Movies show hackers typing furiously until "ACCESS GRANTED" flashes on screen. Reality is less dramatic and more uncomfortable: most accounts are stolen because the owner gave away the key without realising it. Once you understand the actual methods, protecting yourself takes about twenty minutes.
Method 1: Phishing — you type the password yourself
The most common attack is embarrassingly simple. You receive a message — "Your account will be suspended", "You have won airtime", "See who viewed your profile" — with a link. The link opens a page that looks exactly like Facebook or your bank. You type your password. The page belongs to the attacker. Done.
No code was "hacked". You logged into a costume.
The defence is a habit, not a tool: never log in through a link somebody sent you. If a message says there's a problem with your account, close it and open the app or type the website address yourself. A real problem will be waiting there. Ninety percent of the time, there is no problem.
Method 2: One password, reused everywhere
Websites get breached constantly — some small forum you registered on in 2019 leaks its database, and your email-plus-password combo ends up in criminal collections traded online. Attackers then feed those lists into automated tools that try the same combination on Facebook, Gmail, banking apps — everything. It's called credential stuffing, and it works because most people reuse one password everywhere.
If your password is the same on ten sites, your security equals the sloppiest of those ten sites.
The defence: different passwords per account, stored in a password manager (the ones built into Chrome, Samsung and iPhone are fine to start). You remember one strong master password; it remembers the rest. This single change defeats the most industrialised attack on the internet.
Method 3: The WhatsApp six-digit code trick
This one is stealing accounts across Africa right now. An attacker — often already controlling a friend's hijacked account — messages you: "I sent a code to your number by mistake, please forward it." Moments earlier they entered your number into WhatsApp's login screen, so the SMS code that arrived is the key to your account. Forward it and your WhatsApp is gone — and the attacker starts messaging your contacts asking for money, or for their codes.
The defence: never share a verification code with anyone, for any reason, no matter who asks. There is no legitimate scenario where another person needs a code sent to your phone. Also enable WhatsApp's own PIN: Settings → Account → Two-step verification. With the PIN on, a stolen SMS code alone isn't enough.
Method 4: SIM swap — stealing the phone number itself
More targeted but devastating: an attacker convinces or bribes their way into having your number moved to their SIM. Suddenly they receive your calls, SMS — and every "reset code" your accounts send. From there, they reset your passwords one by one.
The defence: prefer app-based two-factor authentication (Google Authenticator or similar) over SMS codes where offered, because app codes live on your device, not your number. And treat your number like a key: if your phone suddenly loses all service for no reason, contact your network fast — that's the classic SIM-swap signature.
Method 5: The "free" app tax
Cracked APKs, modded WhatsApp versions, "free" versions of paid software — a portion of these carry keyloggers and info-stealers that quietly read what you type and upload your saved passwords. You install the thief personally, bypassing every other protection.
The defence: official stores only, and be suspicious of any app demanding permissions it doesn't need. A flashlight app has no business reading your SMS.
The 20-minute setup, in order
- Turn on two-step verification for WhatsApp (Settings → Account → Two-step verification). 2 minutes.
- Add two-factor authentication to your email first — email is the master key, since every other account resets through it. 5 minutes.
- Change your email and banking passwords to unique ones and let your phone's password manager save them. 8 minutes.
- Check your recovery details (backup email and number on your Google/Apple account) — attackers change these to lock you out; make sure they're yours and current. 3 minutes.
- Tell your family about the code trick. The next attempt on you will likely come through someone you trust. 2 minutes.
None of this needs technical skill, and it moves you from the easy 95% of targets into the group that isn't worth an attacker's time. That's the honest goal of personal security — not being unhackable, just being expensive.