Signal confirms targeted phishing attacks leading to account takeovers
Signal has confirmed that a wave of targeted phishing campaigns has led to account takeovers affecting some high-profile users, including journalists and government officials. The company says attackers are not exploiting flaws in Signal’s encryption or infrastructure. Instead, they are using social engineering tactics to trick victims into sharing authentication codes and account credentials.
Signal emphasized that its end-to-end encryption remains secure and that the attacks rely entirely on manipulating users rather than breaking the platform’s technical protections. Once attackers gain access to verification codes or account PINs, they can register the victim’s phone number on another device and take control of the account.
These incidents highlight a broader cybersecurity trend where attackers focus on human-targeted phishing tactics rather than exploiting software vulnerabilities.
How the phishing attacks work
The phishing campaigns typically begin with attackers impersonating trusted contacts or support representatives. In several reported cases, attackers used a fake “Signal Support Bot” to contact potential targets and persuade them to share sensitive login information.
Victims are tricked into providing:
- SMS verification codes used for Signal registration
- Signal PINs used for account security
- Device registration confirmation details
Once attackers obtain these credentials, they can register the victim’s phone number on another device and gain control of the account.
After the takeover, attackers can impersonate the victim and message their contacts, for example to spread further phishing lures. Re-registering the number does not hand over the victim's message history, which lives only on the victim's own devices, but any contact who overlooks the resulting safety-number change notification will keep sending new messages to the attacker-controlled device.
Key details about the attack campaign
| Item | Details |
|---|---|
| Platform affected | Signal messaging service |
| Attack type | Targeted phishing and social engineering |
| Primary targets | Journalists, government officials, and high-profile users |
| Goal | Harvest SMS verification codes and Signal PINs |
| Result | Account takeover through unauthorized device provisioning |
| Encryption status | Signal confirms encryption remains uncompromised |
Signal stressed that these attacks do not involve weaknesses in its encryption system; attackers rely instead on convincing victims to hand over authentication information voluntarily.
Why social engineering works in messaging apps
Messaging platforms often rely on phone numbers for account registration and verification. While this approach simplifies account setup, it also creates an opportunity for attackers who can obtain verification codes through deception.
Attackers frequently combine phishing techniques with impersonation tactics to increase credibility. For example, they may pose as technical support staff or automated bots offering assistance.
Because the messages appear legitimate, victims may feel pressured to respond quickly and provide the requested information.
Security experts say that social engineering attacks continue to succeed because they target human behavior rather than technical flaws.
Signal’s response and security guidance
Signal says it is working to strengthen safeguards that help users recognize and avoid phishing attempts. The company also reminded users that official Signal support will never contact them through in-app messages, SMS, or social media to request verification codes or PINs.
The platform already warns users during account setup that verification codes should never be shared with others.
Signal also recommends enabling additional account protections such as registration lock, which requires a PIN when registering a phone number on a new device.
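To make the takeover mechanism described in "How the phishing attacks work" and the value of registration lock concrete, here is a simplified model of phone-number re-registration. It is an illustrative example written for this article, not Signal's code or protocol: the server logic, the account and method names, the PIN hashing, and the constructed attacker scenarios are all assumptions. It shows three outcomes: without registration lock a phished SMS code alone moves the number to the attacker's device; with registration lock the code alone is rejected; and if the victim is also talked into revealing the PIN, the lock is defeated.

```python
"""Simplified model of phone-number re-registration with an optional
registration-lock PIN. Illustration only: not Signal's code or protocol."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    phone: str
    device_id: str                       # device that currently holds the number
    pin_hash: Optional[bytes] = None     # set when registration lock is enabled
    pin_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pending_sms_code: Optional[str] = None


class RegistrationServer:
    """Owns accounts and the one-time SMS codes issued during registration (assumed model)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def _hash_pin(self, acct: Account, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), acct.pin_salt, 100_000)

    def create_account(self, phone: str, device_id: str) -> Account:
        acct = Account(phone=phone, device_id=device_id)
        self.accounts[phone] = acct
        return acct

    def enable_registration_lock(self, phone: str, pin: str) -> None:
        acct = self.accounts[phone]
        acct.pin_hash = self._hash_pin(acct, pin)

    def request_sms_code(self, phone: str) -> str:
        """Issue a fresh 6-digit code. In reality it is delivered by SMS to the
        phone, which is why a victim who reads it out hands it to the attacker."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.accounts[phone].pending_sms_code = code
        return code

    def register_device(self, phone: str, sms_code: str, new_device_id: str,
                        pin: Optional[str] = None) -> str:
        acct = self.accounts[phone]
        if acct.pending_sms_code is None or not hmac.compare_digest(sms_code, acct.pending_sms_code):
            return "rejected: bad or expired SMS code"
        acct.pending_sms_code = None  # one-time use, consumed even if the PIN check fails below
        if acct.pin_hash is not None:
            if pin is None or not hmac.compare_digest(self._hash_pin(acct, pin), acct.pin_hash):
                return "rejected: registration lock requires the correct PIN"
        acct.device_id = new_device_id  # the number now belongs to the new device
        return "registered"


def run_scenarios() -> Dict[str, str]:
    """Constructed attacker scenarios; phone numbers and PIN are made up."""
    results: Dict[str, str] = {}
    srv = RegistrationServer()

    # Victim without registration lock: the phished SMS code alone is enough.
    srv.create_account("+15555550100", "victim-phone")
    code = srv.request_sms_code("+15555550100")   # attacker starts registration, code lands on victim's phone
    results["no_lock_code_only"] = srv.register_device("+15555550100", code, "attacker-phone")
    results["no_lock_owner"] = srv.accounts["+15555550100"].device_id

    # Victim with registration lock: the code alone is rejected ...
    srv.create_account("+15555550101", "victim-phone")
    srv.enable_registration_lock("+15555550101", "4920-secret")
    code = srv.request_sms_code("+15555550101")
    results["lock_code_only"] = srv.register_device("+15555550101", code, "attacker-phone")
    # ... and the consumed code cannot be replayed, even with the right PIN ...
    results["replayed_code"] = srv.register_device("+15555550101", code, "attacker-phone", pin="4920-secret")
    # ... but if the victim is also talked into revealing the PIN, the lock is defeated.
    code = srv.request_sms_code("+15555550101")
    results["lock_code_and_pin"] = srv.register_device("+15555550101", code, "attacker-phone", pin="4920-secret")
    results["lock_owner"] = srv.accounts["+15555550101"].device_id
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} {outcome}")
```

The point the model makes is the one in the guidance above: registration lock turns a phished SMS code from a full takeover into a rejected attempt, but only as long as the PIN itself is never disclosed.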
Security tips to prevent Signal account takeover
Users can reduce the risk of account compromise by following these security practices.
- Never share SMS verification codes with anyone
- Do not reveal your Signal PIN to third parties
- Enable registration lock within Signal settings
- Verify the identity of anyone claiming to be support staff
- Ignore unsolicited messages asking for authentication information
High-risk users such as journalists or government employees should also adopt stricter operational security practices when communicating through messaging platforms.
Indicators of a phishing attempt
Security teams and users should watch for suspicious activity that may indicate an attempted account takeover.
Common warning signs include:
- Messages from accounts claiming to be Signal support
- Requests for verification codes or PINs
- Urgent instructions to confirm account access
- Unknown contacts requesting authentication information
Users encountering these messages should ignore them and report the incident.
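The warning signs above can be turned into a simple client-side triage rule. The following is an added example written for this article, not Signal's code; because Signal messages are end-to-end encrypted, a check like this can only run on the user's own device over messages the user chooses to screen. The patterns, weights, threshold and the four sample messages are all constructed assumptions.

```python
"""Heuristic triage of inbound messages for Signal-support phishing indicators.
Illustration for this article; patterns, weights and samples are assumptions."""
import re
from typing import Dict, List, Tuple

# Each pattern corresponds to one of the warning signs listed in the article.
SUPPORT_CLAIM = re.compile(r"\b(signal\s*(support|team|security)|support\s*bot)\b", re.I)
CODE_REQUEST = re.compile(r"\b(verification|sms|registration)\s*code\b|\bpin\b", re.I)
URGENCY = re.compile(r"\b(immediately|urgent|within \d+ (minutes|hours)|will be (locked|deleted|suspended))\b", re.I)
CONFIRM_ACCESS = re.compile(r"\b(confirm|verify|re-?register|reactivate)\b.*\b(account|device|number)\b", re.I)

# Weights are assumptions: asking for a code or PIN, or posing as support, counts most.
WEIGHTS = {
    "claims to be Signal support": 2,
    "asks for a verification code or PIN": 2,
    "urgent or threatening language": 1,
    "asks to confirm account or device access": 1,
    "sender is not a known contact": 1,
}
THRESHOLD = 3


def score_message(sender: str, text: str, known_contact: bool) -> Tuple[int, List[str]]:
    """Return a risk score and the indicators that fired for one message."""
    haystack = f"{sender} {text}"
    reasons: List[str] = []
    if SUPPORT_CLAIM.search(haystack):
        reasons.append("claims to be Signal support")
    if CODE_REQUEST.search(text):
        reasons.append("asks for a verification code or PIN")
    if URGENCY.search(text):
        reasons.append("urgent or threatening language")
    if CONFIRM_ACCESS.search(text):
        reasons.append("asks to confirm account or device access")
    if not known_contact:
        reasons.append("sender is not a known contact")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(messages: List[Dict], threshold: int = THRESHOLD) -> List[Dict]:
    """Annotate each message with its score, fired indicators and a flag."""
    out = []
    for m in messages:
        score, reasons = score_message(m["sender"], m["text"], m["known_contact"])
        out.append({**m, "score": score, "reasons": reasons, "flagged": score >= threshold})
    return out


# Constructed sample messages (not real captures).
SAMPLES = [
    {"sender": "Signal Support Bot", "known_contact": False,
     "text": "Your account will be suspended within 24 hours. Reply with the "
             "verification code we just sent to confirm your account."},
    {"sender": "Alex", "known_contact": True,
     "text": "Hey, are you coming to dinner tonight?"},
    {"sender": "+15555550199", "known_contact": False,
     "text": "Hi, this is Dana from the conference, can we set up a call?"},
    # A known contact whose account was already taken over and is now used as a lure.
    {"sender": "Alex", "known_contact": True,
     "text": "Can you send me the PIN you got? I need it to reactivate my device"},
]


if __name__ == "__main__":
    for r in triage(SAMPLES):
        status = "FLAG" if r["flagged"] else "ok  "
        print(f"{status} score={r['score']} from={r['sender']!r} {r['reasons']}")
```

Note that the fourth sample is flagged even though it comes from a known contact: a request for a PIN or code is suspicious regardless of who appears to send it, which matters because a taken-over account is used to phish the victim's own contacts.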
FAQ
Was Signal's encryption or infrastructure compromised?
No. Signal confirmed that its infrastructure and end-to-end encryption remain secure. The attacks rely on phishing and social engineering rather than technical vulnerabilities.
How do attackers take over an account?
Attackers trick victims into sharing SMS verification codes or Signal PINs. With this information, they can register the victim’s phone number on a new device.
Who is being targeted?
The phishing campaigns appear to focus on high-profile users such as journalists, government officials, and individuals who handle sensitive information.
How can users protect themselves?
Users should never share verification codes, enable registration lock, and ignore messages claiming to be Signal support asking for authentication details.