For years, people have been told to move sensitive conversations off email and into encrypted messaging apps. That advice is not wrong, but it is no longer the whole story.
Government agencies are warning that threat actors tied to Russia and other hostile nation-state groups are increasingly targeting popular messaging apps, including WhatsApp, Signal, and Messenger, not because the apps themselves are necessarily broken, but because the people using them are believed to have information that provide a lot of value to attackers.
The alert focuses on what officials describe as “high-risk individuals,” which sounds dramatic until you realize the category is broader than many people assume. It includes government personnel, journalists, executives, political staff, researchers, activists, and anyone whose role gives them access to sensitive information, influential contacts, or useful networks. In plain English: if you know something important, know someone important, or have access to something important, you may already be on someone’s list.
And the playbook is not especially exotic. Attackers are not always smashing through technical defenses. Often, they are simply tricking users into opening the door.
Some of the tactics being flagged are deceptively simple:
- Asking for login or account recovery codes
- Adding an attacker-controlled device to an account
- Slipping into group chats without obvious warning
- Impersonating trusted contacts
- Delivering phishing links or malicious QR codes
That last one deserves a little extra suspicion. QR codes have become the digital equivalent of “just trust me,” and attackers know it. If a code promises to “reconnect your account,” “verify your session,” or “join a secure chat,” skepticism is the correct default setting.
The broader lesson here is that modern account compromise is increasingly less about breaking encryption and more about bypassing human caution. If an attacker can convince you to hand over a code, approve a device, or scan the wrong square of pixels, they may not need to “hack” anything at all.
If you use messaging apps, regardless of whether or not you think you might know valuable information about someone “important,” be sure to do what you can to secure your conversations.
- Use app-based security features that require approval for new devices.
- Review connected devices regularly.
- Be suspicious of unexpected login prompts, verification requests, and urgent messages asking you to act quickly.
And if someone asks for a recovery or verification code, the answer should be no, even if the request appears to come from someone you know. Because these days, “secure messaging” still matters. Secure habits matter more.
SUBSCRIBE TO WEEKLY NEWSLETTER
