Protect.Computer

FBI and CISA warn Russian phishing targets Signal and WhatsApp

What happened

The FBI and CISA issued a joint public warning that cyber actors linked to Russian intelligence services are actively targeting commercial messaging accounts, including Signal and WhatsApp.

The campaign focuses on phishing and social-engineering methods (not breaking encryption):

  • tricking targets into sharing one-time verification codes,
  • getting victims to approve malicious device-linking requests,
  • and abusing trusted contacts to spread additional account takeover attempts.

Why this matters

Compromised messaging accounts can expose:

  1. Sensitive chat history and contact networks,
  2. Ongoing coordination among staff and partners,
  3. Opportunities for follow-on impersonation and fraud from a trusted identity.

For organizations, this is both a privacy and operational risk: one hijacked account can quickly become a pivot point for broader compromise.

How to check if you’re affected

Use this quick verification flow from the FBI/CISA guidance:

  1. Check account/session history now
    • In Signal/WhatsApp settings, review linked devices and active sessions.
    • Immediately remove any device you do not recognize.
  2. Look for takeover indicators
    • Unexpected OTP/code prompts, sudden logout events, or contacts receiving strange messages from your account.
    • Security notifications about newly linked devices you did not approve.
  3. Identify who is high-risk in your org
    • Prioritize staff in government, media, policy, security, and leadership roles for immediate review.
  4. Validate recovery readiness
    • Confirm registration lock/PIN, account recovery controls, and trusted admin contacts are in place.

What defenders should do now

  1. Turn on strong account protections
    • Require registration lock/PIN features where available.
    • Use MFA and account recovery safeguards for linked email/phone accounts.
  2. Audit linked devices immediately
    • Remove unknown linked devices/sessions.
    • Re-authenticate accounts after suspicious prompts.
  3. Train users on messaging-specific phishing
    • Never share verification codes.
    • Treat QR/link-device prompts as high risk unless independently verified.
  4. Harden high-risk users first
    • Prioritize executives, public officials, journalists, and security teams.

Bottom line

This is a live account-takeover threat aimed at trusted messaging channels. Defenders should treat unsolicited verification or device-linking prompts as potential intrusion attempts and harden messaging account controls now.