Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Signal and WhatsApp phishing: what does it mean for identity security?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: A state-backed phishing campaign is targeting government sources and journalists through Signal and WhatsApp by abusing trust, direct-message prompts, and account re-registration rather than technical exploits, according to Swarmnetics and the Dutch Ministry of Defence. The pattern shows that messaging security still depends on user verification and account recovery controls, not encryption alone.

NHIMG editorial — based on content published by Swarmnetics: Signal & WhatsApp Phishing Campaign by Russian Spies Targets Government Sources and Journalists

By the numbers:

Questions worth separating out

Q: What breaks when phishing targets Signal or WhatsApp accounts instead of email?

A: The main failure is that encryption does not stop identity compromise.

Q: Why do encrypted messaging apps still need anti-phishing controls?

A: Because encryption protects message content, not account ownership or user intent.

Q: What do security teams get wrong about phone-based phishing?

A: They often treat phone calls as a low-tech nuisance instead of an identity risk.

Practitioner guidance

  • Harden messaging account recovery paths Require stronger verification before number transfer, re-registration, or linked-device approval on Signal and WhatsApp accounts used for sensitive communications.
  • Train users on platform-specific phishing cues Teach recipients to reject unsolicited credential prompts, QR-code join requests, and messages that impersonate platform support.
  • Monitor for account state anomalies Watch for duplicate group-chat presence, sudden 'Deleted' usernames, and unfamiliar linked devices, then treat those signals as compromise indicators rather than user error.

What's in the full analysis

Swarmnetics' full analysis covers the operational detail this post intentionally leaves for the source:

  • Examples of the phishing lures used against Signal and WhatsApp users, including platform-support impersonation and malicious QR-code prompts
  • The specific warning signs the Dutch authorities highlighted, such as linked-device anomalies and account identity changes
  • The account recovery and re-registration behaviours that can make a takeover look like a routine login issue
  • The broader intelligence context behind the campaign and why state-backed operators continue using low-complexity social engineering

👉 Read Swarmnetics' analysis of the Signal and WhatsApp phishing campaign →

Signal and WhatsApp phishing: what does it mean for identity security?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Trust abuse is the real control failure here, not encryption failure. This campaign shows that secure messaging can still be undermined when identity verification depends on user judgment alone. The attacker does not need a novel exploit if the recovery and re-registration path can be socially engineered. Practitioners should treat messaging trust as a governed identity process, not an assumption built into a secure channel.

A few things that frame the scale:

  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.

A question worth separating out:

Q: Who is accountable when a trusted messaging account is taken over?

A: Account owners, security teams, and platform administrators all have a role, but the governance failure sits with whichever process allowed recovery or re-registration to be too easy. For sensitive users, accountability should include verification policy, reporting thresholds, and device-trust review, not only user awareness.

👉 Read our full editorial: Signal and WhatsApp phishing exposes trust gaps in government messaging



   
ReplyQuote
Share: