Do not respond to these messages, and do not send money.
En mayo, la actriz mexicana Michelle Rodríguez reveló que la cuenta de WhatsApp de su madre había sido tomada por delincuentes mediante una llamada falsa de paquetería, quienes luego solicitaron transferencias de dinero a los contactos de confianza de su familia. El incidente no es un caso aislado, sino el reflejo de una vulnerabilidad profunda en la forma en que las personas depositan su confianza en los números que reconocen. En un mundo donde la identidad digital se confunde con la identidad real, la suplantación de una voz familiar se convierte en la llave maestra del fraude moderno.
- Criminales tomaron control del WhatsApp de la madre de Michelle Rodríguez y comenzaron a solicitar transferencias bancarias a sus contactos haciéndose pasar por ella.
- El engaño partió de una llamada falsa de mensajería que manipuló a la víctima para entregar información sensible, demostrando que la ingeniería social sigue siendo el eslabón más débil de la seguridad digital.
- Rodríguez usó Instagram para alertar públicamente a sus seguidores, pidiendo que ignoraran cualquier solicitud de dinero proveniente del número de su madre.
- La firma de ciberseguridad ESET publicó un protocolo de recuperación de diez minutos que incluye recuperar el acceso, cerrar sesiones desconocidas, evaluar el daño y proteger cuentas vinculadas.
- Cada minuto de retraso amplía el margen de acción del atacante, quien puede usar la cuenta comprometida como puerta de entrada a correos, redes sociales y aplicaciones bancarias.
Un domingo de mayo, la actriz y comediante mexicana Michelle Rodríguez, de 42 años, alertó en Instagram que la cuenta de WhatsApp de su madre había sido hackeada. Los delincuentes, tras tomar el control, enviaban mensajes a los contactos de su madre solicitando transferencias a cuentas en Bancomer y Banamex. Rodríguez pidió a sus seguidores ignorar esos mensajes y ayudar a correr la voz.
El ataque se originó en una llamada fraudulenta que simulaba ser de una empresa de paquetería. Mediante engaño, lograron que la madre de Rodríguez revelara información suficiente para apoderarse de su cuenta. Una vez dentro, los criminales tuvieron acceso a toda su lista de contactos: personas que confiarían en mensajes provenientes de un número conocido.
Dos días antes de la alerta pública, la empresa de ciberseguridad ESET había publicado una guía de acción para los primeros diez minutos tras un hackeo de WhatsApp. El primer paso es confirmar la brecha: verificar si aún se puede iniciar sesión o si los contactos reportan mensajes no enviados. Luego, intentar recuperar la cuenta ingresando el número telefónico y usando el código de verificación por SMS. Si el atacante activó la verificación en dos pasos, se puede restablecer el PIN desde el correo electrónico; si ninguna opción funciona, habrá que esperar siete días.
En paralelo, es indispensable notificar de inmediato a todos los contactos para que no respondan ni envíen dinero. Si se recupera el acceso, el siguiente paso es cerrar todas las sesiones desconocidas desde la configuración de dispositivos vinculados. Después, revisar qué mensajes se enviaron, si el perfil fue modificado y qué conversaciones pudieron quedar expuestas.
Finalmente, ESET recomienda cambiar contraseñas del correo electrónico, redes sociales y aplicaciones bancarias, ya que una cuenta de WhatsApp comprometida suele ser el punto de entrada a ataques más amplios. WhatsApp, por su parte, advierte que no se debe reportar la cuenta como hackeada antes de intentar recuperarla, pues eso puede provocar una suspensión que bloquee el acceso a los propios datos. Solo si la recuperación falla, se debe contactar al soporte en support@whatsapp.com.
On a Sunday morning in May, Mexican actress and comedian Michelle Rodríguez discovered that her mother's WhatsApp account had been compromised. Criminals had seized control and were sending messages to her mother's contacts, requesting money transfers to bank accounts at Bancomer and Banamex. Rodríguez, 42, took to Instagram to sound the alarm, telling her followers to ignore any such requests coming from her mother's number and asking anyone who recognized the scam to help spread the word.
