FBI Warns of Russian Phishing Targeting Signal and WhatsApp Users
Cybersecurity officials are sounding the alarm after the FBI warned of a Russian-linked phishing campaign that targets users of encrypted messaging apps—especially Signal and WhatsApp. While these platforms are widely trusted for their end-to-end encryption, attackers don’t need to “break” encryption to steal data. Instead, they focus on the weakest point in most security models: the user.
This new wave of phishing aims to trick people into handing over access codes, linking attacker-controlled devices, or installing malicious software—all of which can allow criminals to view messages, hijack accounts, and potentially compromise workplaces, journalists, activists, and everyday users alike.
Why Signal and WhatsApp Users Are Being Targeted
Signal and WhatsApp are attractive to threat actors because they carry high-value conversations. Messaging app accounts often contain:
- Personal chats and sensitive images
- Business communications and internal discussions
- Verification codes sent by banks or services
- Links to shared documents, calendars, and contacts
- Private group chats with politically or financially valuable intel
Even with encryption, attackers can succeed if they convince a user to:
- Share a verification code (SMS or in-app)
- Approve a fake “security check” that is actually an account takeover
- Link a new device controlled by the attacker
- Install malware or a fake “update”
How the Phishing Campaign Works
According to the FBI’s warning, the campaign uses classic social engineering tactics—often tailored to feel urgent, authoritative, or familiar. The goal is to move the victim from a normal chat environment into an attacker-controlled flow where credentials or access tokens are harvested.
1) Fake Security Alerts and Account Warnings
A common technique is impersonating a trusted service and delivering a message like:
- “Your account has been flagged for suspicious activity.”
- “A new device tried to sign in—verify now.”
- “Your messages may be at risk—confirm your identity.”
These messages push users to click a link that leads to a spoofed login page or a page asking for a code. The copy is designed to create anxiety and speed up decision-making.
2) Malicious Links Disguised as Invitations or Files
Attackers often hide behind seemingly normal prompts such as:
- Group chat invitations
- Document shares (“review this PDF”)
- Voice message or video attachments
- “Friend request” or contact verification
The link may redirect to a phishing domain that looks like a legitimate brand, or it may initiate a download for spyware, credential stealers, or remote-access tools.
3) Device Linking and QR-Code Tricks
Modern messaging apps allow users to link additional devices (for example, a desktop client). Threat actors can exploit this workflow by tricking someone into linking an attacker device—sometimes using a QR code lure, a fake “web login” prompt, or social engineering that frames the action as a security step.
Once a malicious device is linked, attackers may be able to read messages as they arrive, depending on the app’s behavior, device settings, and whether additional security features are enabled.
What Makes This Threat Especially Dangerous
This campaign stands out because it targets the communication layer rather than a single website login. Messaging apps are where people share:
- Passwords and one-time codes (even if they shouldn’t)
- Meeting locations and travel plans
- Private work discussions
- Media and confidential sources
When an attacker gains access to a messaging account, they can also run follow-on attacks that are even harder to detect—like impersonating the victim inside trusted group chats, requesting money, or sending malware links to contacts who are likely to believe them.
Who Is Most at Risk?
Although anyone can be targeted, phishing campaigns like this often focus on people with higher-value access and information. Groups that may face elevated risk include:
- Journalists communicating with confidential sources
- Government employees and contractors
- Military personnel and their families
- Activists, diplomats, and NGO staff
- Business leaders handling finance, operations, or IP
That said, broad phishing can also target everyday users at scale—especially if attackers are gathering accounts for identity fraud, extortion, or resale.
How to Spot a Signal or WhatsApp Phishing Attempt
Many phishing messages share predictable red flags. Be cautious if you see:
- Unexpected “security” messages pushing urgency
- Links that don’t match official domains
- Requests for verification codes or PINs
- Spelling/grammar issues or odd formatting
- A contact acting “off,” suddenly asking you to click something
- Pressure to act quickly (“within 10 minutes”)
A critical rule: No legitimate support agent or security system should ask you to send them your one-time code. If someone asks for it, assume it’s a takeover attempt.
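The red flags above can be checked mechanically when triaging a reported message. The following is an added example, not code from the FBI warning or from either app: the allowlist of official domains, the keyword patterns, and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the defender maintains this allowlist of official domains.
OFFICIAL = ("signal.org", "whatsapp.com", "wa.me")
BRANDS = ("signal", "whatsapp")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
CODE_RE = re.compile(r"\b(verification code|one-time code|pin)\b", re.I)
URGENT_RE = re.compile(r"\b(verify now|immediately|within \d+ minutes)\b", re.I)

def is_official(host):
    """Exact match or true subdomain only; 'whatsapp.com.evil.example' fails."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def classify_url(url):
    """Return a flag string for a suspicious URL, or None if the host is official."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return "malformed_url"
    if "@" in parts.netloc:  # text before '@' is userinfo, not the host
        return "userinfo_trick:" + host
    if is_official(host):
        return None
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return "non_ascii_or_punycode_host:" + host
    if any(brand in host for brand in BRANDS):
        return "brand_lookalike_host:" + host
    return "unofficial_link:" + host

def triage(message):
    """Collect red flags for one message: link hosts, code requests, urgency."""
    flags = [f for f in map(classify_url, URL_RE.findall(message)) if f]
    if CODE_RE.search(message):
        flags.append("asks_for_code")
    if URGENT_RE.search(message):
        flags.append("urgency")
    return flags

# Constructed sample messages (not taken from the campaign).
SAMPLES = [
    "Your account has been flagged. Verify now: https://whatsapp.com.account-check.example/login",
    "A new device tried to sign in: https://signal.org@login-review.example/link",
    "Support here, please send me the verification code you just received.",
    "Get the desktop client from https://signal.org/download",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg), "<-", msg)
```

An empty result only means none of these specific checks fired; an unexpected link or request still needs out-of-band verification.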
Best Practices to Protect Your Signal and WhatsApp Accounts
Good security doesn’t require paranoia—it requires consistent habits. Here are practical steps that significantly reduce your risk.
Enable Strong App-Based Security Features
- Turn on two-step verification where available (WhatsApp offers a PIN-based feature; Signal includes registration lock functionality in many setups).
- Use a strong device passcode and enable biometric locking for the app if supported.
- Keep your app updated to patch vulnerabilities and improve protection against known attack patterns.
Be Careful With Device Linking
- Only link devices you personally control.
- Review linked devices in the app settings and remove anything unfamiliar.
- If you’re prompted to link a device unexpectedly, stop and verify through an independent channel.
Verify Messages and Requests Out-of-Band
If a coworker, friend, or “support” account asks you to click a link or share a code, verify using a separate method:
- Call a known phone number
- Send an email to a trusted address
- Ask a pre-agreed verification question
Avoid Clicking Unknown Links—Even From Contacts
If an attacker takes over someone’s account, they can send phishing links that look more credible because they come from a trusted name. If a link arrives unexpectedly, treat it as suspicious until confirmed.
Harden Your Phone, Not Just the App
- Install apps only from official app stores.
- Don’t allow “unknown sources” installs unless you truly need it.
- Use a reputable mobile security tool if you’re high risk.
- Back up important data securely and keep recovery options current.
What to Do If You Think You’ve Been Phished
If you suspect you clicked a malicious link or shared a code, act quickly. Speed matters in account takeover situations.
- Change relevant passwords (email first, then other services) and revoke suspicious sessions where possible.
- Check linked devices in WhatsApp/Signal and remove anything you don’t recognize.
- Enable or reset two-step verification immediately.
- Alert your contacts that your account may be compromised so they don’t trust recent messages.
- Scan your device and remove unknown apps or profiles.
- Report the incident to your organization’s security team (if applicable) and consider reporting to relevant authorities.
Key Takeaway: Encryption Doesn’t Stop Social Engineering
The FBI’s warning highlights a reality that many people overlook: end-to-end encryption protects data in transit, but it can’t protect you from giving an attacker the keys. Phishing attacks succeed by exploiting trust, urgency, and routine behavior—especially around logins, device linking, and verification codes.
By slowing down, verifying requests, enabling strong settings, and regularly reviewing your account security, you can dramatically reduce the odds of falling victim—whether you use Signal, WhatsApp, or any other messaging platform.
Bottom line: Treat unexpected security prompts and device-link requests as suspicious by default, and never share one-time codes with anyone—no matter how legitimate the message appears.
Published by QUE.COM Intelligence


