We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Is WhatsApp Safe to Use in 2024? Is It Secure Against Hackers?

Husain Parvez Fact-checked by Ryan Jones Cybersecurity Researcher

WhatsApp comes with robust security measures, including end-to-end encryption and 2FA (Two-Factor Authentication). But is WhatsApp safe to use? Is the app safe from hackers? Its affiliation with Meta has certainly raised concerns over potential data collection and sharing.

The platform is used by over 2 billion users, who send approximately 100 billion messages each day. So, a high level of security and privacy is crucial. However, increasing scam messages, security threats, and other concerns have started to tarnish WhatsApp's reputation as a safe form of messaging.

This guide covers all the potential dangers and the security features WhatsApp offers to help you decide if you want to use it. I’ve also created an in-depth guide with tips for using the Meta-owned messaging app safely, including how to make the most of the app’s security settings.

Pro Tip: While WhatsApp is mostly safe for everyday use, it’s not perfect. Check out this list of the best and safest alternatives to WhatsApp for some other secure choices.

Is WhatsApp Safe?

WhatApp provides plenty of decent security measures, including end-to-end encryption (E2EE). This encryption method ensures that only the message sender and receiver can view the contents of a communication. It means that WhatsApp can’t actually decrypt or access your messages itself. Other secure messaging apps, like Telegram, use similar methods.

However, the app does have some privacy concerns and can be vulnerable to cyber threats. WhatsApp’s parent company Meta doesn’t have the best reputation when it comes to handling user data. The app has also seen plenty of instances of scams, malware distribution, and phishing. Let’s take a look at both WhatsApp’s features and its vulnerabilities to see how they balance out.

Key WhatsApp Security Features

Features Benefits
E2E encryption End-to-end encryption automatically covers all forms of communication within the app, including text messages, voice calls, photos, and videos. This safeguards your correspondence by default. WhatsApp uses Open Whisper Systems’ Signal protocol (the same protocol used by the Signal messaging app) to ward off eavesdropping or data mining.
Two-step verification (2FA) Logging in to WhatsApp requires a 6-digit registration code that the app sends to your number by SMS or phone call. 2FA adds a 6-digit security PIN to this process, giving you an extra layer of protection against hackers. You can also use biometric passkeys to unlock the app with your fingerprint or face.
Password protection WhatsApp regularly backs up your messages and encrypts these backups. However, for additional security, you can add password protection as well. The app also gives you the option to set a password-protected screen lock that kicks in after your chosen length of inactivity.
Chat lock This feature enables you to lock specific chats with a PIN or password, providing privacy for individual conversations. It's especially useful for keeping sensitive discussions confidential, allowing you to share your device without worrying about someone reading your private chats.
Archive Archiving chats allows you to hide conversations from your main chat list without deleting them. This feature is great for keeping sensitive conversations out of immediate view, while still retaining the ability to access them whenever needed.
Disappearing messages This feature allows you to customize the lifespan of your messages, making them vanish after a set amount of time (24 hours, 7 days, or 90 days). Messages will also disappear if not viewed within the designated period.
View once media Like disappearing messages, this feature lets you send photos and videos that disappear after the recipient has viewed them once. This is ideal for sharing sensitive or private media that you don't want to be retained on someone else's device.
Security notifications Each WhatsApp chat has its own security code that can be verified between users. The app provides security notifications to inform you if this code changes (which can happen if a contact reinstalls WhatsApp or changes devices). The notifications serve as a reminder to verify the contact's new security code.
Automatic spam detection While the app can’t access message contents to analyze them, it uses metadata (like IP addresses) and message-sending rates to identify possible scam communications. If WhatsApp identifies a message as spam, it can block the user number or add a ‘suspicious link’ warning to prevent you from clicking on malicious URLs.
Group privacy settings These settings allow you to control who can add you to WhatsApp groups. You can choose to allow anyone, only your contacts, or select contacts to add you to groups. It helps prevent spam and unwanted group additions, giving you more control over your messaging experience.
Block contacts WhatsApp allows you to block specific contacts, preventing them from sending you messages, seeing when you’re online (“last seen”), viewing your status updates, or calling you on WhatsApp. This is essential for managing your privacy and avoiding harassment or unwanted communication.
Account Protect This feature protects you when you start using WhatsApp on a new device. It asks you to verify your identity on your old device first, to stop hackers getting access to your account.

WhatsApp Security Threats and Risks

Despite the above features, WhatsApp still faces several privacy issues and risks that you should be aware of:

1. Data Collection by Meta

Meta collects data on how you interact with WhatsApp, your contacts, transaction data (Facebook Pay), and your location. The platform insists that this doesn’t affect the privacy of your chats. However, the information collected is still sensitive data that can be used to identify you​​ or impersonate you in the case of a security breach.