The breach had occurred through a social engineering attack—a fake delivery call that tricked her mother into revealing information that allowed the attackers to take over the account. Once inside, the criminals had free access to her mother's contact list, a ready-made network of people who might trust messages appearing to come from a familiar number. Rodríguez emphasized that her family was working to regain control and that everyone in her household remained safe, but the incident underscored how quickly a single compromised account can become a tool for mass fraud.
Two days before Rodríguez's public warning, the cybersecurity firm ESET had published detailed guidance on exactly what to do in the first ten minutes after a WhatsApp account is hacked. The window is narrow and the steps are precise. In the first minute, a victim needs to confirm the breach by checking whether they can still log in, whether they've received notifications that their number was registered on another device, or whether their contacts are reporting messages they never sent. Once the breach is confirmed, action must follow immediately.
Within the next two minutes, ESET recommends attempting to recover the account by logging in again with your phone number. The system will send a verification code via SMS or phone call. If the attacker has enabled two-step verification and you don't know the PIN, you can reset it through your email. If neither option works, you'll have to wait seven days before regaining access. The moment recovery is attempted, victims should notify everyone in their contact list to prevent the criminal from conducting further fraud in their name. The message is critical: do not respond to these messages, and do not send money.
If account recovery succeeds, the next three minutes should be spent closing any unknown sessions. In WhatsApp settings, under linked devices, a victim can identify and terminate any sessions they don't recognize, effectively locking the attacker out. Then comes damage assessment. Between minutes seven and eight, the victim should review what happened while the account was compromised: which messages were sent, whether the profile picture was changed, whether any conversations were deleted or archived. This inventory reveals what information may have been exposed and what contacts might need a direct warning.
The final two minutes of the critical window should be spent securing everything else. Change your email password immediately. Update passwords on social media accounts. Reset access to banking apps and any financial services. A compromised WhatsApp account is often a foothold for broader attacks, and the attacker may already be probing other accounts linked to the same phone number or email address. Speed matters because every minute of delay gives the criminal more time to cause damage.
WhatsApp's own support team added one crucial caveat: do not report the account as compromised before attempting to recover it. Reporting a hacked account can trigger a suspension that locks you out entirely, potentially costing you access to your data. Try recovery first. Only if recovery fails should you contact WhatsApp support directly through the app or at support@whatsapp.com, explaining that your number has been compromised. The company's recommendation reflects a hard truth about account takeover scams: the victim and the platform are sometimes working against each other in the race to regain control.
Citações Notáveis
They are sending messages requesting money to bank accounts. Do not respond to them.— Michelle Rodríguez, warning her followers on Instagram
If you report the account as compromised before recovering it, we could suspend it, and you could lose access to your WhatsApp account or your data.— WhatsApp support guidance
A Conversa do Hearth Outra perspectiva sobre a história
How does someone's WhatsApp get taken over through a fake delivery call? That seems almost too simple.
It is simple, and that's the danger. The attacker calls pretending to be from a delivery service and asks you to confirm your phone number or verify a code. You think you're helping process a package. You give them information. They use it to request a verification code from WhatsApp, and once they have that, the account is theirs.
So it's not a technical hack—it's social engineering.
Exactly. They're not breaking into servers. They're manipulating a person into handing over the keys. And once they have the account, they have access to hundreds of contacts who all trust that number.
Why is the ten-minute window so critical?
Because in those first minutes, the attacker is still actively using the account. They're sending messages, they're trying to extract money. If you regain control quickly, you can stop them before they've done much damage. After ten minutes, the window closes—you've either recovered it or you haven't, and the damage is done.
What's the worst-case scenario if someone doesn't act fast?
Financial loss, obviously. But also reputation damage. Your contacts think you're a scammer. And the attacker may have already moved on to compromise your email or banking apps using the same techniques. One breach becomes many.
Why did Rodríguez go public instead of just handling it privately?
Because silence helps the scammer. If her mother's contacts don't know the account is compromised, they might actually send money. By warning people publicly, she cut off the attacker's ability to profit. It's also a public service—everyone who sees her warning learns what to watch for.