Are you getting irritating spam messages on Signal? This is normal, and that does not make it a less secure app than advertised.
At the end of 2020, the planned change in WhatsApp‘s terms of service led to a large departure of users to its competitor Signal. Many people have discovered the messaging application, touted for its model of privacy.
But a few months later, these new users are already getting angry. They receive phishing and spam emails on the so-called “secure” app: a fake Amazon promises them an iPhone 12, they are told they’ve won bitcoin, or they receive sexual spam.
This is an example of a phishing link currently being sent to Signal users. // Source: @ Sebweb33 on Twitter
Would Signal lie to its users? Well, no, not at all. It is simply that the “security” it offers is poorly understood. Could it do more to fight against this spam? Maybe, but the problem with spoofed messages goes way beyond the app itself.
The very principle of Signal makes spam detection difficult
Signal protects the confidentiality of your exchanges, with an open source encryption algorithm – that is, verifiable by anyone. It is this property alone that gives it the adjective “secure”.
Concretely, Signal will apply a layer of encryption to the messages you send. More exactly, your app will encrypt them, using an almost unique key. Only the recipient of the message will have a duplicate of this key, and only his smartphone will be able to decrypt the message you sent him and read its content. If someone – a cybercriminal, a police officer, or a Signal employee, for example – intercepts the message between the two devices, they will not be able to read the content. This is why Signal counts among its historical users activists who fear repression from different governments; journalists who must guarantee the anonymity of their sources; or by criminals who want to escape police surveillance.
Problem: This guarantee of confidentiality of messages hampers the deployment of spam filters. Since Signal cannot read the content of messages you receive, the app cannot, for example, block all those that contain a link identified as dangerous.
In other words, Signal ensures that no one other than you can read the message you have just received. On the other hand, the app does not guarantee the integrity of its content: the message can relay fake news, it can contain a link to malware or even threats. Signal will not protect you from this, and does not claim to do so at any time.
Why am I receiving phishing messages on Signal?
Another misconception is that just because you receive a phishing message from an unknown number on Signal doesn’t mean that the organization has experienced any security issue.
To send yourself a message on Signal, all you need is your phone number. And getting it is a pretty straightforward task: an unscrupulous company you entrusted it to might have sold it; it could be included in one of the many data breaches detected each week; or you could post it publicly on one of your social networks. For example, the stolen Facebook database contains as many as 500 million phone numbers that thugs can easily sprinkle with fraudulent messages.
One question remains: why do criminals send you these messages on Signal rather than by SMS? Several tracks:
Signal allows you to display a user name and profile picture of your choice. This will create a more credible sender profile, and increase the chances of phishing success. Since Signal's "security" is poorly understood, some users will think that the content of the message is harmless because otherwise Signal would have blocked it. SMS spam campaigns have a certain cost per message, although it is low. Sending a message campaign on Signal would be inexpensive. The popularity of the app over the past few months has made the app more attractive to cybercriminals.
What is Signal doing against spam messages and what could it do better?
You may not have noticed it, but spam messages you receive do not appear like messages from people saved in your directory. And for good reason, Signal considers them as contact requests, and offers you three options: accept the message, delete it or block the sender. Until you choose one of these options, the links in the message are disabled, meaning you won’t be able to click on them.
This is good protection: the overwhelming majority of malicious messages require a user click to close their trap. While this feature doesn’t prevent them from receiving an unnecessary notification, it does get people thinking about the risk they are taking when viewing a message from an unknown sender.
Your number is compromised, not Signal
Don’t hesitate to block suspicious messages: companies imitated by thugs don’t communicate through third-party messaging apps like Signal. And if someone really needs to contact you, they can make a call or text you, since they have your phone number.
As How to geek notes, some users ask Signal to create a feature to automatically block messages sent by strangers, whose number is not saved on the smartphone. Others ask for a malicious number reporting feature, such as it exists on WhatsApp for example. But at this time, Signal has not commented on these requests.
If you are really annoyed by the phishing received on Signal, you can still remove the application. But since receiving spam is first and foremost a sign that your phone number is compromised, this action will not solve all of your problems.
Photo credit from one: CCO / WIkimedia