Signal adds security warnings for social engineering, phishing attacks
by Bill Toulas · BleepingComputerSignal has introduced new in-app confirmations and warning messages as additional safeguards against phishing and social engineering attempts that could lead to various forms of fraud.
The purpose is to introduce enough friction that users get the time to evaluate the safety of an external request.
Recently, there have been attacks targeting high-profile users with bogus ‘Signal Support’ alerts, as highlighted by the FBI, the Dutch government, and the German authorities.
All incidents were attributed to Russian state-sponsored hackers, who abused the Linked Device feature to gain access to the target’s account, chats, and contacts lists.
The attack works by convincing the victim to scan a QR code or share one-time codes, supposedly as part of a verification process to protect their accounts from suspicious activity. This allows threat actors to link their device to the target account and obtain access to all the data.
“To help protect Signal users from phishing and social engineering attacks, we’ve introduced additional confirmations and educational messaging in the app to help people better detect fraudulent profiles, especially message requests from scammers posing as Signal,” the vendor explained.
The new protections are summarized as follows:
- Signal will display a ‘Name not verified’ underneath contacts that establish communication via direct messages, and also a ‘No groups in common’ to highlight the lack of any association with the recipient.
- When a new request arrives, Signal will prompt the user to confirm the acceptance while reminding them that it will never request their registration code, PIN, or recovery key.
- Safety tips are now richer, with new entries and additional info.
- Reminders to never respond to chats pretending to come from Signal Support will be pushed to users.
Source: Signal
Social engineering remains one of the most effective forms of cyberattack, providing a complete bypass of existing security measures.
Users should stay on high alert for suspicious messages from unknown contacts, especially requests to scan QR codes or share verification codes.
Signal users should also check for rogue linked devices in settings and remove any they don’t recognize.
99% of What Mythos Found Is Still Unpatched.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop.