Signal Raises the Bar on Messaging App Security
Signal is rolling out a new layer of messaging app security focused on risky unsolicited messages and social engineering attacks. The encrypted chat service now surfaces clear, contextual warnings whenever something about a conversation could expose users to phishing, account hijacking, or other scams. This update, live on both Android and iOS, is part of a broader push to harden Signal accounts after a wave of attackers impersonating “Signal Support” inside the app. Instead of quietly treating every new chat the same, Signal now explicitly highlights situations where caution is warranted, helping users distinguish between genuine contacts and malicious approaches. The move responds to growing frustration with spam and fake support messages across chat platforms and shows that strong end-to-end encryption isn’t enough on its own: people also need smarter in-app guidance to spot and stop fraud before it spreads.
How Signal’s Unsolicited Message Alerts Work in Practice
When you receive a message request from someone you’ve never spoken to before, Signal now interrupts with an “Accept Request” pop-up instead of silently dropping the chat into your inbox. The alert reminds you to accept only from people you trust and stresses that Signal will never message you for a registration code, PIN, or recovery key. You can accept or cancel the request, which gives you a moment to question whether the sender is legitimate. Signal also shows a dedicated warning inside conversations that appear to be from “Signal” itself, telling users not to respond to chats claiming to be official support. The app explains that bad actors can create fake profile names to take over accounts. Additional educational pop-ups encourage users to review contacts carefully and be skeptical of messages containing web links, financial “tips,” or anything that feels urgent or too good to be true.
Fighting Phishing, Fake Support, and Account Hijacking
These unsolicited message alerts are designed specifically to counter the rising use of phishing and fake support scams on encrypted platforms. Attackers have been posing as Signal Support inside the app, tricking people into handing over one-time registration codes or recovery data and then hijacking accounts. Signal’s new in-app warnings now explicitly state that the company will not contact users within a regular chat to request sensitive credentials. By embedding this guidance directly into the interface, Signal reduces reliance on external blog posts or FAQ pages that users might never read. The app also continues to display profile warnings when it cannot confirm you’re talking to the correct person, adding another layer of friction for impostors. Together, these spam protection features aim to stop attacks at the moment of contact, turning each suspicious message into a teaching moment rather than a silent threat.
How Signal’s Approach Differs from WhatsApp’s Spam Protection
Signal’s emphasis on in-app education and unsolicited message alerts stands in contrast to platforms that rely heavily on phone-number identity, such as WhatsApp. While WhatsApp ties accounts directly to phone numbers and offers options to report and block spam, users still frequently encounter unwanted messages, scams, and fake business accounts. This phone-centric model can make it easier for attackers who harvest or guess numbers to blast spam at scale, leaving much of the burden on users to filter and report. Signal’s strategy shifts more of that work into the app’s design: it highlights risky scenarios, clarifies what the service will never ask for, and treats unexpected contact as potentially dangerous by default. Rather than trusting phone-number identity alone, Signal leans on clearer UX cues and education to help people recognize social engineering tactics before they fall victim to them.
