NCSC warns of messaging app targeting

1 Apr 2026 02:13 PM

Alongside international partners, the NCSC has issued actions for individuals at risk of targeted attacks against messaging apps.

What has happened?

Messaging apps such as WhatsApp, Messenger and Signal are an important part of how we communicate every day.

The NCSC and international partners have seen growing malicious activity from Russia-based actors using messaging apps to target high-risk individuals.

Who is affected?

High-risk individuals face a greater likelihood of attacks against their accounts due to a combination of their role and potential access to sensitive information and important people. You might be a high-risk individual if your work or public status means you have access to, or influence over, sensitive information that could be of interest to threat actors.

The NCSC has previously reported on the targeting of government officials’ accounts by China state-affiliated APT31, Russian Federal Security Service (FSB) actor Star Blizzard and Iran's Islamic Revolutionary Guard Corps (IRGC).

Attackers may attempt to:

  • Trick you into sharing login or account recovery codes.
  • Add their own device to your account without you noticing.  
  • Join group chats without detection.
  • Impersonate someone you know.
  • Phish you using malicious links or QR codes. 

What should I do?

While anyone can be the victim of social engineering, there are key actions you can take to reduce the risks against your personal accounts:

  • Do not share sensitive information via messaging apps.
  • For work communications, use corporately provided messaging services and devices where available and abide by your organisation’s policies.
  • Do not share verification codes or scan unexpected QR codes.
  • Enable two-step verification (for Signal users this is called Registration Lock in Settings).
  • Enable passkeys where available (both WhatsApp and Signal support passkeys).
  • Regularly check for linked devices in settings, review group members, and independently verify or remove any participants you do not recognise.
  • Beware of impersonations, unknown contacts and contacts appearing more than once.
  • On personal accounts use disappearing messages that automatically delete after a set period – by turning this on you will limit what a successful attacker could access if they do manage to get in. However, you should have regard to any applicable record keeping requirements.
  • The NCSC’s guidance for high-risk individuals on protecting accounts and devices supports all these recommended actions and includes information on accessing Individual Cyber Defence services to further improve your personal cyber resilience.
  • The following NCSC advice should be considered:

Further advice and resources

Those working in government should follow government guidance on the use of non-corporate communications channels.