Signal has introduced new in-app confirmations and warning messages to help protect users from phishing and social engineering attacks that could lead to fraud or account compromise.
The new safeguards are designed to add extra friction before users respond to suspicious requests. Signal says the goal is to give people more time to think carefully before following instructions from unknown contacts, especially when those messages ask them to scan QR codes, share verification codes, or take action outside the app.
The update comes after several recent attacks targeted high-profile Signal users with fake “Signal Support” alerts. These incidents were highlighted by the FBI, the Dutch government, and German authorities, and were linked to Russian state-sponsored hackers.
To help protect Signal users from phishing and social engineering attacks, we’ve introduced additional confirmations and educational messaging in the app to help people better detect fraudulent profiles, especially message requests from scammers posing as Signal.
— Signal (@signalapp) May 11, 2026
More changes… pic.twitter.com/ASZNCXHNFM
According to reports, the attackers abused Signal’s Linked Device feature to gain access to victims’ accounts, chats, and contact lists. The scam typically works by convincing a user to scan a QR code or share a one-time code under the false claim that it is needed to verify or protect the account from suspicious activity. Once the victim follows the instructions, the attacker can link their own device to the account and access the user’s Signal data.
Signal said the new protections are meant to help users spot fraudulent profiles more easily, particularly message requests from scammers pretending to be Signal itself.
As part of the update, Signal will now show a “Name not verified” label under contacts who start conversations through direct messages. It will also display a “No groups in common” warning to make it clear when the sender has no shared connection with the recipient.
When a new message request arrives, Signal will ask the user to confirm before accepting it. The prompt will also remind users that Signal will never ask for their registration code, PIN, or recovery key.
The app is also expanding its safety tips with more detailed guidance, while reminders will warn users not to respond to chats pretending to come from Signal Support.
Social engineering remains one of the most effective ways for attackers to bypass security protections because it targets the user directly instead of the technology. Signal users should be especially careful with unexpected messages from unknown contacts and should never scan QR codes or share verification codes based on instructions from a chat message.
Users can also check their linked devices in Signal’s settings and remove any device they do not recognize.





