Bitdefender: Over one million Romanians received fraudulent delivery SMS messages in the largest online scam campaign of 2026

BUCHAREST, March 12, 2026. Cybersecurity researchers at Bitdefender have identified a large-scale scam campaign targeting users in Romania. Attackers are sending SMS messages that appear to come from FAN Courier, the leader of the local courier market, directing recipients to a fake website. Through this site, hackers seize control of the user’s WhatsApp account and subsequently solicit money from the victim’s contacts.

The courier company FAN Courier has no connection to this campaign; it is a victim of the unauthorized use of its brand by unknown cyber attackers. This incident does not represent a security breach of FAN Courier, but rather a social engineering campaign carried out by attackers exploiting public trust in well-known brands.

According to Bitdefender data, over one million people have received these messages. The campaign does not involve installing malware on the phone; instead, it relies on psychological manipulation and the theft of login credentials.

How the attack works

The victim receives an SMS informing them that a package is associated with their phone number and that they must choose a locker for pickup. The message looks like a legitimate delivery notification, leading many people to click the link without suspicion. The link leads to a website that clones FAN Courier’s visual identity but is hosted on a domain controlled by the attackers.

In parallel, the hackers initiate the re-registration of the victim’s phone number on another device. WhatsApp sends a genuine verification code to the victim’s phone, and the fake page prompts them to enter that code under the pretext of confirming the delivery.

Once the victim enters the code, the attackers complete the authentication process on their own device and take control of the WhatsApp account. The victim is unaware that they have authorized the transfer and has no malicious software installed on their phone.

What happens after the account is hijacked

After taking over the account, attackers contact people in the victim’s contact list and send urgent requests for money. The messages usually mention an emergency and promise to return the sum the next day. In some cases, attackers ask for the money to be sent to a different bank account. There are indications that these accounts—sometimes opened at Romanian banks—belong to individuals who have themselves lost access to their bank accounts following other types of cyberattacks.

Because the money requests come from a trusted contact, recipients tend to respond without verifying the situation. This second phase of the attack is what generates financial gain for the attackers.

Signs to recognize fake messages

There are several red flags: suspicious domains that do not match the official FAN Courier website, messages sent from random phone numbers, and, most importantly, the request to enter a WhatsApp confirmation code. No legitimate courier service will ever request such a verification code.

  • Do not click on courier links received via unexpected SMS messages.
  • Manually enter the courier’s official address into your browser.
  • Never enter WhatsApp verification codes anywhere outside the WhatsApp app.
  • Enable two-step verification in WhatsApp (Settings → Account → Two-step verification).
  • Verify any urgent money request received on WhatsApp by calling the person making the request.
  • Use the courier company’s official app to check package status and perform other operations.
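The red flags above can be applied mechanically when triaging reported messages or landing-page text. The following Python is an added example, not code from Bitdefender or FAN Courier; it assumes fancourier.ro is the courier's official domain (the release does not state it), and the sample senders, messages and the .example host are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the courier's official registrable domain (not stated in the release).
OFFICIAL_DOMAINS = {"fancourier.ro"}
BRAND = re.compile(r"fan[\s\-_.]*courier", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
PHONE_SENDER = re.compile(r"^\+?\d{9,15}$")  # sender is a full subscriber number
# Intended for courier-themed SMS or page text, not WhatsApp's own code message.
WA_CODE = re.compile(
    r"whatsapp.{0,60}\bcod(?:e|es|ul)?\b|\bcod(?:e|es|ul)?\b.{0,60}whatsapp",
    re.I | re.S,
)

def is_official(host):
    """True only for the official domain or a subdomain of it."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def red_flags(sender, text):
    """Return which of the article's red flags apply to one SMS or page text."""
    flags = set()
    hosts = [urlsplit(u).hostname or "" for u in URL.findall(text)]
    mentions_brand = bool(BRAND.search(text))
    # Brand name used, but a link points somewhere other than the official site.
    if mentions_brand and any(h and not is_official(h) for h in hosts):
        flags.add("brand_on_unofficial_domain")
    # Brand name used, but the sender is an ordinary phone number.
    if mentions_brand and PHONE_SENDER.match(sender.replace(" ", "")):
        flags.add("brand_from_plain_phone_number")
    # Any request involving a WhatsApp code is the decisive sign.
    if WA_CODE.search(text):
        flags.add("asks_for_whatsapp_code")
    return flags

# Constructed samples: (sender, text)
SAMPLES = [
    ("+40 700 000 001", "FAN Courier: a package is linked to your number. "
     "Choose a locker: https://fancourier.ro.locker-pickup.example/a1"),
    ("FANCourier", "Your parcel is on its way: https://www.fancourier.ro/"),
    ("", "To confirm delivery, enter the 6-digit code you received from WhatsApp."),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sorted(red_flags(sender, text)), "<-", text[:50])
```

The first sample shows why the host comparison is anchored on the end of the name: a lookalike that merely starts with the official domain is still treated as unofficial.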

Immediate measures in case of losing a WhatsApp account

  • Re-register your phone number in WhatsApp or reinstall the application.
  • Notify your contacts via alternative channels to ignore any money requests coming from your account.
  • If the attackers enabled two-step verification before you regained access, recovering the account may require going through WhatsApp’s security reset process.

About Bitdefender

Bitdefender is a recognized leader in IT security, providing superior solutions for prevention, detection, and response to cybersecurity incidents. Millions of systems used by individuals, businesses, and government institutions are protected by the company’s solutions, making Bitdefender one of the most trusted experts in combating cyber threats, protecting privacy and data, digital identity, and strengthening resilience to attacks.

As a result of sustained investment in R&D, Bitdefender labs discover hundreds of new threats every minute and validate 50 billion threat queries daily. The company has constantly innovated in fields such as anti-malware, the Internet of Things, behavioral analysis, and artificial intelligence. Bitdefender technologies are licensed to over 200 of the world’s most recognized security brands. Founded in 2001, Bitdefender has customers in over 170 countries and offices on all continents. More details are available at www.bitdefender.ro.
