{"id":57713,"date":"2026-04-21T12:05:43","date_gmt":"2026-04-21T10:05:43","guid":{"rendered":"https:\/\/aboutsignal.com\/?p=57713"},"modified":"2026-04-21T13:24:29","modified_gmt":"2026-04-21T11:24:29","slug":"phishing-attempts-on-signal","status":"publish","type":"post","link":"https:\/\/aboutsignal.com\/it\/blog\/phishing-attempts-on-signal\/","title":{"rendered":"Phishing attempts on Signal \u2013 How they work and how to protect yourself"},"content":{"rendered":"

You may have received a phishing message on Signal already that claims to come from Signal\u2019s team and has asked for your verification code. First, these messages are fake so do not<\/strong> reply or share any information. Instead report and block<\/a> the contact that sent this message in your app.<\/p>\n\n\n\n

Messages you send via Signal are end-to-end encrypted. This means that the messages can only be read by you and the recipient. Although Signal has an advanced system to detect spam, the servers cannot check or block the content of messages. So there is a chance that sooner or later you will receive such a phishing message.<\/p>\n\n\n\n

In this article we will look at how these phishing attacks work, what you can do to protect yourself on Signal and what to do if an attacker was successful and was able to take over your account.<\/p>\n\n\n\n

Contenuti<\/strong><\/h2>\n\n\n\n

1. How do phishing attempts on Signal work?<\/a><\/strong><\/p>\n\n\n\n

2. What happens if an attacker takes over your account?<\/a><\/strong><\/p>\n\n\n\n

3. How can you protect yourself?<\/a><\/strong><\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/p>\n\n\n\n

1. How do phishing attempts on Signal work?<\/h2>\n\n\n\n

Two different types of phishing<\/h3>\n\n\n\n

Phishing attacks are a social engineering<\/a> technique where attackers try to get sensitive information from their victims by pretending that they are someone else. This sensitive information can be login information, passwords, banking details or in the case of Signal a registration code, a PIN or a recovery key.<\/p>\n\n\n\n

It is important to note that such phishing attacks do NOT break Signal\u2019s strong encryption or use any vulnerabilities in Signal\u2019s code. Instead they try to trick users into revealing important information unintentionally.<\/p>\n\n\n\n

On Signal there are two different types of phishing attempts:<\/p>\n\n\n\n

    \n
  1. Classical scamming attempts where attackers try to manipulate their victims into sending them money, credit card details or other information that is not directly related to Signal.<\/li>\n\n\n\n
  2. Phishing attempts that try to take over a Signal account by getting victims to hand over their registration verification code and optionally their Signal PIN or recovery key as well.<\/li>\n<\/ol>\n\n\n\n

    In this article we will focus on the second type of phishing attacks as they are specifically aimed at Signal and require specific precautions and countermeasures as well. For advice on protecting against the first type of general phishing and scamming attempts that you find on all networking apps and platforms you can consult these general guidelines on how to recognize and avoid phishing scams<\/a>.<\/p>\n\n\n\n

    How the registration of a Signal account works<\/h3>\n\n\n\n

    But let\u2019s take a closer look at how phishing attacks might try to take over your Signal account. In order to understand that we have to understand how the registration of a new Signal account works in general.<\/p>\n\n\n\n

    In Signal, you register an account with your phone number<\/a>. So every Signal account is linked to a certain phone number (note that since at Signal everything is end-to-end encrypted the Signal servers only learn that a phone number is registered but cannot see any message content or who you\u2019re communicating with).<\/p>\n\n\n\n

    To verify that you actually own and control this phone number you will receive a \u201cverification code\u201d when you are registering at Signal. This verification code will be sent to you via SMS by default but you can also opt to get an automated phone call instead that will read you the verification code.<\/p>\n\n\n\n

    Here\u2019s what this verification code SMS from Signal looks like:<\/p>\n\n\n\n

    \"\"
    Verification code message from Signal<\/figcaption><\/figure>\n\n\n\n

    Only after you have entered the correct verification code can you register your new account at Signal, because the fact that you know the verification code proves to Signal that you actually own the phone number that you want to register.<\/p>\n\n\n\n

