Finland's National Cyber Security Centre, Traficom, is warning citizens of a sophisticated attack method targeting accounts on popular messaging apps. The agency reports receiving multiple alerts from users who received unsolicited one-time passcodes for services like WhatsApp and Telegram without attempting to log in themselves. This indicates that a third party is attempting to register or hijack an account linked to the user's phone number, and in some cases these attempts have already led to successful account takeovers.
Traficom's statement reveals the unsettling mechanics of the attack. 'It appears that in some cases, a third party has succeeded in creating an account for the service without the phone number owner entering the confirmation code received via text message anywhere,' the agency said. The consequences are severe. In confirmed cases, an existing user's account has been hijacked and reset. Following this, the attacker can enable two-factor authentication on the stolen account, permanently locking out the legitimate owner.
The Mechanics of the Account Hijack
The precise technical method behind these intrusions remains unclear. Traficom explicitly states that it is not known how the user account breaches are carried out or exactly how the confirmation messages are linked to the incidents. The agency notes that multiple verification codes can be sent in succession, a tactic suggesting the attacker is trying to fatigue the victim, potentially hoping they will inadvertently share a code or give up on securing their account.
This exploit fundamentally targets the SMS-based verification system that underpins account security for these platforms. The attack does not require physical access to the target device: the SMS code is intercepted or triggered through other means. Security experts globally have long cited SMS delivery as a vulnerable point in two-factor authentication.
Traficom's Direct Warning to Finnish Users
The agency's guidance is unequivocal. 'If you receive an unsolicited notification of a confirmation code, someone else has entered your phone number into the service and requested a registration code,' Traficom's warning reads. Their core instruction is simple: 'Never share the confirmation code you receive from the app with others.' Sharing this code is the final step an attacker needs to complete their takeover.
Traficom addresses a common user question about prevention. The agency states that proactively preventing the creation of a Telegram or WhatsApp account for a specific phone number is impossible through direct user action. The service providers' systems allow anyone to initiate a registration attempt for any number. This shifts the entire focus of defense onto the individual user's actions after receiving an unsolicited code.
The Critical Step for Securing Your Account
In response to this threat, Traficom's primary recommendation is for users to proactively enable two-factor authentication (2FA) within the apps themselves. This security feature, once activated, requires a second form of verification—typically a separate PIN code set by the user—in addition to the SMS code when logging in on a new device. 'If you want to register a Telegram or WhatsApp account for your phone number, the only way is to create the account yourself and protect it with two-factor authentication,' the agency advises.
Enabling this feature is a straightforward process found within the settings menu of both WhatsApp and Telegram. For WhatsApp, users navigate to Settings > Account > Two-step verification to enable it. In Telegram, the feature is located under Settings > Privacy and Security > Two-Step Verification. Setting up this extra layer requires creating a custom password, which the attacker who has hijacked the SMS channel would not possess.
Understanding the Limitations of SMS Verification
This incident highlights a broader cybersecurity debate regarding the reliance on SMS for two-factor authentication. While 2FA is vastly superior to using just a password, SMS codes are considered a weaker form of the second factor compared to authenticator apps or physical security keys. SMS messages can be vulnerable to SIM-swapping attacks or, as this case suggests, other interception or triggering methods.
Traficom's alert does not specify if mobile network vulnerabilities or other external techniques are being exploited. The agency's focus remains on practical, immediate user action. They emphasize that the attack vector is active and that user vigilance is the first and most critical line of defense. The warning is not based on a hypothetical threat but on concrete reports filed with their Cyber Security Centre.
What to Do If You Receive a Suspicious Code
For Finnish users who receive an unexpected verification SMS from WhatsApp or Telegram, the protocol is clear. First, do not ignore it. Second, under no circumstances should you share the code with anyone who contacts you, as this is a common social engineering tactic. Third, immediately open your legitimate app and check your active sessions and account security settings.
If you can still log in, enable two-factor authentication immediately using the in-app method. If you find you are logged out and unable to regain access, it suggests a successful takeover may be in progress or complete. In this scenario, you must follow the account recovery processes provided by WhatsApp or Telegram directly, which often involve waiting a period before attempting to reregister the number.
The Traficom warning serves as a stark reminder that core digital communication tools are under constant threat. In Finland's highly connected society, where these apps are integral to both personal and professional life, securing them moves from a personal best practice to a matter of collective digital hygiene. The agency's alert puts the responsibility on individual users to activate the powerful security tools already available within the apps on their phones.
As the methods of cyber attackers evolve, so too must the defensive habits of everyday users. Enabling two-factor authentication is a simple, five-minute action that can prevent catastrophic account loss. The question for every Finnish WhatsApp and Telegram user now is whether they will act on this official warning before an unsolicited SMS code arrives on their screen.
