When most people think about phishing, they picture a sketchy email asking them to click a link or download an attachment. That picture is incomplete. Email is still a target, but attackers have also moved into the messaging apps your team uses every day.
This week, Germany’s Federal Office for the Protection of the Constitution (BfV) and Federal Office for Information Security (BSI) issued a joint warning about a campaign targeting Signal users. The attackers aren’t using malware. They aren’t exploiting software bugs. They’re using social engineering — and the app’s own features — to hijack accounts.
How the Attack Works
There are two versions of this attack, and both are disturbingly simple.
In the first, someone posing as Signal support sends you a direct message with a fake security warning. They create a sense of urgency: your account has been compromised, you need to verify immediately. Then they ask for the verification code Signal sends by SMS, and often your Signal PIN as well, because the PIN is what Registration Lock checks when a number is registered on a new device. Hand those over, and they register your account on their device. Your own app is deregistered, and your contacts see a safety number change. You're locked out. They're in.
In the second version, the attacker convinces you to scan a QR code, often dressed up as a group invite, a security alert, or device-pairing instructions. This uses Signal's legitimate linked-device feature, the same one that lets you use Signal on your computer. But instead of linking your own device, you're linking theirs. From that moment on they can read every message you send and receive, see your contacts, and monitor your group chats. Nothing about Signal's encryption is broken; their device is simply one more legitimate endpoint for your account. And unless you go digging through Settings → Linked Devices, you'd never know.
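To make the second variant concrete, here is an added example (not code from the original post, and not Signal's own code) showing what a device-linking QR code actually carries and how a small helper could flag one before anyone scans it. It assumes that Signal's linking QR decodes to a URI of the form sgnl://linkdevice?uuid=...&pub_key=..., which is how Signal Desktop builds its pairing screen; the marker-based check for other pairing formats is a heuristic, and all sample payloads below are constructed.

```python
"""Triage decoded QR payloads before they are scanned into a messaging app.

Added example, not code from the original post or from Signal. It assumes
Signal's device-linking QR decodes to a URI shaped like
sgnl://linkdevice?uuid=<device-uuid>&pub_key=<base64 key> (the form Signal
Desktop uses for its pairing screen); the payloads below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Assumption: URI scheme and host used by Signal's device-linking flow.
SIGNAL_LINK_SCHEME = "sgnl"
SIGNAL_LINK_HOST = "linkdevice"
# Substrings that suggest a pairing/provisioning request even when the exact
# scheme is unfamiliar (WhatsApp's pairing payload is opaque, so this is a
# heuristic, not a guarantee).
LINK_MARKERS = ("linkdevice", "pub_key", "provision", "pairing")


def classify_qr_payload(payload: str) -> dict:
    """Return a verdict for one decoded QR string.

    verdicts: 'device-link' (would pair a new device to your account),
    'suspicious' (looks like a pairing request of some kind),
    'web-link' (ordinary URL, still untrusted), 'other' (plain text).
    """
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    lowered = text.lower()

    if scheme == SIGNAL_LINK_SCHEME and parts.netloc.lower() == SIGNAL_LINK_HOST:
        params = parse_qs(parts.query)
        return {
            "verdict": "device-link",
            "reason": "Signal device-linking URI: scanning this pairs a new "
                      "device to your account",
            "device_uuid": params.get("uuid", [""])[0],
            "has_public_key": "pub_key" in params,
        }
    hits = [m for m in LINK_MARKERS if m in lowered]
    if hits:
        return {
            "verdict": "suspicious",
            "reason": "contains device-pairing markers: " + ", ".join(hits),
        }
    if scheme in ("http", "https"):
        return {"verdict": "web-link", "reason": f"plain web URL to {parts.netloc}"}
    return {"verdict": "other", "reason": "not a URL"}


def triage(payloads):
    """Classify a batch and return only the ones a user should refuse to scan."""
    flagged = []
    for payload in payloads:
        result = classify_qr_payload(payload)
        if result["verdict"] in ("device-link", "suspicious"):
            flagged.append((payload, result))
    return flagged


# Constructed samples (not real keys, identifiers, or passwords).
SAMPLES = [
    "sgnl://linkdevice?uuid=0f5c1c5e-2d1a-4b8e-9c1a-1234567890ab&pub_key=BdPaCAN%2Bxyz",
    "https://example.com/group-invite",
    "WIFI:T:WPA;S:office-guest;P:not-a-real-password;;",
    "whatsapp-pairing?token=deadbeef",
]

if __name__ == "__main__":
    for payload, result in triage(SAMPLES):
        print(f"{result['verdict']:12} {payload}\n    {result['reason']}")
```

The lesson the script illustrates is that a QR code is just a string, and the string that links a device looks nothing like the "group invite" it is dressed up as. In practice nobody decodes a QR code before scanning it, which is why the only reliable defense is the rule given later in this post: never scan a code someone else sent you unless you started the linking process yourself.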
This Isn’t Just a Signal Problem
WhatsApp has the same linked-device feature and is vulnerable to the same technique. Google's Threat Intelligence Group tied earlier versions of this attack to Russian state-backed groups. Ukraine's CERT-UA reported similar campaigns targeting WhatsApp. And cybercriminals have since picked up the technique for scams and fraud.
The point is this: if your team communicates through messaging apps — and most do — this is a real risk.
What You Should Do Right Now
For Signal users:
- Go to Settings → Account → Registration Lock and turn it on. Registration Lock requires your Signal PIN before your number can be registered on a new device, which stops an attacker who has only intercepted an SMS code. It cannot protect you if you hand over the PIN itself, so treat the PIN like a password.
- Go to Settings → Linked Devices and review what's connected. You should only see devices you set up yourself, such as Signal Desktop on your own computer. Remove anything you don't recognize; unlinking immediately cuts off the attacker's copy.
- Signal does not contact users through the app. If you get a message from "Signal Support," it's fake. Block and report it.
For WhatsApp users:
- Go to Settings → Linked Devices and review connected devices regularly.
- Enable two-step verification under Settings → Account → Two-step verification. It sets a PIN that WhatsApp asks for whenever your number is registered on a new phone.
- Never scan a QR code someone sends you unless you initiated the process yourself.
For everyone:
- No legitimate service will ever ask for your PIN or verification code through a chat message. Ever.
- Treat unexpected messages with the same suspicion you’d give a strange email.
- Talk to your team about this. The people most likely to fall for social engineering are the ones who don’t know it exists.
The Bigger Picture
Phishing is no longer just an email problem. It’s happening on every platform where people communicate — Signal, WhatsApp, Teams, Slack, even SMS. As businesses adopt more communication tools, the attack surface grows.
The attackers aren’t breaking encryption or finding zero-day exploits. They’re asking nicely and hoping you don’t think twice. That’s what makes this dangerous — it works on smart people who are busy and distracted.
If your business doesn’t have a plan for securing your communication channels beyond email, now is the time to build one. We can help.
Need help securing your business communications? Get in touch with Robb Technology Group — we’ll make sure your team is protected.