Is WhatsApp safe? Encryption, metadata, and the real risks

Yes, WhatsApp is one of the safest mainstream messaging apps you can use. Every personal message and call is end-to-end encrypted by default, so not even WhatsApp can read them.

The encryption isn’t where the risk lives.

The real concerns sit one layer up—metadata flowing to Meta, scams running on top of the platform, and the spyware case that reshaped how the whole industry thinks about messaging security.

Here’s what’s actually safe, what isn’t, and how to lock it down—

Quick Verdict:

Safe?Notes
Message content (text, voice, video calls)✅ YesEnd-to-end encrypted by default via the Signal Protocol
Personal data⚠️ PartialMetadata is shared with Meta; message content is not
Cloud backups⚠️ PartialEncrypted backup is available but off by default
Scams⚠️ ModeratePhishing and impersonation are common
State-level surveillance⛔ NoZero-click spyware (Pegasus) has bypassed protections

For most people, the everyday risk on WhatsApp isn’t the encryption breaking—it’s the scams running on top of it. 

Family-impersonation cons, verification-code theft, fake recruiters, romance scams, and crypto groups all rely on the same thing: a scammer knowing enough about you to make first contact feel believable.

Worth knowing:

Those scams work because so much about you is already findable online—names, numbers, family links, and home addresses sitting on people-search sites and data broker databases. 

Incogni sends opt-out requests on your behalf to hundreds of those brokers, continuously, so the personal details available about you keep shrinking even as new listings appear.

WhatsApp’s security features

In short: WhatsApp uses the Signal Protocol for end-to-end encryption on every personal message and call by default. Two-step verification, app lock, and privacy controls are all available, but a few key protections—encrypted cloud backups in particular—stay off until you turn them on yourself.

WhatsApp runs on the same Signal Protocol that powers Signal itself.

That covers everything in a personal chat: texts, voice notes, photos, videos, voice calls, and video calls. All end-to-end encrypted by default.

So WhatsApp can’t read your messages. Neither can Meta, your carrier, your internet service provider (ISP), or anyone snooping on the connection.

Two-step verification adds a six-digit PIN on top of the SMS registration code. It’s your best defense against account takeover.

Without it, anyone who grabs your phone number can re-register WhatsApp on their own device. With it, they’d also need a PIN they can’t get.

App lock (Face ID, Touch ID, or fingerprint) keeps someone with your unlocked phone out of your chats. Privacy settings control who sees your profile photo, “last seen,” “online” status, and “about” text, and who can add you to groups.

But three things stay exposed by default:

  • Metadata. Who you talk to, when, how often, and from where. WhatsApp’s privacy policy says this gets collected and shared across Meta companies.
  • Cloud backups. Chats backed up to iCloud or Google Drive aren’t encrypted unless you turn that on. Apple or Google can hand them to law enforcement.
  • Screenshots. View Once media vanishes after one view, but the other person can screenshot or screen-record it first.

The real risks of using WhatsApp

In short: WhatsApp’s risks beyond scams come down to two things: targeted spyware aimed at journalists, activists, and dissidents, and the structural privacy concern of metadata flowing to Meta. The first is rare but real. The second is permanent and tied to the platform’s business model.

Cybersecurity risks

The worst documented attack on WhatsApp never touched the encryption. It hit the software around it.

In May 2025, a US federal jury ordered NSO Group to pay WhatsApp around $168 million for using its Pegasus spyware on about 1,400 users—journalists, human-rights defenders, diplomats, and dissidents. No tap, no click. A single malicious call took over the device, then deleted itself from the call log.

But—

The number didn’t stick. In October 2025, a judge permanently barred NSO from targeting WhatsApp, then slashed the damages to roughly $4 million as excessive. NSO is appealing.

So what does this mean for you? Not much, honestly. Pegasus is a government-only product, costs millions per target, and gets pointed at high-value people. You’re not on that list.

Here’s what matters, though—

The case proved an encrypted messenger can still be cracked at the device level. That’s the real lesson: your messages are only as safe as your phone. Keep your operating system (OS) updated, skip apps from outside the official stores, and treat any surprise call or text from an unknown number as suspect.

The threat you’ll actually face is a SIM swap. An attacker talks your carrier into moving your number to their SIM, requests a fresh WhatsApp code, catches it, and logs in as you.

Two-step verification stops that. Turn it on.

Privacy and data collection

The Signal Protocol locks down your messages. It doesn’t touch your metadata.

And WhatsApp collects plenty of it—your phone number, profile, full address book (if you let it), device and connection details, location when you use location features, transaction data, and usage stats.

All of it flows to other Meta companies—Facebook, Instagram, Messenger—and feeds Meta’s ad and profile machine.

Want an outside opinion? The Mozilla Foundation’s 2025 “Nothing Personal” review scored WhatsApp 6 out of 10 on privacy. Better than most social apps, but Mozilla flagged the Meta link as the main problem.

Regulators are circling, too. In February 2026, India’s Supreme Court hinted it might reimpose a ban on WhatsApp sharing data with other Meta entities. In Europe, the EU’s Digital Markets Act has already forced Meta to open WhatsApp to third-party chats.

