One careless response can unlock a larger fraud.
Madrid | July 2026
Telephone fraud increasingly begins with an apparently harmless question from an unknown caller. Criminals impersonating banks, technology companies or customer service departments attempt to obtain brief voice recordings, personal information or authentication credentials. Among the most sensitive responses are an affirmative “yes” and the verification code used to register a WhatsApp account on another device.
The first warning concerns the automatic habit of answering questions affirmatively. A caller may ask whether the person can hear clearly, whether they are the account holder or whether they authorize receiving information. The objective is to capture a clean recording that can later be edited, removed from its original context or incorporated into a broader impersonation attempt.

Saying “yes” once does not normally give a stranger direct access to a bank account. Financial transactions usually require additional authentication, personal data or control of a registered device. The danger appears when the recording is combined with information obtained through leaks, social networks, previous scams or manipulated conversations.
Modern audio tools make that combination more powerful. Criminals can alter recordings, reproduce a person’s tone or create synthetic speech from relatively small voice samples. A short answer may therefore become one component within a larger social engineering operation designed to deceive relatives, employees, service providers or financial institutions.
The second warning is more immediate and technically decisive. A WhatsApp verification code is not simply another password sent by text message. It is the temporary credential required to register a telephone number on a new device, meaning that anyone who obtains it may attempt to take control of the account.
The scam usually begins when the criminal enters the victim’s telephone number into WhatsApp. The legitimate owner then receives a verification code without having requested it. Moments later, someone may call or send a message claiming that the code was delivered by mistake, is needed to confirm an appointment or must be shared with supposed technical support.

No legitimate representative should request that code. Without it, the attacker cannot normally complete the registration process on the other device. Once the victim reveals it, the criminal may gain access to the account, impersonate its owner and contact relatives or colleagues with urgent requests for money.
Account theft can spread rapidly because messages appear to come from a trusted contact. Criminals may claim to have suffered an accident, lost access to a bank account or encountered an emergency requiring an immediate transfer. The victim’s reputation becomes the mechanism that allows the next stage of the fraud to succeed.
Users should treat unexpected verification notifications as evidence that another person may be attempting to register their number. The correct response is not to answer requests for the code, but to review account security and confirm that no unfamiliar devices remain connected. Activating two step verification adds a personal identification number that creates an additional barrier against unauthorized registration.
Unknown callers also exploit urgency and authority. They may mention a suspicious purchase, a blocked account or an alleged security incident to prevent the person from thinking calmly. The more alarming the story becomes, the more important it is to end the communication and verify the claim independently.
Banks, platforms and public institutions should be contacted through their official applications, verified telephone numbers or physical branches. Returning a call to the number displayed on the screen is not always sufficient because caller identification can be manipulated. A familiar number or recognizable company name does not guarantee that the caller truly represents that organization.
Personal and financial information should never be confirmed during an unsolicited call. This includes card numbers, security codes, passwords, account balances, identification documents and one time authentication credentials. Even partial information can help criminals complete a profile already assembled from other sources.
Older adults deserve particular attention because fraud campaigns often target people who are less familiar with account verification processes. Families can reduce vulnerability by discussing common scripts before an attack occurs and establishing a rule that urgent financial requests must be confirmed through a second communication channel. Preparation is more effective than attempting to improvise while under pressure.
The real protection does not depend on memorizing two forbidden expressions. It comes from understanding that an unknown caller may be collecting fragments of identity, voice and access rather than seeking an ordinary conversation. Refusing to provide those fragments breaks the sequence before the fraud can advance.
Every unexpected call should therefore be approached as an unverified interaction. A single “yes” may be manipulated, but a WhatsApp verification code can directly compromise an account. The safest response is to disclose nothing, end the call and independently contact the organization or person supposedly involved.
La verdad es estructura, no ruido. / Truth is structure, not noise.