    During the registration process you will also be asked to create a Signal PIN<\/a>. This PIN is used to store your encrypted profile information (contacts, group memberships, settings) at Signal and enable you to recover it if necessary (more on that later). You can come up with a Signal PIN yourself and this can be a numerical or alphanumeric code. Signal does not know this PIN and cannot restore this PIN.<\/p>\n\n\n\n

    How attackers try to take over your Signal account<\/h3>\n\n\n\n

    Since we now have a good understanding of how the registration process at Signal works we can take a closer look at how phishing attacks that try to take over your account actually work:<\/p>\n\n\n\n

    First an attacker would take a phone, install the Signal app and start the process to register a new account. But instead of entering their own number the attacker would enter your phone number to register. But in order to complete the registration they need the verification code. And this verification code is sent to your number. So the attacker needs a way to find out the verification code, and they need to do it quickly so the timing doesn\u2019t look suspect.<\/p>\n\n\n\n

    So that\u2019s why they send out the phishing message to the victim. These messages often claim to come from \u201cSignal Support\u201d or the \u201cSignal Security Chatbot\u201d and they often look something like this (they also might be translated to your native language):<\/p>\n\n\n\n

    \"\"
    Fake phishing message asking for your verification code<\/figcaption><\/figure>\n\n\n\n

    These phishing messages can differ a bit and also look something like this (examples taken from the FBI\u2019s warning website<\/a>):<\/p>\n\n\n\n

    \n

    \u201cDear user,
    This is Signal Security Support ChatBot.
    We have noticed suspicious activity on your device, which could have led to data leak. We have also detected attempts to gain access to your private data on Signal. To prevent this, you have to pass verification procedure, entering the verification code to Signal Security Support ChatBot. DON’T TELL ANYONE THE CODE, NOT EVEN SIGNAL EMPLOYEES.\u201d<\/mark><\/p>\n<\/blockquote>\n\n\n\n

    \n

    \u201cSignal Security Team
    Recently, attempts to hack users of our messenger with the connection of third-party devices to the account have become more frequent.
    In this regard, Signal updates Terms of Service & Privacy Policy and introduces Mandatory Two-factor Verification for users.
    Stay safe and thank you for using the most
    secure messenger with end-to-end encryption.\u201d<\/mark><\/p>\n<\/blockquote>\n\n\n\n

    \n

    \u201cOur system has detected a recent login attempt to your account from an unrecognized device or location. As a security measure, we have blocked this attempt and sent a verification code via SMS to your registered phone number.
    If this was NOT you:
    To secure your account and block this unauthorized access please reply to this message with the verification code you just received.
    If this WAS you:
    You can safely ignore this message.
    The login attempt will be automatically approved shortly.
    Thank you for helping us keep your account secure.\u201d<\/mark><\/p>\n<\/blockquote>\n\n\n\n

    \n

    \u201cDear user,
    This is Signal Security Support Chatbot. Another Samsung Galaxy S 10 device is connected to your account.
    Location: Drohobych, Lvivska oblast, Ukraine – IP: 178.212.97.211
    If it were not you, send: \/Cancel\u201d<\/mark><\/p>\n<\/blockquote>\n\n\n\n

    \n

    \u201cDear user,
    We noticed suspicious activity on your device, which have led to data leak. We have also detected attempts to gain access to your private data in Signal. To prevent this, we ask you to pass verification procedure, which will take less than a minute. Please let us know as soon as you are ready. Best regards,
    Signal support\u201d<\/mark><\/p>\n<\/blockquote>\n\n\n\n

    Sometimes these attacks ask you to send your verification code right away, sometimes they want some general reply from you first so the attacker can make sure you\u2019re online and responsive before asking for your verification code.<\/p>\n\n\n\n

