Signal turns the chat window into a safety checkpoint
Signal is rolling out a set of in-app phishing detection features designed to stop scams before they start. The encrypted messaging app now overlays clear warnings when a situation looks risky, especially when a message comes from someone you have never talked to before. Instead of dropping you straight into a conversation, Signal shows an “Accept Request” prompt urging you to accept only if you trust the sender. The prompt also spells out a core rule: Signal will never ask for your registration code, PIN, or recovery key. These additions are part of a broader push to harden messaging app security after the platform faced phishing campaigns aimed at high‑value targets like journalists and government officials. By building guidance directly into the interface, Signal is turning every new contact into a mini security check, making phishing attempts easier to spot and ignore.
New in-app alerts help expose fake ‘Signal’ accounts
A major focus of the update is stopping scammers who pretend to be Signal itself. Attackers have been creating profiles named “Signal” or “Signal Support” and then asking users for sensitive information that would let them hijack accounts. To counter this, Signal now displays educational pop-ups that explicitly warn you not to respond to chats claiming to be from the app. The interface emphasizes that Signal will never message you inside a conversation to request a registration code, PIN, or recovery key. Any contact doing so is a scammer using social engineering to trick you into handing over the keys to your account. These warnings are surfaced at key moments—such as when you receive a new request—so users see them when they are most relevant, not buried in a help page that few people read.
‘Name not verified’ labels and extra confirmations for new chats
Signal’s phishing detection feature also targets a subtle but powerful deception: fake profile names. Because users can type any name they like, scammers can easily impersonate a colleague, a company, or even a support agent. To address this, Signal now shows a “name not verified” notice on profiles to remind you that the displayed name is self-chosen and not confirmed by the service. Alongside this, the app adds an extra confirmation step for message requests from unknown contacts, similar to other messaging platforms. You can explicitly accept or cancel before any chat begins. Signal supplements this with additional guidance urging you to review who you are talking to and to be cautious with messages that include links or “financial tips.” Together, these changes provide social engineering protection by encouraging users to slow down and question who is really on the other side of the screen.
Why smarter phishing warnings matter for messaging app security
These updates reflect a broader recognition that the weakest link in messaging app security is often people, not protocols. End-to-end encryption protects messages from technical interception, but phishing bypasses that by persuading users to give attackers direct access. Social engineering relies on urgency, trust, and confusion—tricks that work even on security‑savvy users when they are rushed. By building Signal phishing warnings directly into the chat experience, the app shifts from passive tool to active safety partner. It highlights vague or oddly generic messages, suspicious links, and conversations pushing financial schemes as red flags. The goal is not just to block specific scams, but to train users’ instincts over time. Signal has also indicated that more security upgrades are coming, suggesting this is the start of an ongoing effort to make private messaging both encrypted and resilient against human-focused attacks.