The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued a formal joint warning last week about mass phishing campaigns targeting Signal and WhatsApp accounts. The campaigns are attributed to threat actors affiliated with Russian intelligence services, and the results are serious: thousands of individual accounts compromised, with attackers able to read private message histories, impersonate victims, and use compromised accounts to launch further attacks against the victim's own contacts.
Similar warnings have come from cybersecurity agencies in France, Germany, and the Netherlands in the same period. This is not an isolated incident or a narrowly targeted operation — it is an active, large-scale campaign that has been running continuously and producing results.
The most important thing to understand about this attack is what it does not exploit. It does not break Signal's or WhatsApp's encryption. It does not require a vulnerability in the apps or your device. It works entirely through deception — tricking you into voluntarily handing over the access that the attacker needs. When your messages are encrypted, the encryption protects them from interception in transit. It does not protect them from someone who has been given the keys to your account.
Who Is Being Targeted?
The FBI's warning names the primary target profile: current and former government officials, military personnel, political figures, and journalists. Cybersecurity agencies in France and Germany have added business leaders, lawyers, and professionals who handle sensitive information to the target list.
The reason for this targeting is straightforward. These individuals use messaging apps to communicate about things that have value to an intelligence operation: legal advice, business negotiations, financial information, sensitive personal communications, and the contact networks of people in positions of influence. A compromised WhatsApp account belonging to a managing partner at a law firm does not just expose that individual's messages — it exposes the messages of every client, colleague, and contact who communicated with them through the platform.
This matters for the UK professional services audience in particular. Lawyers, IFAs, accountants, GPs, and business owners routinely use WhatsApp and Signal for client communications — often because clients prefer it, and because it feels more secure than email. The encryption of these apps is real. But the attack being described by the FBI does not target the encryption. It targets the person using the app.
How the Attack Actually Works
The campaign uses two distinct social engineering approaches, each with different consequences for the victim. Both rely on the attacker impersonating either a trusted contact or an official service — most commonly posing as Signal or WhatsApp support staff.
Method One: Stealing the Verification Code or PIN
In the first approach, the attacker contacts the target — typically via message, email, or phone call — and poses as support staff for Signal or WhatsApp. They create a pretext requiring the target to provide their SMS verification code or app PIN, often framed as account verification, a security check, or an urgent account issue that needs resolving.
If the target provides the code or PIN, the attacker uses it to take over the account on their own device. The consequence for the victim is immediate and complete: they lose access to their own account. The attacker can now read all new incoming messages, send messages impersonating the victim, and use the victim's identity to approach the victim's own contacts with further social engineering.
The attacker cannot access the victim's historical message archive through this method — previous messages are stored on the victim's device, not transferred when the account moves. But from the moment of takeover, every new message sent to that account belongs to the attacker.
Method Two: The Linked Device Attack via QR Code or Link
The second approach is more subtle and, in some respects, more dangerous. The attacker sends a link or QR code, again typically under the guise of a security process, an invitation, or an account action requiring the target's confirmation. When the victim clicks the link or scans the QR code, a device under the attacker's control is silently linked to the victim's Signal or WhatsApp account as an additional authorised device.
Both Signal and WhatsApp support the use of multiple linked devices — this is the legitimate feature that allows you to use the app on both your phone and your laptop, for example. The attacker exploits this feature by adding their own device to your account without your knowledge.
The consequence here is different from the first method in two important ways. First, the victim does not lose access to their own account — they continue using it normally, with no obvious indication that anything has changed. The attack may go undetected for weeks or months. Second, the attacker has access to the victim's full message history, including all messages sent and received before the device was linked. This is not just access to future communications — it is retrospective access to everything the app has stored.
The Encryption Misconception
Signal and WhatsApp are genuinely end-to-end encrypted. When you send a message, it is encrypted on your device and can only be decrypted on the intended recipient's device. Nobody in the middle — not the app provider, not your internet service provider, not a government agency intercepting the data in transit — can read the content.
But encryption only protects data in transit and at rest on your device; it does not decide who counts as an authorised endpoint. Once an attacker is authorised as a linked device on your account, they are not in the middle. They are at the end. The encrypted message is delivered to your device and to theirs simultaneously, and they decrypt it with a perfectly valid authorisation. The encryption has not been broken. The account has been compromised through deception.
This is a conceptually important distinction. Many professionals choose Signal or WhatsApp for sensitive client communications specifically because of the encryption. The choice is not wrong — encrypted messaging is meaningfully more secure than unencrypted email for many threat models. But encryption protects against interception, not against account takeover through social engineering. The two defences are different, and one does not substitute for the other.
Why This Pattern Appears in Broader Criminal Campaigns Too
The FBI's warning focuses on Russian intelligence-linked operations targeting high-value individuals for espionage purposes. But the techniques being described — impersonating support staff to obtain verification codes, using QR codes to link attacker-controlled devices — are not exclusive to nation-state operations. Exactly the same social engineering patterns appear in criminal campaigns targeting business professionals for financial gain.
Business email compromise — the attack pattern discussed in our posts on law firms, IFAs, and accountancy practices — increasingly incorporates messaging app impersonation alongside email. An attacker who has mapped a target's professional relationships through LinkedIn or social media can send a convincingly personalised WhatsApp message impersonating a trusted contact, asking the target to click a link or provide a code that gives access to their account. From that position, the attacker can then impersonate the victim in communications with their clients, colleagues, and partners.
For a law firm, this means an attacker sending payment instructions to a conveyancing client from the fee earner's own WhatsApp account — an identity the client has been communicating with and trusts. For an IFA, it means the attacker having access to sensitive financial conversations that can be used for targeted fraud. The intelligence value of the communications and the financial value of the access are different, but the attack technique is the same.
What To Do: Immediate and Ongoing Actions
Review Your Linked Devices Right Now
Both Signal and WhatsApp display a list of all devices currently linked to your account. Reviewing this list takes less than two minutes and will tell you immediately whether any unauthorised device is connected.
In WhatsApp: Settings > Linked Devices. In Signal: Settings > Linked Devices. Review every entry. If you see a device you do not recognise, remove it immediately. This terminates that device's access to your account and stops all future messages reaching it. It does not recall messages that device has already received.
This review should be a regular habit — monthly at minimum for anyone using these apps for professional communications.
Enable the Registration Lock PIN
Signal has a feature called Registration Lock that requires your PIN whenever your account is registered on a new device. With this enabled, an attacker who obtains your SMS verification code cannot complete account registration without also knowing your PIN. This directly addresses Method One of the attack.
In Signal: Settings > Account > Registration Lock. Enable it and set a strong PIN that you have not used elsewhere. WhatsApp has an equivalent called Two-Step Verification: Settings > Account > Two-Step Verification.
Both apps also allow you to set a trusted email address that can be used for PIN recovery. Ensure this is an email account with strong security — ideally one with MFA enabled, given that the email account is now itself a recovery path into your messaging account.
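To make the difference between the two methods concrete, and to show why Registration Lock (or WhatsApp's Two-Step Verification) stops Method One but not Method Two, here is a toy state model written for this article. It is a hypothetical simplification of the behaviour the advisory describes, not Signal's or WhatsApp's own code; the device names, messages and the SMS code "123456" are all constructed.

```python
"""Toy state model of a messaging account, written for this article.

Hypothetical simplification of the account behaviour described above for
Signal and WhatsApp (re-registration, linked devices, Registration Lock /
Two-Step Verification). Not the apps' own code.
"""


class Account:
    def __init__(self, primary_device, pin, registration_lock=False):
        self.primary = primary_device      # device holding the registration
        self.linked = set()                # additional authorised devices
        self.history = []                  # messages stored for this account
        self.pin = pin
        self.registration_lock = registration_lock

    def devices(self):
        return {self.primary} | self.linked

    def deliver(self, message):
        """A new message is stored and reaches every authorised device."""
        self.history.append(message)
        return sorted(self.devices())

    def register(self, new_device, sms_code, pin_supplied=None):
        """Method One: re-register the account on a different device.

        Succeeds with the SMS code alone unless Registration Lock is on, in
        which case the PIN is required too. A successful registration moves
        the account: the old device loses access and keeps the old archive,
        so the new device starts with an empty history.
        """
        if sms_code != "123456":           # constructed: the code the victim was sent
            return False
        if self.registration_lock and pin_supplied != self.pin:
            return False
        self.primary = new_device
        self.linked.clear()
        self.history = []
        return True

    def link_device(self, new_device):
        """Method Two: a link/QR approval adds a device that also receives
        the stored history, while the owner keeps using the account."""
        self.linked.add(new_device)
        return list(self.history)

    def unlink(self, device):
        """Removing a linked device stops future delivery to it; it does not
        recall what that device already received."""
        self.linked.discard(device)


def method_one(registration_lock):
    """Attacker has the SMS code but not the PIN (constructed scenario)."""
    acct = Account("victim-phone", pin="9471", registration_lock=registration_lock)
    acct.deliver("client: please confirm the completion account details")
    taken = acct.register("attacker-phone", sms_code="123456")   # no PIN supplied
    recipients = acct.deliver("client: sending the funds now")
    return {
        "takeover": taken,
        "victim_still_has_access": "victim-phone" in recipients,
        "attacker_sees_archive": taken and len(acct.history) > 1,
    }


def method_two():
    """Victim approved a link/QR; Registration Lock does not help here."""
    acct = Account("victim-phone", pin="9471", registration_lock=True)
    acct.deliver("partner: draft heads of terms attached")
    acct.deliver("client: here is my new address")
    archive_on_link = acct.link_device("attacker-laptop")
    recipients = acct.deliver("client: can you call me?")
    acct.unlink("attacker-laptop")          # owner reviews Linked Devices and removes it
    after_removal = acct.deliver("client: thanks")
    return {
        "victim_still_has_access": "victim-phone" in recipients,
        "attacker_got_archive": len(archive_on_link),
        "attacker_in_new_delivery": "attacker-laptop" in recipients,
        "attacker_after_removal": "attacker-laptop" in after_removal,
    }


if __name__ == "__main__":
    print("Method One, no lock :", method_one(False))
    print("Method One, lock on :", method_one(True))
    print("Method Two          :", method_two())
```

Running it shows the asymmetry the article describes: without the lock, Method One moves the account (the victim loses access, the attacker sees only new messages); with the lock, the SMS code alone fails. Method Two succeeds regardless of the lock, hands over the stored archive, and leaves the victim with normal access, which is why the linked-devices review matters as a separate control.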
Never Share a Verification Code or PIN with Anyone
Signal has stated publicly that their support team will never contact users via in-app messages, SMS, or social media to ask for a verification code or PIN. WhatsApp's guidance is identical. If anyone — however convincingly they have framed their request — asks you to provide a verification code, an SMS code, or an app PIN, the answer is no.
This is not a situation where context changes the answer. There is no legitimate reason for anyone, at any organisation, to need your messaging app verification code. An attacker who has done their research will construct a convincing scenario — an urgent account issue, a verification requirement from your IT department, a security check from the platform itself. The scenario is always fabricated. The code is the only thing that matters to them.
Be Cautious with Unexpected QR Codes and Links
Treat any unexpected message, email, or communication that asks you to scan a QR code or click a link as suspicious by default, regardless of who it appears to be from. Verify unexpected requests through a separate channel — call the person on a number you already have, or contact the organisation through their official website — before taking any action.
QR codes are particularly effective social engineering tools because they are visually opaque — you cannot tell where a QR code will take you until you have already scanned it, by which point the action may be complete. If you did not initiate the process that requires scanning a QR code, treat it with the same scepticism you would apply to clicking an unexpected link in an email.
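The two previous sections describe the lure patterns to watch for: a request for a verification code or PIN, impersonation of Signal or WhatsApp support, manufactured urgency, and an unexpected QR code, link or device-link request. The following is an added example written for this article of how an analyst might triage incoming messages against those patterns; it is not a product's code. The indicator list, the weights, the threshold and the four sample messages are all constructed assumptions, and a heuristic like this is a screening aid, not a substitute for verifying through a separate channel.

```python
"""Heuristic triage of messages for messaging-app account-takeover lures.

Added example, not vendor code. Scores a message against the lure patterns
described in the article and returns the matched indicators for review.
Indicator weights and the threshold are assumptions.
"""
import re

# (indicator name, weight, pattern). Weights are constructed for this example.
INDICATORS = [
    ("asks_for_code_or_pin", 3, re.compile(
        r"\b(verification|security|sms|one[- ]time)\s+(code|pin)\b"
        r"|\b(your|the)\s+pin\b|\b6[- ]digit\b", re.I)),
    ("support_impersonation", 2, re.compile(
        r"\b(signal|whatsapp)\s+(support|team|security|help\s*desk)\b", re.I)),
    ("urgency_pretext", 1, re.compile(
        r"\b(urgent|immediately|within\s+\d+\s+(minutes|hours)|suspended"
        r"|deactivat\w+|locked)\b", re.I)),
    ("device_link_or_qr", 2, re.compile(
        r"\b(qr\s*code|scan|link(ed)?\s+device|confirm\s+(your\s+)?device)\b", re.I)),
    ("external_link", 1, re.compile(r"https?://\S+", re.I)),
]


def score_message(text):
    """Return (total weight, list of matched indicator names)."""
    hits, total = [], 0
    for name, weight, pattern in INDICATORS:
        if pattern.search(text):
            hits.append(name)
            total += weight
    return total, hits


def triage(text, threshold=3):
    """Classify a message as block / review / allow.

    Any request for a code or PIN is blocked outright, since the article
    notes there is no legitimate reason for such a request. Otherwise an
    unexpected QR/link or support impersonation pushes it to review.
    """
    total, hits = score_message(text)
    if "asks_for_code_or_pin" in hits:
        verdict = "block"
    elif total >= threshold:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "score": total, "indicators": hits}


# Constructed sample messages for demonstration only.
SAMPLE_MESSAGES = [
    "WhatsApp Support here: we detected unusual activity on your account. "
    "Reply with the 6-digit verification code we just sent, or your account "
    "will be suspended within 2 hours.",
    "Hi, it's Sarah from the conference. Scan this QR code to join the secure "
    "group: https://example.invalid/join",
    "Reminder: tomorrow's meeting moved to 10am, agenda at "
    "https://example.invalid/agenda",
    "This is IT. Please send the PIN for your Signal app so we can verify it.",
]


def triage_samples():
    """Triage every constructed sample; returns a list of verdict dicts."""
    return [triage(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage_samples()):
        print(f"{result['verdict']:6} score={result['score']} {result['indicators']}")
        print("   ", msg[:70], "...")
```

The first and fourth samples are blocked because they ask for a code or PIN; the QR-code invitation lands in review because an unexpected scan request plus a link crosses the threshold, while the plain meeting reminder passes. Tune the patterns to the wording your own staff actually receive, and feed anything that hits review into the separate-channel verification the article recommends.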
Consider What You Communicate Through Messaging Apps
For professionals in regulated sectors — solicitors, IFAs, GPs, accountants — this attack pattern is a prompt to review what categories of information are being communicated through personal messaging apps and whether those communications belong on a platform whose security depends entirely on the individual user's behaviour.
This is not an argument against using encrypted messaging. It is an argument for being deliberate about it: using it with MFA-protected accounts, reviewing linked devices regularly, training staff on the specific social engineering patterns being used against these platforms, and considering whether particularly sensitive client communications should use a more controlled channel.
Social Engineering Is the Attack Your Technical Controls Miss
The Signal and WhatsApp campaigns described by the FBI succeed because they bypass every technical control and target the individual directly. The same techniques are used in business email compromise, invoice fraud, and credential theft across every sector we work with. SOC in a Box includes dark web monitoring that alerts your named analyst when your credentials or professional identifiers appear in criminal marketplaces, email monitoring that flags the social engineering patterns associated with BEC and account takeover, and staff security awareness guidance as part of your quarterly threat briefing. The control that complements your technical defences is knowing what the current attack patterns look like — which is exactly what your named analyst is there to tell you.
Book a scoping call