
Signal Bolsters Defenses Against Social Engineering, Phishing Attacks

“To help protect Signal users from phishing and social engineering attacks, we’ve introduced additional confirmations and educational messaging in the app to help people better detect fraudulent profiles, especially message requests from scammers posing as Signal,” the vendor explained.

Signal's new in‑app confirmations and warning messages

Signal has rolled out in‑app confirmations and warning messages designed to introduce friction — deliberate pauses and reminders — so users have time to evaluate an external request. The vendor summarized the changes with a short list of visible prompts and richer safety tips intended to make fraudulent activity easier to spot.

  • Signal will display a “Name not verified” label beneath contacts that initiate direct messages, and a “No groups in common” indicator to highlight when a sender has no shared connections with the recipient.
  • When a new request arrives, Signal will prompt the recipient to confirm acceptance and will remind users that the app will never request their registration code, PIN, or recovery key.
  • Safety tips have been expanded with additional entries and more detailed information.
  • Users will also receive reminders to never respond to chats that claim to come from “Signal Support.”

How the Linked Device social‑engineering attack operates

The incidents that prompted the change were not technical bypasses of encryption; they were social‑engineering campaigns that manipulated victims into linking an attacker’s device to a legitimate account. According to the reporting, attackers convinced targets to either scan a QR code or share one‑time codes presented as part of a verification step. Once the attacker’s device was linked, the attacker could access the account, the victim’s chats, and the contact list.

Signal’s new confirmations are explicitly aimed at that exact vector: stopping users from following instructions to scan QR codes or share verification material when the request originates from an unknown or unverified account.

Who flagged the attacks and how they were attributed

The FBI, the Dutch government, and German authorities highlighted the campaigns in public notices, reporting a pattern of bogus “Signal Support” alerts used against high‑profile users. All incidents were attributed to Russian state‑sponsored hackers, who abused the Linked Device feature to gain access to accounts and communications.

The advisories from those authorities, as reflected in Signal’s summary, treated the activity as targeted social engineering rather than a systemic cryptographic failure — a distinction that shapes the vendor’s response toward user education and interaction design changes.

What Signal asks users to do now

Signal’s public guidance accompanying the new messages is practical and limited: stay alert to suspicious messages from unknown contacts; do not scan QR codes or share verification codes at another party’s request; and check settings for any rogue linked devices and remove those you do not recognize. The app itself will now reiterate that it will never ask for registration codes, PINs, or recovery keys — the exact items attackers have sought to extract.

What this means for high‑profile users, the named authorities, and everyday Signal users

  • High‑profile users: The campaigns targeted this group through social engineering that leveraged impersonation of “Signal Support.” Those at elevated risk will likely find the extra labels and explicit reminders useful as immediate visual cues that a request is untrusted.
  • FBI, the Dutch government, and German authorities: Having identified and attributed these incidents to Russian state‑sponsored hackers, these agencies have signaled the risk to other potential victims and created the context for vendor mitigations such as Signal’s confirmations.
  • Everyday Signal users: The new messaging is focused on behavior — do not share one‑time codes, do not scan QR codes for verification at another party’s request, and routinely inspect linked devices in settings to remove unfamiliar entries.

Social engineering remains, as the vendor puts it, “one of the most effective forms of cyberattack” because it can bypass technical protections by exploiting human trust. Signal’s response is a classic usability‑security tradeoff: add friction and clearer language where attackers have already shown they can succeed. Whether those prompts materially reduce successful account takeovers will be evident only as the new warnings reach wider adoption and as authorities continue to track similar campaigns.

Original reporting: https://www.bleepingcomputer.com/news/security/signal-adds-security-warnings-for-social-engineering-phishing-attacks/