    However the attacks evolve, one thing stays the same: As soon as you send the attacker your verification code that you receive via SMS the attacker has everything they need. They already knew your phone number and entered it during the registration process. But they now also have the verification code associated with this phone number. Signal assumes that the attacker actually owns your phone number (because the attacker has the verification code) and lets them register your phone number.<\/p>\n\n\n\n

    If it plays out like described, the attacker has been successful. They are now able to take over your Signal account and can start to reach out to other people on Signal and pretend to be you. But there\u2019s good news:<\/p>\n\n\n\n

    1. The attacker has no access to your old messages and conversations. They also have no access to your profile information or contact list (for more see the next section on Signal PIN). Instead a completely new Signal account associated with your phone number has been created.<\/p>\n\n\n\n

    2. Since the attacker has registered your account on a new device, the so-called \u201csafety number<\/a>\u201d of your conversations will change. This safety number is linked to a key on your physical device and it is used to detect attacchi man in the middle<\/a>. That means that all your conversation partners will get a small note in their chats that shows that something has changed with your account. This message will be shown in their 1:1 chats with you and also in groups where both of you are members.<\/p>\n\n\n\n

    \"\"
    Notification of a safety number change in a Signal chat<\/figcaption><\/figure>\n\n\n\n

    Ideally they will note that change and become a bit suspicious. Even more ideally they will reach out to you on a different channel (say via email or a phone call) and confirm with you that there\u2019s a good reason for this change of your safety number (you lost your old phone for example and got a new one).<\/p>\n\n\n\n

    What they shouldn\u2019t do is just to ask in your Signal chat if everything is alright. Because since your account is controlled by the attacker now they can just reply that everything is okay and come up with a good excuse. To prevent that, your friends can send a question where they are sure that only you will know the correct answer (\u201cwhere did we first meet?\u201d or \u201cwhat\u2019s the name of my dog?\u201d)<\/p>\n\n\n\n

    3. On your phone you will be logged out of your Signal account immediately and will see a prominent message that you are not registered at Signal anymore reading something like this:<\/p>\n\n\n\n

    \u201cThis device is no longer registered. This is likely because you registered your phone number with Signal on a different device.\u201d<\/em><\/p>\n\n\n\n

    So you will notice this attack very soon and since you still control your phone number you can register your phone number again at Signal, receive a fresh SMS verification code and take back your account quickly. That is unless the attacker has attempted to change the phone number of your account, but we will come back to this in a bit<\/a>.<\/p>\n\n\n\n

    In the next section let\u2019s take a closer look at what actually happens when an attacker has been able to take over your account and how different scenarios and settings in Signal work to make it harder for an attacker.<\/p>\n\n\n\n

    2. What happens if an attacker takes over your account?<\/h2>\n\n\n\n

    The attack scenario we have described in the last section was just the most simple scenario that hasn\u2019t included the role of the Signal PIN yet.<\/p>\n\n\n\n

    As we have mentioned in our description of the Signal registration process, you are asked to set a numeric or alphanumeric Signal PIN while registering. While you can choose to set no PIN at all (by clicking on the three dot menu during registration) it is a good idea to use the Signal PIN and set a secure PIN while you\u2019re at it. This allows Signal to store your profile information, your contacts list, group memberships, your settings and your block list encrypted on the server and recover it for you when you register your account again.<\/p>\n\n\n\n

    This means that if you have not set a Signal PIN at all, or an attacker doesn\u2019t know your Signal PIN, they will never be able to access your profile information, group memberships or contact list.<\/p>\n\n\n\n

    By choosing a Signal PIN you can also activate a powerful protection layer against any phishing attacks by enabling a security setting in Signal that is called \u201cregistration lock\u201d. You can enable the registration lock in the settings of your Signal app in the section \u201cAccount\u201d (if the option is not available you will have to set a PIN first).<\/p>\n\n\n\n

    \"\"
    Settings for Signal PIN and registration lock<\/figcaption><\/figure>\n\n\n\n

    When the registration lock setting is enabled (note that it is not enabled by default) an attacker who wants to register a Signal account with your phone number needs to know two things:<\/p>\n\n\n\n