
Signal: a phishing campaign targets users' backups

By Clara Campos on June 4, 2026

Discovered in late May 2026, a new phishing campaign targets Signal users with the aim of stealing victims' backup recovery keys. What sets this attack apart is that the fraudulent message is sent directly within the Signal mobile application, a development that shows mobile phishing is now infiltrating even encrypted messaging apps.

Mobile phishing on the rise

This new campaign is far from an isolated case. Pradeo's 2026 Mobile Security Report revealed that a professional mobile device receives an average of 288 phishing attempts per year, and that 45% of users click on the links they receive.
Smishing (SMS phishing) remains the most common vector, accounting for 55% of mobile phishing.

The trend is towards diversification of channels. Attacks no longer come solely through email; they are infiltrating SMS, instant messaging apps, and QR codes. And they share an increasingly common trait: attackers impersonate a trusted authority figure (technical support, public services, financial institutions) to push their victims into acting without verification.

Signal under attack

The attack is straightforward. Attackers send a message directly within Signal from an account presenting itself as "Signal Support". The message claims that the user's data is at risk of being lost due to a synchronisation issue, and contains a link redirecting the victim to a page outside the application, where they are asked to enter their recovery key.

This key is what allows the decryption of backups stored on Signal's servers. Stealing the key is the first step: the attackers must then gain control of the account to access the backups. The approach no longer targets only ongoing conversations, but also the entirety of the archived message history.

Identified targets reportedly include journalists and activists, but also individuals outside activist circles, suggesting a broader campaign than initially thought.

This attack on Signal is not an isolated incident. In March 2026, the FBI and CISA had already issued a joint advisory warning of campaigns linked to Russian intelligence targeting Signal and WhatsApp, using QR codes and device-linking requests. In Germany, politicians, military personnel and journalists had been targeted using the same techniques, and CERT-EU confirmed that the campaign extended to several European countries.

Signal reminds users that it will never reach out first and will never ask for a recovery key, PIN code or registration code. Any message claiming to be from "Signal Support" should be ignored.
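The indicators described above (a sender posing as "Signal Support", unsolicited first contact, a request for a secret Signal never asks for, a link leaving the app's official domain) can be expressed as a triage check. This is an added example, not code from Pradeo or Signal; the function names, the `signal.org` allowlist and the `.example` hosts are assumptions made for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = ("signal.org",)  # assumption: allowlist of official hosts
SECRET_TERMS = ("recovery key", "pin code", "registration code")  # from the article
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"))


def normalize(text):
    """Fold compatibility forms (e.g. fullwidth letters), invisible characters, spacing and case."""
    text = unicodedata.normalize("NFKC", text).translate(INVISIBLE)
    return re.sub(r"\s+", " ", text).casefold().strip()


def is_official(url):
    """True only if the URL's host is an allowlisted domain or its subdomain."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # malformed authority: treat as untrusted
        return False
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def assess(sender_name, body, sender_initiated):
    """Return the reasons a message matches the lure described in the article."""
    reasons = []
    name, text = normalize(sender_name), normalize(body)
    if "signal" in name and "support" in name:
        reasons.append("sender poses as Signal Support")
    if sender_initiated:
        reasons.append("unsolicited first contact")
    if any(term in text for term in SECRET_TERMS):
        reasons.append("mentions a secret Signal never asks for")
    if any(not is_official(u) for u in URL_RE.findall(body)):
        reasons.append("link leaves the allowlisted domain")
    return reasons


if __name__ == "__main__":
    # Constructed sample messages; the .example hosts are placeholders.
    samples = [
        ("Signal Support", "Sync issue: your data may be lost. Enter your "
         "recovery key at https://signal.org.restore.example/key", True),
        ("Alice", "Help page: https://support.signal.org/", False),
    ]
    for sender, body, first in samples:
        print(sender, "->", assess(sender, body, first) or "no indicators")
```

The host comparison is done on the parsed hostname rather than by substring, so look-alike hosts that merely contain the official name are still reported.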


When phishing impersonates everyday services

The mechanism exploited against Signal, impersonating a trusted authority figure, is the same one used at scale to imitate well-known services. Attackers exploit context (tax season, parcel deliveries, administrative renewals) to trigger an immediate reaction.

In the United Kingdom, the National Cyber Security Centre (NCSC) reported a significant increase in campaigns impersonating HMRC (the tax authority), Royal Mail, the NHS and the DVLA in early 2026. Phishing-related losses exceeded £1.2 billion in 2025 according to UK Finance.

A coordinated smishing operation was also uncovered in May 2026 across 19 countries in Europe, the Americas and the Caucasus. The investigation traced 1,628 malicious URLs linked to a single infrastructure, targeting government payment portals, delivery services, road police portals, tax authorities and telecom operators. All used the same mechanism: fraudulent SMS impersonating trusted institutions to redirect victims to fake payment pages.

How Pradeo protects against mobile phishing

With phishing campaigns growing in number and sophistication, securing mobile devices is essential to protect corporate data.

Pradeo Mobile Threat Defense protects mobile devices against all threat vectors, including phishing. The solution automatically detects and blocks all malicious links received on the mobile device (SMS, instant messaging, QR codes…), preventing the user from clicking before infection or data theft occurs.
