Are you getting irritating spam messages on Signal? This is normal!

spam messages on signal

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

Are you getting irritating spam messages on Signal? This is normal, and that does not make it a less secure app than advertised.

At the end of 2020, the planned change in WhatsApp‘s terms of service led to a large departure of users to its competitor Signal. Many people have discovered the messaging application, touted for its model of privacy.

But a few months later, these new users are already getting angry. They receive phishing and spam emails on the so-called “secure” app: a fake Amazon promises them an iPhone 12, they are told they’ve won bitcoin, or they receive sexual spam.
This is an example of a phishing link currently being sent to Signal users. // Source: @ Sebweb33 on Twitter

Would Signal lie to its users? Well, no, not at all. It is simply that the “security” it offers is poorly understood. Could it do more to fight against this spam? Maybe, but the problem with spoofed messages goes way beyond the app itself.
The very principle of Signal makes spam detection difficult

Signal protects the confidentiality of your exchanges, with an open source encryption algorithm – that is, verifiable by anyone. It is this property alone that gives it the adjective “secure”.

Concretely, Signal will apply a layer of encryption to the messages you send. More exactly, your app will encrypt them, using an almost unique key. Only the recipient of the message will have a duplicate of this key, and only his smartphone will be able to decrypt the message you sent him and read its content. If someone – a cybercriminal, a police officer, or a Signal employee, for example – intercepts the message between the two devices, they will not be able to read the content. This is why Signal counts among its historical users activists who fear repression from different governments; journalists who must guarantee the anonymity of their sources; or by criminals who want to escape police surveillance.

Problem: This guarantee of confidentiality of messages hampers the deployment of spam filters. Since Signal cannot read the content of messages you receive, the app cannot, for example, block all those that contain a link identified as dangerous.

In other words, Signal ensures that no one other than you can read the message you have just received. On the other hand, the app does not guarantee the integrity of its content: the message can relay fake news, it can contain a link to malware or even threats. Signal will not protect you from this, and does not claim to do so at any time.
Why am I receiving phishing messages on Signal?

Another misconception is that just because you receive a phishing message from an unknown number on Signal doesn’t mean that the organization has experienced any security issue.

To send yourself a message on Signal, all you need is your phone number. And getting it is a pretty straightforward task: an unscrupulous company you entrusted it to might have sold it; it could be included in one of the many data breaches detected each week; or you could post it publicly on one of your social networks. For example, the stolen Facebook database contains as many as 500 million phone numbers that thugs can easily sprinkle with fraudulent messages.

One question remains: why do criminals send you these messages on Signal rather than by SMS? Several tracks:

Signal allows you to display a user name and profile picture of your choice. This will create a more credible sender profile, and increase the chances of phishing success.
Since Signal's "security" is poorly understood, some users will think that the content of the message is harmless because otherwise Signal would have blocked it.
SMS spam campaigns have a certain cost per message, although it is low. Sending a message campaign on Signal would be inexpensive.
The popularity of the app over the past few months has made the app more attractive to cybercriminals.

What is Signal doing against spam messages and what could it do better?

You may not have noticed it, but spam messages you receive do not appear like messages from people saved in your directory. And for good reason, Signal considers them as contact requests, and offers you three options: accept the message, delete it or block the sender. Until you choose one of these options, the links in the message are disabled, meaning you won’t be able to click on them.

This is good protection: the overwhelming majority of malicious messages require a user click to close their trap. While this feature doesn’t prevent them from receiving an unnecessary notification, it does get people thinking about the risk they are taking when viewing a message from an unknown sender.

Your number is compromised, not Signal

Don’t hesitate to block suspicious messages: companies imitated by thugs don’t communicate through third-party messaging apps like Signal. And if someone really needs to contact you, they can make a call or text you, since they have your phone number.

As How to geek notes, some users ask Signal to create a feature to automatically block messages sent by strangers, whose number is not saved on the smartphone. Others ask for a malicious number reporting feature, such as it exists on WhatsApp for example. But at this time, Signal has not commented on these requests.

If you are really annoyed by the phishing received on Signal, you can still remove the application. But since receiving spam is first and foremost a sign that your phone number is compromised, this action will not solve all of your problems.

Photo credit from one: CCO / WIkimedia

Subscribe To Our Newsletter

More To Explore

Wanna take it to the next level?

drop us a line and let's get started

We're Here To help

Feel free to contact us, and we’ll be more than happy to answer all of your questions.

a2Da Digital

a2Da Digital is a brand of a2Da Enterprises

Ahtri 12
10151 Tallinn, Estonia

[email protected]

+372 712 4283
Hours : 08:00 to 18:00 Mon – Fri
Support 24×7 Submit a Ticket Here
Registered in Tallinn, EE : 14740580
VAT : EE102279616

By completing this form, you consent to a2Da Digital, in its capacity as data controller, collecting your data in order to be able to respond to your message. To assert your right of access or removal, see our Privacy Policy.

Notre entreprise est un collectif de personnes extraordinaires dont le seul objectif est de construire les solutions dont vous avez besoin.

Des interlocuteurs disponibles, compétents et à votre disposition pour vous aider à définir vos besoins et les traduire en outils performants et faciles à utiliser.

Nous répondons à vos demandes au plus vite de manière claire et compréhensible.

Contactez nous à [email protected] avec vos questions.

Nous maintenons nous même notre matériel 24/7 et avons construit une infrastructure sécurisée, efficace et fiable.

Ceci nous permet de vous proposer des produits adaptés à tous les budgets et à forte valeur ajoutée.

Nous ne revendons pas des packs d’hébergement… Nous disposons de nos propres serveurs, maintenus, mis à jour et gérés par nos propres équipes.