A dangerous scam is actively targeting Signal users right now, and it’s working because it exploits fear rather than technical weaknesses.

The Most Critical Fact: Signal Never Contacts You First

This single rule defeats the entire scam. Signal’s official policy is clear — no support agent will ever send you a message, initiate a conversation, or ask you to verify anything through chat. If a message claims to be from “Signal Support,” it is fake, full stop. No exceptions, no edge cases.

What the Attack Actually Looks Like

Victims receive an unsolicited Signal message warning that their backed-up chats and media face permanent deletion due to a mysterious “sync issue.” The message demands they share their 64-character recovery key immediately to prevent data loss. Everything about the message — the urgency, the threat of losing years of photos and conversations, the authoritative tone — is designed to stop you from thinking clearly and make you act fast.

Why Your Recovery Key Is So Valuable

Signal’s Secure Backup feature (launched September 2025, priced at $1.99/month for 100 GB) stores your messages and media in encrypted cloud storage. The recovery key is the only thing that can unlock that archive. Signal itself cannot read or decrypt your backup — the key never leaves your control by design. If a hacker obtains your key, they can download your entire backup from Signal’s servers and read every message, photo, and video you’ve ever sent. There is no technical barrier stopping them once they have it.

Why This Scam Is Particularly Effective

Three factors make this attack unusually dangerous. First, Secure Backups is a relatively new feature, so many users don’t fully understand how it works or that it even exists. Second, it’s Signal’s first paid service, making users more likely to expect — and trust — official-looking support messages. Third, the attack runs entirely inside the Signal app itself, so messages look visually identical to real conversations, with no warning signs like suspicious email domains or external links.

How to Protect Yourself Right Now

The most urgent action is to never share your recovery key with anyone under any circumstances. Signal will not ask for it, your contacts don’t need it, and no “technical issue” requires it. Store your recovery key on paper in a secure physical location — avoid screenshots, cloud storage, email drafts, or any digital format that could be compromised.

If you receive one of these messages, do not respond at all, even to say no. A reply confirms your account is active. Block the sender immediately, then report the incident to Signal’s official support address: support@signal.org. That email address is the only legitimate way Signal handles user support.

If You Already Shared Your Key

Stop all communication with the sender at once. Contact Signal support immediately, and check whether your account settings allow you to generate a new recovery key, which would invalidate the stolen one. Monitor for any unusual activity and, if your conversations contained sensitive material, notify affected contacts.

The Bigger Picture

This isn’t an isolated incident. Signal issued phishing warnings in March 2026 after officials were targeted, and the FBI connected earlier Signal phishing campaigns to Russian intelligence services. In May 2026, Signal added new in-app security confirmations and warnings specifically to address the growing wave of social engineering attacks. The current backup phishing campaign represents an escalation of these ongoing efforts.

Quick Reference

If a message… | It is…
Claims to be Signal Support | Fake
Requests your recovery key | A scam
Creates urgency about data loss | A manipulation tactic
Came without you reaching out first | Fraudulent

Signal’s encryption is not broken. The vulnerability here is human psychology — and awareness is your strongest defense.