Media Statements

Privacy Commissioner’s Office Urges the Public and Organisations
to Guard against WhatsApp Account Hijacking

In the past month, the Office of the Privacy Commissioner for Personal Data (PCPD) received data breach notifications from a total of five social welfare organisations and schools, reporting that their accounts on the instant messaging application WhatsApp used for communication with service users, students and/or parents of students had been hijacked. The fraudsters then impersonated the organisations and used the hijacked WhatsApp account to send messages to the contacts in the address books, attempting to swindle them. The incidents involved the personal data of nearly 900 individuals and the affected data included names and mobile phone numbers of service users, students, parents of students and/or staff members. On the PCPD’s advice, the organisations concerned have notified the affected individuals.

“WhatsApp account hijacking” generally refers to fraudsters impersonating victims’ friends and relatives and sending messages to them requesting them to forward the registration codes of their WhatsApp accounts; or using fake WhatsApp websites to obtain the victims’ telephone numbers and the registration codes of their WhatsApp accounts. The fraudsters then gain access to the victims’ WhatsApp accounts and impersonate the victim to send messages to contacts in the address book of the account for swindling money or personal data.
 
In this regard, the PCPD reminds members of the public and organisations to be cautious of WhatsApp account hijacking. The PCPD recommends the public taking the following measures to protect personal data privacy:

1. Enable two-factor authentication on WhatsApp;
2. Regularly check linked devices in WhatsApp settings and log out any devices that are no longer in use or unknown to the user;
3. Never disclose any passwords or registration codes to others;
4. When searching for the web version of WhatsApp on the internet, be careful with the links and do not click on fake WhatsApp web versions by mistake;
5. Never download and use the WhatsApp application from unofficial sources;
6. Authenticate the identity of the senders first when you receive messages about borrowing or remittance requests or asking for your personal data on WhatsApp; and
7. Be alert when you receive unsolicited or suspicious text messages. Do not click on the links or disclose personal data arbitrarily.

Anyone who suspects that his/her personal data has been leaked may make enquiries or lodge complaints with the PCPD (“Personal Data Fraud Prevention Hotline”: 3423 6611 or email: communications@pcpd.org.hk).
 
For more information about WhatsApp account hijacking, please refer to:

• “Cyberdefender” platform of the Hong Kong Police Force (https://cyberdefender.hk/en-us/whatsapp_scam/)
• The Hong Kong Computer Emergency Response Team Coordination Centre (https://www.hkcert.org/blog/hkcert-alerts-the-public-on-preventive-measures-against-whatsapp-account-theft)
• WhatsApp Help Center (https://faq.whatsapp.com/1131652977717250/?locale=en_US)

－End－