Technology is advancing by leaps and bounds, and unfortunately, so is the sophistication of cybercriminals. Today, accessing personal and financial information no longer requires a super-talented hacker, but simply a small oversight on your part. A simple word or a six-digit code can be the key that opens your digital life to large-scale theft.

The growing sophistication of phone and digital scams has transformed the way cybercriminals access personal and financial information, using techniques that turn a simple oversight into the gateway to large-scale theft.

For the average user, staying safe means stopping viewing frauds as something distant and understanding the two major golden rules of current cybersecurity. According to experts and help centers like the National Cybersecurity Institute of Spain (INCIBE) and WhatsApp, two elements have become the main targets of attackers: the word “yes” and the verification code of the popular messaging application.

si suplantacion eng

Why Saying "Yes" on a Call Can Be a Risk

The first major danger is called vishing, a variant of telephone fraud that exploits social engineering to manipulate you. Social engineering is the science of deceiving people into handing over their information, and fraudsters are masters at it.

Attackers often call from unknown numbers (or sometimes numbers that appear to be from your bank or a service company), adapting their speech to create an atmosphere of urgency or confusion. Their main goal is simple: to get you to say the word "yes."

The Vishing Strategy

Criminals seek an affirmative answer during the call. In most cases, the conversation starts with seemingly innocuous questions or ones that seek a simple validation:

  • “Are you the account holder?”
  • “Can you confirm that you received the notification?”
  • “Are you authorizing a transaction at this time?”

No matter how harmless the question seems, if you answer with a "yes," the cybercriminals have what they wanted. INCIBE has warned that a simple answer with the word “yes” can be recorded and subsequently used to validate transactions without the owner's consent.

This recording allows attackers to simulate biometric or verbal authorizations to banks or online services. If you have services configured to accept a verbal confirmation, that recording of your voice saying "yes" can facilitate identity theft and the execution of unauthorized movements in your account. The worst part is that the victim only becomes aware of the fraud upon receiving unusual notifications or checking their bank account and detecting unknown transactions.

Therefore, the golden rule in any suspicious call is never to answer with a "yes." Use alternative phrases like "I understand," "I confirm it," or simply demand that they send you the information in writing through an official channel.

The Six-Digit Secret: Be Careful with the WhatsApp Verification Code

The other major danger identified by experts is directly related to your digital identity on the world's most used messaging application: the WhatsApp verification code.

When an attempt is made to register your phone number on a new device, the platform automatically sends you a six-digit code via SMS. This code is, literally, the access key to your account.

si suplantacion2

Why Do They Want It? Account Hijacking

Fraudsters will try to trick you with urgent or dramatic stories, such as that your account has been suspended, that they are verifying a supposed purchase, or that they need the code to resolve a problem you haven't caused. If the user, deceived by an attacker, shares that code, control of the account passes into the hands of the fraudster in seconds. This is account hijacking.

Once inside your account, the fraudster:

  • You immediately lose access to your WhatsApp.
  • Gains access to your contacts, messages, and groups.
  • Uses your digital identity to commit new scams, asking your closest contacts for money, creating a chain of fraud that involves you.

The WhatsApp help center is emphatic: “This code must never be shared under any circumstances.” If someone asks for it, claiming it is necessary to verify identity or solve a problem—arguing they are your child, your bank, a WhatsApp technician, or even a friend—it is an attempt at fraud. The application will never ask you for that code over the phone or by message.

Common Factors in Both Types of Fraud: Social Engineering

Both vishing (the recorded "yes") and WhatsApp account hijacking exploit the same weakness: trust and emotional manipulation.

Cybercriminals spend time investigating a little about you (perhaps using leaked data or public information), refer to recent transactions, or ask tricky questions to induce responses or actions. They take advantage of:

  • Urgency: They tell you that you have only "five minutes" to act or that your account will be blocked.
  • Authority: They impersonate the bank, the police, or a government entity.
  • Empathy: They use the identity of a loved one who is in trouble (usually in the case of WhatsApp hijacking).

Remember: without the verification code, no one can appropriate your WhatsApp account, which highlights the importance of keeping it secret even from people you know. Furthermore, banks and legitimate companies will never ask you for full passwords or one-time codes over the phone.

What to Do if You Receive a Suspicious Call or Message

The detection of these frauds usually occurs when unusual bank movements or difficulties accessing online services are observed. For this reason, an early reaction to any suspicion is fundamental.

Immediate Security Guidelines:

  1. Hang Up Immediately: If the call is unusual, the caller insists, or the situation generates anxiety, the safest thing to do is hang up immediately.
  2. Never Trust Caller ID: Numbers can be faked (identity theft or spoofing). Just because your bank's name appears does not mean it is your bank.
  3. Verify Through Official Channels: If someone from a bank calls you about a supposed emergency, hang up and call them directly at the customer service line that appears on your card or official website. Do not return the call to the number that called you.
  4. Protect the "Yes": In unsolicited calls, avoid answering with the word "yes" and do not confirm your identity.
  5. The Code is Sacred: Never, under any circumstances, share the six-digit WhatsApp code with anyone.

Constant monitoring and direct communication with financial service providers at the slightest suspicion constitute essential measures to reduce the impact of these digital scams. The best defense against social engineering is intelligent digital distrust.