device on their account. WhatsApp's multi-device feature, designed for convenience, has been weaponised. The attacker now has a persistent, silent window into every message sent and received — without changing the account password or triggering any obvious alert.

Security researchers confirmed the attack does not rely on broken encryption, SIM-swapping or phishing for credentials. It abuses a real, intended function of the app. That is what makes GhostPairing particularly dangerous: the victim's phone shows no warning, and the account appears completely normal.

Why Australians Are Particularly Exposed

Australia is among the top ten countries globally for WhatsApp adoption among messaging platforms. Millions of Australians use WhatsApp daily for personal banking references, business communications and family coordination — making the data accessible via a compromised account extremely valuable.

According to the ACCC's Scamwatch, Australians reported losing over $3.1 billion to scams in 2025, with social media and messaging platforms accounting for a growing share of contact points. The "GhostPairing" method is especially insidious because it bypasses the password-protection awareness that most digital safety campaigns emphasise. You can have a strong, unique password and two-factor authentication via SMS and still be vulnerable.

Beyond GhostPairing, Australian users are also contending with a surge in WhatsApp job scams in 2026. Fraudsters contact users — often targeting students, new migrants and those recently laid off — with messages from unknown international numbers offering simple online tasks that pay well. Victims are quickly asked to deposit funds to "unlock higher earnings," money they never see again.

The "Hi Mum" or family impersonation scam remains active too. A fraudster poses as a son or daughter claiming their phone is broken and they urgently need cash transferred. According to the Australian Cyber Security Centre, these scams have continued to evolve with more convincing language and longer grooming periods before the money request is made.

The Linked Devices Loophole — and How to Close It

Most Australians have never checked the "Linked Devices" section of their WhatsApp settings. This is precisely where a GhostPairing attacker establishes their foothold. The compromised device appears as a listed linked browser session — often with a generic name like "Chrome on Windows" — that can be months old before the victim notices.

The fix is straightforward but requires forming a new habit:

  • Open WhatsApp → Settings → Linked Devices
  • Review every active session. Note the device name, browser and the date it was linked
  • Tap any unfamiliar session and select "Log out"
  • Repeat this check monthly or whenever you receive an unexpected "verify" prompt online

Enabling WhatsApp's two-step verification PIN (Settings → Account → Two-Step Verification) adds a secondary barrier. While it does not directly block device linking, it complicates the attacker's ability to re-register your number on a new device if they escalate their attack.

What to Do If You Suspect Your Account Has Been Compromised

If you believe your WhatsApp account has been accessed without your consent, act immediately:

  1. Log out all linked devices via Settings → Linked Devices → Log Out All Devices
  2. Report the scam to Scamwatch at scamwatch.gov.au — reports help the ACCC track emerging attack methods and warn others
  3. Notify your contacts — attackers use compromised accounts to send the same phishing message to your entire contact list, perpetuating the chain
  4. Contact your bank if any financial information was shared via WhatsApp conversations now exposed to the attacker
  5. Screenshot the suspicious session before logging it out, in case you need evidence for a police report or insurance claim

If your account is being used to send scam messages to others, you may face awkward social and reputational fallout. An IT security specialist can help you document the intrusion timeline, secure all connected accounts and advise on whether to notify affected contacts formally.

The Role of an IT Specialist After a WhatsApp Breach

Many Australians assume a compromised messaging account is a minor inconvenience. It rarely is. WhatsApp conversations often contain tax file numbers, Medicare details, home addresses, banking references and sensitive family information shared informally over years. A skilled IT specialist will conduct a forensic review of what data was likely exposed during the breach window, prioritise which accounts need immediate password resets, and assess whether the attacker escalated access to linked email or cloud storage accounts.

Cybersecurity professionals can also help businesses. If a compromised WhatsApp account was used for client communications, there may be professional obligations to notify affected parties — depending on the Privacy Act 1988 and the Notifiable Data Breaches scheme. Failing to report an eligible data breach to the Office of the Australian Information Commissioner can result in civil penalties.

Scams on messaging platforms are growing more sophisticated each year. The GhostPairing attack demonstrates that technical literacy alone is no longer sufficient protection. Knowing what the attack looks like, where to check and who to call when something goes wrong is the real defence.

Disclaimer: This article provides general information only and does not constitute legal or professional cybersecurity advice. If you have been targeted by a WhatsApp scam, consult a qualified IT security specialist for guidance specific to your situation.

Australians searching for qualified IT security experts can connect with verified specialists through ExpertZoom to get personalised advice on account security and digital breach response. If you have been targeted by investment fraud linked to messaging platforms, the ASX investment scam guide outlines your financial recovery options.