The extent of WhatsApp’s data collection has raised privacy concerns, especially in the context of how this data might be used or shared within the broader Meta ecosystem. Meta has faced scrutiny for its data safety practices in the past. For example, in January 2021, Meta (then Facebook) was fined €210 million by the Irish Data Protection Commission for failing to comply with GDPR requirements concerning data privacy practices.

In 2023, WhatsApp was also subject to a massive data leak. A database including the phone numbers of nearly 500 million global active users was offered for sale on a hacking forum. It’s thought that many of these numbers may then have been used to launch phishing attacks on the app.

2. WhatsApp Scams

The variety of scams on WhatsApp is significant, with the Federal Trade Commission (FTC) reporting a noticeable increase in social engineering or social hacking on the app. According to a report by Kaspersky, WhatsApp messages make up around 82.71% of its total blocked phishing attacks.

Other common scams include:

  • Loved ones in need. Scammers pretend to be a family member or friend in crisis — using generic greetings like “Hey mom/dad” — to solicit money from unsuspecting users.
  • Fake gifts. In this phishing trick, hackers send messages claiming to offer free gift cards. However, the links they send take you to malicious sites designed to steal your personal information. Another scam claimed it was WhatsApp’s 10th birthday, with a link offering ‘free data’ to celebrate.
  • Malicious QR codes. Linking devices under one WhatsApp account requires you to scan a QR code from the WhatsApp website. Some scammers set up fake versions of this landing page, with false QR codes that give them access to your account. Another scam asks the victim to scan fraudulent QR codes to “receive” UPI payments — stealing the money instead.
  • Fake tech support. Fraudsters can pose as WhatsApp customer service to phish for sensitive data by asking you to “verify” your identity. They can then use the information you give them to access your account and/or commit identity or financial theft.
  • Fake apps. Fake apps or fake WhatsApp sites allow cybercriminals to launch man-in-the-middle attacks, in which they intercept or alter your communications. One example is the WhatsApp Gold scam, which invited users to a fake special edition of the app. WhatsApp Web and Desktop are particularly vulnerable to being faked, as mobile stores like the Google Play Store or Apple’s App Store are more tightly regulated.
  • Verification code hack. This is when an attacker attempts to trick you into sharing the verification code WhatsApp sends you when you log in to your account. Most often, the scammer will send you a message claiming they accidentally logged in to WhatsApp with your number instead of theirs. They then request the code you’ve been sent. Giving them this code allows them to access and control your account.
  • Bogus job opportunities. Scammers promise lucrative opportunities to unsuspecting users as a pretext to extract personal or financial information as part of the “onboarding process”​. These kinds of recruiter scams have grown alongside remote working — cybersecurity firm Sophos identified a 300% increase in fake job offers spread via WhatsApp during the pandemic.

3. Backup Vulnerabilities

A study by the Darmstadt Technical University in Germany highlighted the risk posed by unencrypted WhatsApp backups on Google Drive and iCloud. The study revealed that unencrypted backups are vulnerable to access by third parties, including cloud service providers and law enforcement agencies.

E2EE automatically protects WhatsApp chats, but you have to enable end-to-end encryption for backups manually.

4. Malware and Hackers

WhatsApp is often used to spread malicious links or malware​​. The app itself can also be vulnerable to attack by cybercriminals. For example, the "Skygofree" spyware discovered by Kaspersky Lab in 2018 was able to access WhatsApp messages on Android phones via Google’s Accessibility Services.

In 2019, an attack using Pegasus spyware — software developed by the Israeli company NSO Group — exploited a WhatsApp vulnerability that allowed it to snoop on approximately 1,400 devices. Apps using a range of operating systems were affected, including iOS, Android, Windows Phone, and Tizen.

5. Fake News and Misinformation

The encryption that protects WhatsApp messages also limits the app's ability to police fake news and misinformation. Measures like message forwarding limits have been introduced, restricting forwarding to 5 groups at a time (instead of the previous 250). However, the spread of hoaxes and false information remains a challenge​​.

WhatsApp has been cited in numerous cases of widespread misinformation. These include the 2020 US presidential campaign, the 2018 Brazil elections, and the 2017 outbreak of violence in India.

6. Revenge Porn and Non-Consensual Image Sharing

WhatsApp’s encryption and ‘view once’ mode can lull users into a false sense of security when it comes to sharing sensitive media in chats — like private photos. The platform has implemented software to prevent screenshots from being taken of ‘view once’ photos. However, there’s nothing to stop someone from using another device to take a picture of sensitive media instead. These images can then be used for blackmailing or revenge porn.

How to Use WhatsApp’s Security Features

To boost your safety and privacy on the app, follow the steps below:

1. Turn on End-to-End Encryption for Backups

This ensures that cloud-based backups aren’t vulnerable to hackers or snoops.

