WhatsApp Privacy and Security Settings Everyone Should Check
WhatsApp has dozens of privacy and security controls that most users never touch — leaving profile photos, last seen timestamps, and even live location visible to people they did not intend. This step-by-step guide walks through every setting worth reviewing, from two-step verification to linked devices.
The three most important WhatsApp security steps are: enable two-step verification (Settings → Account → Two-step verification), restrict your Last Seen and profile photo to Contacts only, and review your Linked Devices list to remove any sessions you do not recognise. These three actions close the most common attack vectors.
Key Takeaways
- Two-step verification adds a six-digit PIN that prevents anyone who obtains your SIM from taking over your account.
- Keeping Last Seen, profile photo, and About visible to 'Everyone' lets strangers — including scammers — confirm your number is active.
- Linked Devices is the most commonly overlooked setting — an unknown device in that list means someone has session access to your account.
- Never share your six-digit WhatsApp registration code with anyone, including people who claim to be WhatsApp support.
Why These Settings Matter
WhatsApp is the primary communication channel for hundreds of millions of people in India, and Karnataka is no exception. Its ubiquity also makes it a priority target for fraud. Account takeover via SIM swap, impersonation of friends and family members, fake customer-care calls, and group-based scam links are all active threats documented by Karnataka’s cybercrime units.
WhatsApp’s built-in privacy and security controls are well-designed, but they are not all turned on by default. Walking through them once, and revisiting them after major app updates, is straightforward and takes under fifteen minutes.
Step 1: Enable Two-Step Verification
Open WhatsApp → tap the three-dot menu (Android) or Settings (iPhone) → Account → Two-step verification → Enable. You will be asked to set a six-digit PIN and provide a recovery email address.
This PIN is requested periodically by WhatsApp and whenever your number is registered on a new device. Anyone who manages to port or duplicate your SIM number (a real threat in India, documented in multiple CERT-In advisories) cannot complete WhatsApp registration without this PIN, even if they have your SMS OTP. The recovery email is important: use one you genuinely control, because it is your only way back in if you forget the PIN.
A common WhatsApp scam in India works like this: a caller pretending to be a friend or WhatsApp support says they “accidentally” sent you an OTP and asks you to forward the six-digit code. That code is the WhatsApp registration SMS — sharing it hands over your account immediately. WhatsApp’s official help pages confirm that WhatsApp will never call or message you to ask for your code.
Step 2: Review Who Can See Your Profile Information
Go to Settings → Privacy. You will see controls for Last Seen and Online, Profile Photo, About, and Status. Each can be set to Everyone, My Contacts, My Contacts Except…, or Nobody.
The safest baseline for most people is My Contacts for Last Seen, Profile Photo, and About. Setting these to “Everyone” means any stranger who has your phone number can confirm you are active, see your face, and read your status — information that scammers use to build convincing impersonation attempts. “Nobody” for Last Seen hides the timestamp from everyone, including your contacts, which some users prefer for personal reasons.
The “My Contacts Except…” option is useful if you are in large professional or community groups where your number is visible to people you do not personally know. You can exclude that broader set from seeing your profile photo while keeping it visible to genuine contacts.
Step 3: Manage Read Receipts and Online Status
In Settings → Privacy, you will find Read Receipts (the blue double-ticks) and the Last Seen and Online toggle. Turning off read receipts means the other person cannot see when you have read their message — the ticks remain grey. Note that this also disables read receipts for you: you will not see when others have read your messages either.
The Last Seen and Online setting has a second part: even if you hide your last-seen timestamp, WhatsApp still shows when you are actively using the app (the “online” indicator). You can suppress this too within the same menu on recent versions of WhatsApp.
Step 4: Review Linked Devices
Go to Settings → Linked Devices. This shows every browser session and secondary device currently logged into your WhatsApp account. WhatsApp Web and WhatsApp Desktop sessions appear here.
Look at each entry: the device type, browser name, and the last-active timestamp. If you see a session you do not recognise — a browser you do not use, a location timestamp that does not match your activity — tap it and select Log out. A full audit should include logging out of all sessions and re-logging in only on devices you currently use. This takes under two minutes and eliminates any persistent session access someone may have established without your knowledge.
Step 5: Control Who Can Add You to Groups
Go to Settings → Privacy → Groups. The default setting is “Everyone,” which means any WhatsApp user can add your number to a group without asking you first. This is how scam groups distributing fraudulent investment schemes, fake prize notifications, and phishing links reach new victims.
Set this to My Contacts or My Contacts Except…. When someone not in your contacts tries to add you to a group, WhatsApp will instead send you an invitation link that you can accept or decline. This single change significantly reduces unsolicited group additions.
Step 6: Check Default Message Timer
Go to Settings → Privacy → Default message timer. This sets a disappearing-messages duration for all new chats you start. Options are 24 hours, 7 days, 90 days, or off. Enabling a timer by default does not retroactively affect existing chats.
For most personal use, seven or ninety days is a sensible default — messages disappear automatically after that period from both sides of the conversation. This is particularly relevant for financial information, OTPs, and personal documents shared over WhatsApp, which people often forget are sitting in an old chat thread.
Step 7: Verify Security Codes for Sensitive Contacts
WhatsApp uses end-to-end encryption by default. You can verify that the encryption keys between you and a specific contact have not been tampered with by going to a chat → tap the contact’s name → Encryption → Scan code or compare numbers. If the 60-digit code matches on both phones, the conversation is secure. WhatsApp will also notify you if a contact’s security code changes — this usually means they got a new phone, but in rare cases it could indicate a security event.
WhatsApp publishes a full security whitepaper explaining its encryption implementation at whatsapp.com/security. For users who want technical detail about how end-to-end encryption works in practice, it is worth a read.
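To show why a matching 60-digit code means neither side is holding a substituted key, the Python example below is added here; it is not part of the original guide and is not WhatsApp's own code. It follows the fingerprint construction described in WhatsApp's security whitepaper (5200 rounds of SHA-512, first 30 bytes, six 5-byte chunks each reduced modulo 100000); the exact byte layout fed to the hash, the sample keys and the phone numbers are assumptions constructed for the illustration.

```python
import hashlib

ITERATIONS = 5200  # iteration count stated in WhatsApp's security whitepaper


def fingerprint30(identity_key: bytes, user_id: bytes) -> str:
    """30-digit fingerprint of one user's public identity key."""
    digest = identity_key + user_id
    for _ in range(ITERATIONS):
        # Assumed byte layout: the key is mixed back in on every round.
        digest = hashlib.sha512(digest + identity_key).digest()
    # First 30 bytes -> six 5-byte chunks -> big-endian integer mod 100000 each.
    chunks = [digest[i:i + 5] for i in range(0, 30, 5)]
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)


def security_code(my_key, my_id, their_key, their_id) -> str:
    """60-digit code: both fingerprints, sorted so both phones agree on order."""
    parts = sorted([fingerprint30(my_key, my_id), fingerprint30(their_key, their_id)])
    return "".join(parts)


def grouped(code: str) -> str:
    """Format as twelve groups of five digits for side-by-side comparison."""
    return " ".join(code[i:i + 5] for i in range(0, len(code), 5))


# Constructed sample data: not real keys or phone numbers.
ALICE_ID, BOB_ID = b"+910000000001", b"+910000000002"
ALICE_KEY = hashlib.sha256(b"constructed alice identity key").digest()
BOB_KEY = hashlib.sha256(b"constructed bob identity key").digest()
SUBSTITUTED_KEY = hashlib.sha256(b"constructed key that is not bob's").digest()


def codes_match(key_alice_holds_for_bob: bytes) -> bool:
    """Compare the code Alice's phone shows with the one Bob's phone shows."""
    alice_view = security_code(ALICE_KEY, ALICE_ID, key_alice_holds_for_bob, BOB_ID)
    bob_view = security_code(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
    return alice_view == bob_view


if __name__ == "__main__":
    print(grouped(security_code(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)))
    print("genuine key matches:    ", codes_match(BOB_KEY))
    print("substituted key matches:", codes_match(SUBSTITUTED_KEY))
```

Because each phone computes the code from the keys it actually holds, the comparison only proves something when it is done in person or over a channel other than the chat being verified.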
Step 8: Silence Unknown Callers
Go to Settings → Privacy → Calls → Silence unknown callers. Enabling this means WhatsApp calls from numbers not in your contacts are silenced — the call still appears in your call log, but your phone does not ring. This does not block the call; it simply prevents the interruption. For most users, this dramatically reduces nuisance calls from marketing and fraud numbers while keeping calls from known contacts unaffected.