Lorraine Williamson
Spain’s cybersecurity institute has warned WhatsApp users about Ghostpairing, a scam that can let criminals link to a victim’s account without immediately locking them out.
The warning from INCIBE, Spain’s National Cybersecurity Institute, matters because this version of WhatsApp theft can be harder to spot than the older verification-code scams. Instead of taking over the account completely at first, the attacker secretly links the victim’s WhatsApp to another device.
Why Ghostpairing is different
Many WhatsApp thefts rely on tricking someone into sharing the six-digit verification code sent by SMS. Once the criminal has that code, they can move the account to another device, and the real owner may lose access.
Ghostpairing works differently. According to INCIBE, the attacker uses social engineering to persuade the victim to open a malicious link and complete a process that links their WhatsApp account to a device controlled by the criminal.
That makes the scam especially dangerous because the victim may still be able to use WhatsApp normally. They may not realise someone else can also read conversations, access files, and send messages from the linked device.
How the scam begins
The attack often starts with a message that looks as though it has come from someone the victim knows.
INCIBE says the message may appear to come from a contact whose account has already been compromised. It can include a tempting phrase such as “is this you in this photo?” or “look at this picture where I tagged you”.
When the victim clicks the link, they are taken to a fake website that imitates a Meta-related service, such as Facebook or Instagram. The page then guides them through steps that result in their WhatsApp account being linked to another device.
This is similar to using WhatsApp Web or the desktop version, except the linked device belongs to the attacker.
What criminals can do
Once the fraudulent device is linked, the attacker may be able to view conversations and files sent through the account.
They can also impersonate the victim by sending messages to friends, family or work contacts. That can help the scam spread quickly, because a message from a trusted person is more likely to be opened.
In some cases, attackers may use the account to ask for money, send malicious links, steal personal information or compromise more accounts.
The victim may not notice immediately, especially if WhatsApp continues working normally on their phone.
How to check if someone is linked to your WhatsApp
The most important step is to check your linked devices.
On WhatsApp, users should go to Settings and then Linked devices. Any device that is not recognised should be removed immediately.
This is worth doing even if nothing seems wrong. A quick check can show whether WhatsApp is linked to a computer, browser or device that does not belong to you.
If you find an unknown device, log it out straight away.
What to do if you clicked a suspicious link
If you think you may have been targeted, the first step is to remove any unknown linked device from WhatsApp.
INCIBE also recommends scanning the device used to open the malicious link with an antivirus tool, in case malware was installed or the device has been exposed to further risk.
You should also warn close contacts not to trust strange messages from your account, especially if they contain links, requests for money or urgent-sounding claims.
Changing passwords on related accounts may also be sensible, particularly if the fake page asked for login details or personal information.
How to reduce the risk
Several simple steps make this type of scam less likely to succeed.
Do not click unexpected links, even if they appear to come from someone you know. Be especially cautious with messages about photos, tags, prizes, urgent problems or verification steps.
Check the web address before entering any information. Fake pages often look convincing, but the address may contain spelling changes, strange domains or extra words.
Keep WhatsApp and your phone’s operating system updated because updates often include security improvements.
It is also worth checking linked devices regularly. This takes only a few seconds and can reveal an attack before it causes more damage.
Why this matters
WhatsApp is one of the most widely used communication tools in Spain, both for personal and professional contact.
That makes it attractive to cybercriminals. A compromised account can be used to reach family groups, community chats, school groups, work contacts, local businesses and clients.
For residents, tourists, self-employed workers and small businesses, the risk is not only losing privacy. It is also reputational. A scam sent from your account can make others trust a link they would otherwise ignore.
A quick safety habit worth building
Ghostpairing shows how cybercriminals adapt when users become more aware of old scams.
Many people now know not to share verification codes. But fewer people check linked devices or realise that someone could be reading messages without fully taking over the account.
The simplest habit is also the most useful: open WhatsApp, check linked devices, and remove anything you do not recognise.
If a message feels odd, rushed or too curious to ignore, pause before tapping. That pause may be what stops a scam from spreading.