Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

Phishing targeting Signal backup recovery keys: quick checks for SMEs today

What small and medium-sized businesses should look out for today.

High Saturday 27 June 2026, 10:34 UK time
Today’s look-out: Account takeover scams targeting secure messaging (Signal) backups

What to look out for today

Be alert for phishing messages that try to trick staff into revealing a Signal Backup Recovery Key (or “backup key / restore code”). UK SMEs may see this as:

  • A message pretending to be from Signal support, IT, a security team, or a colleague asking you to “verify” or “recover” an account.
  • A prompt to enter a backup/recovery key on a website, form, or “security check” page.
  • Urgent language about account suspension, policy breaches, or “new device sign-in”.

Why this matters to smaller businesses

If an attacker gets a Signal Backup Recovery Key, they may be able to restore the victim’s backup and access historical messages. For many smaller organisations, Signal is used for sensitive topics (customers, safeguarding, HR, finance, incident response and supplier coordination). That can turn a single phish into:

  • Confidentiality loss (old chats, shared documents, photos, and group context exposed).
  • Impersonation in group chats (to request payments, gift cards, bank detail changes, or payroll actions).
  • Follow-on attacks using insider knowledge (supplier names, invoice schedules, and who approves what).

Warning signs

  • Any request to share, screenshot, paste, or “confirm” a Signal backup/recovery key.
  • Unexpected security messages that push you to act quickly or in secret.
  • Someone in a Signal group suddenly changing tone: new urgency, unusual wording, or pushing for financial action.
  • Colleagues saying they’ve been “locked out” and need you to send codes/keys to help them back in.

How attackers may exploit the situation

  • Phishing to obtain the Backup Recovery Key, then restoring message history elsewhere.
  • Business email compromise-style fraud, but via messaging: convincing payment change requests, “CEO/Headteacher” style urgency, or fake supplier invoice chasing.
  • Reconnaissance: mining historic chats for names, projects, passwords shared in error, and security procedures.

What to do today

  • Send a 2-minute staff note: “Never share Signal Backup Recovery Keys or any recovery/backup codes. IT will never ask.”
  • Reinforce your out-of-band check for any payment or bank detail change (phone call to a known number, not one provided in the message).
  • Review who uses Signal for work (leadership, finance, safeguarding, ops). Ensure they understand what a recovery key is and why it’s sensitive.
  • If you suspect compromise: treat it like an account takeover—stop financial actions, preserve evidence (screenshots), and escalate internally/with your IT provider.

Ask your IT provider

  • Do we have a documented process for staff to report suspected messaging account takeovers (Signal/WhatsApp/Teams) and get a rapid response?
  • Can we add a policy reminder to onboarding and annual training: never share recovery keys/codes, and never approve payments from chat alone?
  • For finance teams: do we have payment verification controls that still work if an attacker compromises a chat account?

Patch watch - only one short paragraph, and only if relevant

Separate to the Signal phishing theme, CISA has highlighted active exploitation of a Cisco Unified Communications Manager Server flaw. If you run Cisco voice/telephony infrastructure (directly or via a provider), ask your IT partner to confirm whether you’re affected and what mitigations/updates have been applied—especially as telephony disruption can hit customer service and payment verification calls.

One action today

Send a company-wide note today: “Never share Signal Backup Recovery Keys (or any recovery/backup codes). Treat any request as a scam and report it immediately.”

Related Actions On Cyber resource

Actions On Cyber checklist: Payment change & invoice fraud verification (call-back and approval steps)

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.