Recently, several colleagues (and perhaps even you?) have received WhatsApp messages that read something like “I’m sorry I sent you a 6-digit code by SMS by mistake, can you please pass it on to me? It’s urgent” (see screenshot below), followed by an SMS with a code. Even though the message may be nicely disguised and look as if it comes from a trusted contact, even using comforting emojis (while putting pressure on you with “urgent!”), it can put your digital life on the line: depending on your response, everything could go down the drain…
…because this six-digit number is your account recovery code. It’s usually sent if you have lost access to your WhatsApp account. But this message was fake. It’s social engineering at its best and is sent by an attacker aiming to obtain your recovery code. They do this to take over your WhatsApp account and then send similar malicious messages to your contacts, avalanching their attack. Your digital life could go down the drain* and, eventually, so too could that of your friends.
Don’t fall for it. As with passwords, your six digits are yours and yours only. This is true for WhatsApp codes, Instagram codes, CERN codes, passwords, PINs and the six digits of your two-factor authenticator app or token. None of these digits should be shared. Ever. Not with your colleagues; not with your supervisor; not with the Service Desk; not with the Computer Security team (we have procedures in place to recover access to your CERN account if need be); not with anybody. Your password/PIN is yours and yours only. Sharing your six digits could negatively impact your private life (some colleagues who fell for the above scam are now in danger), your work and the overall reputation and operations of the Organization. This is a risk that you can only counter through vigilance and by remembering that your six digits are yours and yours only.
* If you have already shared such a code, please follow this advice from WhatsApp ASAP. The Computer Security team cannot help you further with WhatsApp incidents as our official and supported method of communication is Mattermost, the reason being that CERN controls its security and privacy.
Want to learn more about computer security incidents and issues at CERN? Read our Monthly Report. For further information, questions or advice, check our website or contact us at Computer.Security@cern.ch.