Signal Users Targeted by New Phishing Attacks: Protect Your Backups!

TL;DR
- Signal says attackers are using phishing and impersonation to trick users into giving up verification codes, PINs, and backup recovery keys.
- The company has rolled out new in-app warnings and confirmations to slow scams and help users spot fake “Signal Support” messages.
- The best defenses are to enable registration lock, never share recovery keys, and report suspicious messages immediately.
Signal users are being targeted by phishing campaigns that impersonate Signal support and other trusted contacts in an attempt to steal account access and backup recovery keys. Reports say the attacks have been linked to Russian state-affiliated hackers, with one wave affecting hundreds of users in Germany, though Signal says the app itself was not breached.
The goal of these scams is straightforward: convince victims to reveal sensitive information that lets an attacker register the account on another device and, in some cases, access encrypted backups.
How the scam works
According to Signal’s own guidance, attackers often create fake profiles or send messages that look like official support requests.
Common tactics include:
- Asking for a registration code or SMS verification code.
- Requesting a Signal PIN.
- Tricking users into sharing their 64-character backup recovery key.
- Using urgency or warning language, such as claims that an account will be lost or locked unless the user responds immediately.
Signal emphasizes that it will never ask for verification codes, recovery keys, or payment details, and that its support team communicates only through official email addresses, not in-app messages or calls.
Why the backup recovery key matters
Signal’s secure backup system uses a recovery key that is effectively the last line of access for encrypted backups.
If an attacker gets both a verification code and a recovery key, they may be able to take over the account and access stored backup content, including past messages and some media depending on the backup plan.
That makes the recovery key especially sensitive: it is not just a convenience password, but a credential that can expose a user’s message history if stolen.
Signal’s response
Signal has started adding new in-app protections to slow down these scams and make suspicious contact easier to spot.
The new safeguards include:
- Extra warnings that profile names are not verified and can be freely chosen.
- A second confirmation step when accepting message requests.
- Prompts reminding users that Signal will never ask for registration codes, PINs, or recovery keys.
- Expanded safety tips warning users not to trust messages claiming to be from Signal Support.
Signal says more changes are coming, but it has not publicly detailed every planned defense.
How to protect your account
The most important step is to turn on registration lock in Signal’s account settings.
Other key defenses:
- Never share your SMS verification code, Signal PIN, or backup recovery key with anyone.
- Treat unexpected messages, even if they appear to come from support, as suspicious until verified.
- Use the in-app Report and Block option for suspicious contacts.
- Check for unknown linked devices in Signal’s settings and remove anything you do not recognize.
- Pay attention to message requests that pressure you to act quickly or scan a QR code.
Signal also notes that when the app itself asks you to verify a PIN or recovery key, it does so through a small in-app prompt, not through a chat message.
Warning signs of a phishing attempt
The clearest red flags are:
- A request for a code, PIN, or recovery key.
- A message claiming to be from Signal Support.
- Urgent language about account loss or suspension.
- A profile name or photo that looks official but feels off.
- A request to move the conversation outside normal support channels.
If any of those appear, stop engaging and verify through Signal’s official support route instead.
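The red flags above can be turned into a small triage heuristic, for example as a reminder inside an awareness tool or a helpdesk screening script. The following Python is an added example written for this article, not code from Signal or from the report it summarizes; the message texts are constructed samples, and the signal names, weights and threshold are my own assumptions rather than anything Signal publishes.

```python
import re

# Constructed sample message requests (not real messages from the article or from Signal).
SAMPLE_MESSAGES = [
    "Hi, this is Signal Support. Your account will be locked in 1 hour unless you "
    "send us the verification code you just received.",
    "Hey, are we still on for lunch tomorrow?",
    "Security team here. To keep your backups safe please share your 64-character "
    "recovery key. Respond immediately!",
    "Please scan this QR code to link your device, or your account will be suspended.",
]

# One entry per red flag named in the article: (pattern, weight). Weights are an assumption;
# a request for a code, PIN or recovery key is weighted highest because Signal never asks for them.
SIGNALS = {
    "requests_code_pin_or_key": (
        re.compile(r"\b(verification|registration|sms)\s+code\b|\bpin\b|\brecovery\s+key\b", re.I), 3),
    "claims_to_be_signal_support": (
        re.compile(r"\bsignal\s+(support|team|security)\b|\bsecurity\s+team\b", re.I), 2),
    "urgency_or_account_threat": (
        re.compile(r"\b(immediately|urgent|right\s+now|(within|in)\s+\d+\s+(minutes?|hours?))\b"
                   r"|\b(locked|suspended|lost|deleted)\b", re.I), 2),
    "asks_to_scan_qr_or_link_device": (
        re.compile(r"\bqr\s+code\b|\blink\s+(your|a|this)\s+device\b", re.I), 2),
}


def score_message(text):
    """Return (score, flags): the summed weight of matched signals and their names."""
    flags = []
    score = 0
    for name, (pattern, weight) in SIGNALS.items():
        if pattern.search(text):
            flags.append(name)
            score += weight
    return score, flags


def triage(text, threshold=3):
    """Classify a message request; threshold is an assumed cut-off, not a Signal value."""
    score, flags = score_message(text)
    if score >= threshold:
        verdict = "likely phishing"
    elif score == 0:
        verdict = "no red flags"
    else:
        verdict = "review"
    return {"score": score, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        result = triage(message)
        print(f"[{result['verdict']}] score={result['score']} flags={result['flags']}")
        print(f"  {message}\n")
```

Keyword heuristics like this produce false positives (a friend writing "I lost my phone" trips the urgency pattern), so the output is a prompt to slow down and verify through Signal's official support route, not an automatic block decision. The signal that deserves the most weight is the one Signal itself stresses: any request for a verification code, PIN or recovery key, regardless of who the sender claims to be.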
The bigger cybersecurity picture
The campaign highlights a familiar problem in messaging security: end-to-end encryption can protect message content, but it cannot stop users from being tricked into handing credentials to attackers.
That is why the current threat is not a breach of Signal’s encryption, but a social engineering attack aimed directly at users.
For now, the safest assumption is that unsolicited messages involving account recovery, support, or security verification are suspicious unless proven otherwise.