User vigilance is the ultimate defense against phishing, Signal cautions


Users of chat applications like Signal should be cautious when they receive a message from someone they don’t know. Also, they should never share SMS verification codes or Signal PINs with anyone else.

That’s what chat app Signal states in response to reports that Signal and WhatsApp accounts of Dutch civil servants have been hacked via targeted phishing attacks.

Earlier this week, the General Dutch Intelligence Agency (AIVD) and Dutch Military Intelligence and Security Service (MIVD) announced that WhatsApp and Signal accounts used by officials, military personnel, and journalists have been hacked by state-sponsored hackers from Russia.

The attackers, pretending to be a support chatbot, managed to gain access to these accounts by sending phishing emails in an attempt to retrieve verification codes and PIN codes. These codes allow them to take over a user’s account.

The Russians also abuse the “linked devices” feature, which allows additional devices to be linked to an account. When this happens, users often don’t realize their accounts can be accessed remotely.

Once an account has been successfully compromised, the hackers can read messages sent to the account.

Signal says that it’s aware of the recent reports on targeted phishing attacks and that it takes these reports seriously.

“Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts,” the chat app states in a message on X.

Signal confirms that attacks on individual Signal accounts rely on social engineering. “Attackers impersonate trusted contacts or services (such as the non-existent “Signal Support Bot”) to trick victims into handing over their login credentials or other information,” the chat service continues.

Signal claims to build “robust technical safeguards” to protect its platform, but “user vigilance is ultimately the best defense against phishing.” Therefore, users should never share their SMS verification code, PIN code, passwords, or backup recovery keys.

The company also emphasizes that Signal will never initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. “If anyone asks for any Signal related code, it is a scam,” the chat service says.

In an online support page, Signal recommends that users should assume that unexpected messages may be phishing attempts.

Furthermore, users ought to contact Signal’s customer support via its official email, inspect links and files before clicking or opening them, block suspicious contacts, keep the app updated, stop communicating if they suspect a scammer is contacting them, and notify the local authorities if they suspect financial or identity fraud.