Step 1. Open WhatsApp, navigate to Settings and select Chats.

Screenshot of WhatsApp Settings windowYou can configure all WhatsApp settings from this panel

Step 2. Click on Chat Backup and select the End-to-End Encrypted Backup option. Now, click on the Turn On button and follow the on-screen instructions to create a password or a 64-digit encryption key.

Screenshot of WhatsApp Chat Backup settingsMake sure to remember this password or key, as you'll need it to restore your backup
Pro Tip: China blocks access to WhatsApp, so you'll normally be unable to use it while visiting the country. However, it is possible to regain access to WhatsApp in China with a quality VPN.

2. Adjust Privacy Settings

You can choose who sees your ‘last online’ activity and decide if others can know when you've read their messages by toggling read receipts. Just bear in mind that disabling read receipts means you won't see when others have read your messages either, except for group chats.

Step 1. Go to Settings in WhatsApp and click on the Privacy option.

Screenshot of WhatsApp Privacy settingsThe privacy settings also let you block contacts and set up a default message timer

Step 2. Adjust who sees your Last Seen, profile photo, About information, and status updates. You can customize each setting according to your privacy preferences. I recommend choosing Nobody as it's the safest option.

Screenshot of WhatsApp Last seen and Read receipts settingsYou can also turn on read receipts and set group privacy settings

3. Enable Fingerprint Lock, Touch ID, or Face ID

For an extra level of security, WhatsApp allows you to lock the app with your fingerprint, Touch ID, or FaceID, depending on your device. This feature ensures that only you can open WhatsApp, preventing others from accessing your messages even if they have physical access to your phone.

Step 1. Open WhatsApp and access the Settings panel. Then click on Privacy and select Fingerprint Lock.

Screenshot of WhatsApp Fingerprint lock settings optionYou can also set up your face scan to unlock WhatsApp

Step 2. Turn on the Unlock with fingerprint toggle. For Apple devices, go to Screen Lock and turn on the Require Touch ID or Require Face ID options to set up the lock.

Screenshot of WhatsApp Fingerprint lock and Screen Lock settings panelNewer Apple iPhones only come with Face ID

4. Enable Two-Step Verification

This requires a 6-digit PIN when registering your phone number with WhatsApp, helping you protect your account from unauthorized access.

Step 1. Open WhatsApp, go to Settings and choose the Account option.

Screenshot of WhatsApp Account settings optionYou can also set up security notifications and passkeys

Step 2. Select Two-step verification and tap on Enable. Just follow the on-screen prompts and set up a PIN.

Screenshot of WhatsApp 2FA settings panelYou may need to verify with a code to set up the Two-step verification feature

5. Keep WhatsApp Updated

Enable automatic updates in your device's app store to ensure you're always using the latest version of WhatsApp. This offers you the most up-to-date security features and the latest security patches to avoid vulnerabilities.

Step 1. Go to the Google Play Store and search for WhatsApp. Apple devices already update WhatsApp automatically.

Screenshot of Google Play homescreenYou can repeat the same steps to enable auto updates for other apps

Step 2. Now, click on the 3-dot icon on the top right and enable the auto updates toggle.

Screenshot of Google Play WhatsApp pageYou can also join the beta program to get the latest updates and features

Additional Tips for Using WhatsApp Safely

To ensure a secure and privacy-centric experience while using WhatsApp, follow these essential tips:

  • Be cautious of suspicious messages. Stay alert to messages that seem unusual or ask for personal information. Telltale signals often include grammar or spelling errors. Verify the identity of the sender through other means if necessary.
  • Regularly review linked devices. Check which devices are linked to your WhatsApp account and log out from any that you don't recognize or no longer use. This can be found under WhatsApp Web in the app settings.
  • Recognize and avoid common scams. Educate yourself on the various scams that target WhatsApp users, such as phishing attempts, fake job offers, and lottery scams. If something sounds too good to be true, it likely is (you can always verify messages by contacting companies directly). Look out for fake apps and only download WhatsApp from official sources.
  • Limit who sees your WhatsApp Status. Like Instagram Stories, your WhatsApp status allows you to add videos or images that can be viewed for 24 hours. These updates are vulnerable to screenshotting or screen recording. To limit who sees your status, go to Updates, tap the 3 dots next to My status, then Status Privacy, and choose from the options. You can select from My contacts, My contacts except, or Only share with.
  • Turn off location settings. You can turn off location permission for WhatsApp in your device settings. This prevents the app (and Meta) from getting access to your location, though it means some features — like sending your live location to contacts — will no longer work.
  • Don’t give out your phone number. Only share your phone number with people you trust. Your phone number is key to your WhatsApp account, and sharing it widely can increase your risk of being targeted by scammers.
  • Use antivirus software or a VPN. Security software that comes with malware detection and malicious link warnings can help you avoid clicking on any dangerous links.
  • Never share your registration code or 2FA PIN with others. These are critical to keeping your account secure. Genuine WhatsApp customer support reps won’t ask for this information. If you choose to use the app’s password protection features, also make sure to choose strong passwords.
  • Update your device and app regularly. Ensure your device's operating system is up-to-date to benefit from the latest security improvements. It’s a good idea to keep the WhatsApp app updated for the same reason.
Pro Tip: Like WhatsApp, VPNs use encryption to protect everything you do online. The best services, like ExpressVPN, also come with cyber threat protection that automatically blocks your device from accessing dangerous websites. So you’re protected even if you accidentally click on a dodgy link in WhatsApp.

