Why Signal Is Rolling Out New Phishing Protection
Signal has introduced a new wave of phishing protection designed to keep users safer from scams and social engineering attacks. The encrypted messaging app has recently been targeted by phishing campaigns, including attacks focusing on high‑value targets such as officials and journalists. Instead of exploiting software, these attacks try to trick people into giving up registration codes, PINs, or recovery keys. Signal’s answer is to build social engineering defense directly into the interface, so suspicious messages are easier to spot before any damage is done. The new message security features appear on both Android and iOS and are part of a broader effort to make account hijacking much harder. By surfacing clear warnings and practical guidance at the moment you receive a risky or unsolicited message, Signal aims to stop scammers from abusing users’ trust in the app itself.
New Message Requests and ‘Name Not Verified’ Prompts
One of the most visible changes is how Signal now handles first‑time message requests. When someone you have never chatted with before contacts you, you’ll see an “Accept Request” prompt reminding you to only accept messages from people you trust. You can then choose to accept or cancel, similar to workflows in other secure messaging tools, but with more explicit safety language. Signal also adds a prominent “name not verified” notice to profiles. Because users can choose any display name they like, Signal cannot confirm that the name you see is genuine. This reminder helps you stay cautious when someone claims to be a known contact, a company representative, or even Signal itself. These simple, well‑timed nudges are designed to slow you down just enough to double‑check who you are really talking to.
In-App Warnings About Fake ‘Signal’ Messages
A key part of Signal’s new phishing warning alerts is clear messaging about what the company will never do. Inside the app, you’ll now see guidance stating that Signal will not contact you in a chat to request your registration code, PIN, or recovery key. Any message claiming to be from Signal Support that asks for these details is a scam. The app explicitly tells you not to respond to chats “from Signal,” explaining that bad actors create profiles with official‑sounding names to hijack accounts. By making this guidance highly visible, Signal reduces the chances that users will be fooled by impersonation attempts. These warnings are especially important because phishing campaigns increasingly exploit trust in legitimate brands, and an encrypted app is no exception. Signal’s approach focuses on teaching users what real communication from the service will look like—and what it will not.
Spotting Suspicious Links, Financial ‘Tips,’ and Vague Intros
Beyond direct impersonation, many phishing attempts start with vague or intriguing messages designed to provoke a reply. Signal’s updated message security features now highlight these common red flags inside the app. Users may see educational pop‑ups advising them to be cautious with messages containing suspicious web links, unsolicited financial “tips,” or generic introductions that seem crafted to lure conversation. The app encourages users to review each new contact carefully and remember that scammers often build rapport before attempting account takeover or fraud. These in‑context lessons help train you to recognize social engineering patterns over time, rather than relying solely on one‑off warnings. Combined with end‑to‑end encryption, the new social engineering defense tools aim to ensure that even if attackers can reach your inbox, they have a much harder time convincing you to hand over sensitive information or click risky links.
How to Use These Features to Protect Your Account
To get the most from Signal’s new phishing protection, treat every new message request as a checkpoint. When you see the “Accept Request” prompt, pause and confirm you truly know the sender. If you notice the “name not verified” banner, double‑check via another channel before trusting any sensitive request. Never share your registration code, PIN, or recovery key in a chat—no legitimate support agent will ask for them inside Signal. Be skeptical of vague introductions, urgent demands, investment advice, or links from strangers. When in doubt, cancel the request and block the contact. These habits, reinforced by Signal’s built‑in warnings, create a layered social engineering defense around your account. Signal has indicated that more security upgrades are on the way, so staying updated and paying attention to new in‑app guidance will further strengthen your protection over time.