The trend points one way: tighter limits.

For now, though, the data keeps moving.

WhatsApp scams and security incidents

In short: WhatsApp has no public history of mass user-data breaches, but it has a long and active scam landscape on top of the platform. The patterns repeat across countries and recycle into new variants, so the defense is recognition rather than any single tool.

WhatsApp itself hasn’t suffered a publicly disclosed breach of user account data the way some payment and retail apps have. The 2025 NSO case was a targeted spyware attack against roughly 1,400 specific users—not a bulk compromise.

Across every scam type, the red flags repeat: pressure to act fast, a push to move the conversation off-platform, refusal to do a quick video call, and any ask for a code, password, or payment. WhatsApp has in-app reporting tools, and the FTC’s scam guidance covers what to do once you’ve been targeted.

Here are the patterns worth knowing—

“Hi Mom” / family impersonation

A message from an unknown number opens with “Hi Mom, I lost my phone, this is my new number.” Once you reply, it moves fast to a financial emergency—a stuck bill, a lost wallet, a deadline an hour away.

Red flags: refusal to take a call, refusal to video chat, any request for money or banking details. What to do: don’t engage. Call the person you think you’re talking to on the number you already have, and report the impersonator inside WhatsApp.

Verification-code theft

Someone—often posing as a contact—messages saying “I sent you a code by mistake, can you forward it back?” That six-digit code is your own WhatsApp registration code. Hand it over and the attacker registers your number on their device, locks you out, and impersonates you to your whole contact list.

Red flags: any unsolicited request for a code, even from someone you know. What to do: never share a WhatsApp registration code with anyone. If you already have, turn on two-step verification immediately and re-register your number to kick the attacker out.

Job-offer and recruiter scams

A “recruiter” reaches out cold with a remote role, unusually good pay, and almost no requirements. After some back-and-forth, they ask for an onboarding fee, banking details for “payroll setup,” or a small purchase you’ll be “reimbursed” for.

Red flags: real recruiters use LinkedIn and corporate email, not cold WhatsApp messages—and real jobs never charge candidates fees. What to do: verify the company through its official website and contact its actual HR team through the channels listed there.

Investment and crypto group scams

You’re added to a group chat that looks like a trading community. A “mentor” posts screenshots of returns while other “members” report their own wins. Eventually the mentor steers you to a specific exchange or a “managed account.”

Red flags: unsolicited group additions, guaranteed returns, urgency around limited-time deals, and exchanges nobody outside the group has heard of. What to do: leave the group, report it inside WhatsApp, and report the scam to the FTC.

Romance scams

A match from a dating app moves to WhatsApp early, builds an emotionally close relationship over weeks or months, then surfaces a financial emergency only you can solve.

Red flags: avoidance of video calls, profile photos that reverse-image-search to other people, and any financial request—however small—at any stage. What to do: stop responding, save the conversation as evidence, and report it to the FBI’s IC3 and to WhatsApp.

How to use WhatsApp safely

Most WhatsApp risk is avoidable with a few settings and one habit: verify before you trust.

  1. Turn on two-step verification. 
    Go to “settings” → “account” → “two-step verification**.” Add an email so you can recover the PIN. This single setting blocks SIM-swap takeovers.
  2. Turn on end-to-end encrypted backups. 
    Go to “settings” → “chats” → “chat backup” → “end-to-end encrypted backup.” Without this, your iCloud or Google Drive backup isn’t covered by encryption.
  3. Lock the app. 
    Go to “settings” → “privacy” → “app lock,” then turn on Face ID, Touch ID, or fingerprint—whichever your phone supports. Useful if someone grabs your unlocked phone.
  4. Tighten privacy settings. 
    Under “settings” → “privacy” restrict “last seen,” “profile photo,” “about,” and “status” to your contacts or nobody. Restrict “groups” so strangers can’t add you to spam groups.
  5. Block unknown account messages. 
    Go to “settings” → “privacy” → “advanced” → “block unknown account messages.” It cuts down on cold-contact scam volume.
  6. Never share a WhatsApp registration code. 
    Not with strangers, not with friends, not with anyone claiming to be WhatsApp support. WhatsApp will never ask for it.
  7. Verify identity by video before sending money. 
    A 30-second video call disarms most impersonation scams. Scammers can fake a voice—they can’t fake a face.
  8. Use disappearing messages and View Once for sensitive content. 
    Set a default disappearing-messages timer on chats where you share sensitive things, and use View Once for one-off photos or voice notes. 
    WhatsApp blocks screenshots of View Once media in the app, but workarounds exist—so treat anything sensitive as potentially saveable.
  9. Keep your OS and WhatsApp updated. 
    Exploits target the code around the encryption, not the encryption itself. Updates are where those holes get patched.

WhatsApp vs Signal vs Telegram

Encryption (default)Metadata collectionOwned byBest for
WhatsAppSignal Protocol, on all chatsSignificant—shared with MetaMetaPersonal messaging
SignalSignal Protocol, on all chatsMinimal—phone number onlySignal Foundation (nonprofit)Privacy-focused messaging
TelegramOnly in “Secret Chats” (off by default)Significant—includes content of non-secret chatsTelegram FZ-LLCChannels, groups, communities

Telegram has a privacy reputation in some circles, but it only encrypts the optional “Secret Chats” by default. 

Everything else, including regular group chats, sits on Telegram’s servers in a form Telegram can read—and it has its own active scam landscape to navigate.

For most people, WhatsApp’s protection of message content is enough. For the strongest practical privacy without giving up usability, Signal is the closer fit.

What to do if something goes wrong on WhatsApp

  1. Block and report the contact. 
    Open the chat → tap the contact’s name → “block” → “report contact.” This sends WhatsApp the last few messages and helps shut the account down.
  2. If your account was taken over:
    Sign back in by requesting a fresh registration code via SMS or call. Once you’re back in, the attacker is signed out automatically. Then turn on two-step verification right away.
  3. If you sent money to a scammer: 
    Contact your bank or payment provider immediately to attempt a reversal or chargeback. Document everything—screenshots, transaction IDs, and the phone number and names used.
  4. Report the scam to authorities. 
    In the US, file with the FTC and, if money was involved, the FBI’s Internet Crime Complaint Center (IC3). Outside the US, report to your national cybercrime and consumer protection agencies.
  5. If you’re being impersonated: 
    Warn your contacts through another channel—call, SMS, another app—and ask anyone targeted to report the fake account inside WhatsApp.
  6. If an account takeover led to identity theft: 
    Act fast and check whether someone is using your identity. The longer it runs, the harder the cleanup.

WhatsApp and your personal data

In short: WhatsApp’s message content is end-to-end encrypted, but the metadata it collects flows into Meta’s broader data ecosystem. The practical questions are what control you have over that sharing, what happens to your data when you delete your account, and how much of your information sits outside any single platform.

Metadata is the data WhatsApp keeps about you, and it lives across Meta’s infrastructure—not just inside the app. So the real question is how much control you have over it.

In the EU and UK, users get stronger controls under the General Data Protection Regulation (GDPR) and the Digital Markets Act. 

That includes the right to request a copy of your data and the right to deletion. Outside those regions, the controls are thinner. You can adjust ad personalization on Facebook and Instagram, but the metadata sharing into Meta’s ad graph is largely baked into WhatsApp’s terms.

Delete your account and WhatsApp removes your message history and profile information. But copies of messages held by people you’ve chatted with stay on their devices, and metadata in WhatsApp’s logs is retained for the periods set in the privacy policy. A deleted account isn’t the same as one that never existed.

Here’s the bigger picture—

Any single platform’s privacy controls only cover what you do inside that platform. 

Your wider *digital footprint*—what’s findable about you across the web, on people-search sites, in aggregated marketing profiles—isn’t shaped by WhatsApp’s settings, even though WhatsApp is one of the apps feeding it. 

Treating online privacy as a per-app problem misses most of the surface area, which is exactly where a continuous data-removal service like Incogni earns its place.



FAQ

Can hackers access your WhatsApp?

For ordinary users, the realistic routes are social engineering (phishing for your verification code) and SIM swap to hijack the phone number tied to your account—both blocked by two-step verification. State-grade spyware can compromise the device itself, as the 2025 NSO Group case confirmed, but those attacks target specific high-value individuals, not general users. The encryption itself hasn’t been broken.

Is WhatsApp safe for sending private photos?

Photos in personal chats are end-to-end encrypted in transit, so WhatsApp can’t see them. The risk is on the receiving side—the recipient can save, screenshot, or forward them. View Once makes a photo disappear after one view, but screenshots and screen recordings can still capture it on most devices. For genuinely sensitive content, assume the recipient could keep it forever.

Is WhatsApp safe for kids to use?

WhatsApp’s official minimum age is 13 in most countries and 16 in parts of the EU. In March 2026, WhatsApp added parent-managed accounts for pre-teens, letting guardians control contacts, calling, and group permissions. But the standard app is built for open social messaging—anyone with a phone number can message a child unless privacy settings are locked down. For younger kids, the FTC’s parental-controls guidance covers the broader supervision question across messaging apps.

Can WhatsApp messages be subpoenaed or accessed by law enforcement?

WhatsApp says it doesn’t store message content once it’s delivered, so there’s no message archive to subpoena. What law enforcement can request is metadata—account information, IP addresses, connection logs—and, in some cases, cloud backup contents from Apple or Google. That’s exactly why turning on end-to-end encrypted backups matters.

Is WhatsApp safer than regular SMS?

Yes, by a wide margin for message content. SMS travels in plaintext across the cellular network and is readable by carriers and anyone with interception tools. WhatsApp encrypts every message end-to-end by default, so nobody in the middle—including WhatsApp—can read them. The trade-off is metadata: SMS metadata sits with your carrier, while WhatsApp metadata sits with Meta.

Is this article helpful?
YesNo
Scroll to Top