Editor's Note: Transparency is one of our core values at vpnMentor, so you should know we are in the same ownership group as ExpressVPN. However, this does not affect our review process.

FAQs on Using WhatsApp

Is WhatsApp safe for sending private photos?

Not necessarily. The app offers end-to-end encryption for all its messages, including photos. It also has a ‘view once’ feature to send self-destructing media that can’t be screenshotted. However, nothing is stopping the recipient of such photos from using another device to capture them instead — which can be a key part of online dating scams. Always exercise caution when sending private photos to anyone.

Can I safely use WhatsApp for business?

WhatsApp is fairly safe for business use. The end-to-end chat encryption and 2FA ensure that messages, documents, and calls are secure. That said, you can make it even safer by enabling end-to-end encryption for backups and fingerprint locks too.

There’s also a tailored WhatsApp Business service you can use, that lets you create a business profile, automate messages, and organize your customer chats with labels.

Why would someone use WhatsApp instead of texting?

WhatsApp is encrypted and free to use, whereas traditional texting can incur charges. The platform also has additional safety features not offered by SMS. Last but not least, WhatsApp supports free international messaging and provides a platform for voice and video calls, as well as media sharing (which can cost a lot or exceed file size limits for texts).

Is WhatsApp safe for kids?

WhatsApp can be safe for kids with proper guidance and monitoring from parents. The app offers end-to-end encryption, which helps in keeping conversations private. However, issues such as exposure to inappropriate content, talking to strangers, and cyberbullying exist. There’s also a lot of scamming, fake news, and misinformation on the platform, so it’s important to educate your children about these risks.

That said, WhatsApp doesn’t have any specific parental controls and the app itself recommends that it shouldn’t be used by anyone under 13.

Can WhatsApp protect against government surveillance?

WhatsApp's end-to-end encryption is designed to secure messages against snooping. The app also comes with multiple security features that keep your messages protected. Enabling 2FA and fingerprint protection can help to protect your WhatsApp account from unauthorized access.

That said, WhatsApp itself still collects a lot of your metadata (such as the time of communication and contact details). The platform could potentially share your information with authorities under specific legal circumstances — for example under warrants or subpoenas.

Wrapping Up

WhatsApp offers a high level of security for its users, primarily through its end-to-end encryption feature, which ensures your messages stay unreadable. Its additional security features make the platform safe to use in most everyday situations.

That said, it’s still important to be aware of Meta’s data-logging policies, as well as scams on the platform. Always be cautious about sharing personal information and ensure you’re making the most of the app’s security settings.

Privacy Alert!

Your data is exposed to the websites you visit!

Your IP Address:

Your Location:

Your Internet Provider:

The information above can be used to track you, target you for ads, and monitor what you do online.

VPNs can help you hide this information from websites so that you are protected at all times. We recommend ExpressVPN — the #1 VPN out of over 350 providers we've tested. It has military-grade encryption and privacy features that will ensure your digital security, plus — it's currently offering 61% off.

Visit ExpressVPN

We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.

Did you like this article? Rate it!
I hated it! I don't really like it It was ok Pretty good! Loved it!
out of 10 - Voted by users
Thank you for your feedback

Please, comment on how to improve this article. Your feedback matters!

Leave a comment

Sorry, links are not allowed in this field!

Name should contain at least 3 letters

The field content should not exceed 80 letters

Sorry, links are not allowed in this field!

Please enter a valid email address

Comments (1)
Vern
13 Aug 2024
13 Aug 2024

How useful is the 2FA? I have it on (without email) and have been getting so many notifications lately that someone is trying to log into my account. I tried to contact WhatsApp support but they just give a generic reply that there has been suspicious activity regarding registration and registration can’t be done now.

If the hacker successfully got the sms verification code by sms swap or other means, can they reset the 2FA and thereby negate its usefulness?

I’m assuming since I’m still logged into WhatsApp, it means they have not been successful yet. Is that true?

Thanks!