PHISHING THREAT REPORT

The Signal "support" message asking for your backup recovery key is a scam

A message posing as automated "Signal support" claims your data is about to be lost and walks you through copying your Backup Recovery Key into a chat. The FBI warns it hands your entire message history to attackers, and that resetting your account does not undo it. Here is exactly how it works and the one real fix.

SafeBrowz Threat Research | Security Research | July 1, 2026 | 9 min read

Is the Signal support message asking for my backup recovery key real?

Verdict: no. Signal has no chatbot or SMS "support" line, and it will never ask you to paste a code, PIN, or key into a chat. A message claiming to be automated Signal support that walks you to Settings, Backups, and View Recovery Key, then tells you to copy that key into the conversation, is a scam. With your Backup Recovery Key an attacker can restore your entire private and group message history on their own device. Never share that key with anyone. If you already did, generate a new Backup Recovery Key in Signal immediately, because that is the only thing that invalidates the stolen one.

Why this is spreading now

On June 26, 2026 the FBI issued Public Service Announcement I-062626-PSA, "Russian Intelligence Services Continue to Target Commercial Messaging Applications", jointly with the Cybersecurity and Infrastructure Security Agency (CISA), alongside a separate coordinated warning from Ukraine's Security Service (SSU). It updates an earlier March 20, 2026 alert. The FBI attributes the activity to Russian intelligence services, including FSB officers, and names two tracked threat groups, UNC5792 and UNC4221. The US State Department "Rewards for Justice" program is offering up to 10 million dollars for information on UNC5792. The recovery-key theft against Signal is the genuinely new development in the June update.

What the scam looks like

It arrives as a message that appears to come from Signal itself, framed as an automated support or system notice. The pitch is loss. It tells you there is a "sync issue" or a backup problem and that your messages and media are at risk of permanent deletion unless you act now. The tone is calm and technical, not threatening, which is part of why it works. It reads like a routine maintenance step, not an attack.

Then it offers to walk you through the fix. The instructions look like a normal Signal settings path, because they are. The scammer is not sending you to a strange app. They are steering you through Signal's real backup screens to expose one specific value, your Backup Recovery Key, and then asking you to hand it over "so support can verify the backup".

That single string is the whole prize. It is not a login code that expires in a minute. It is the key that decrypts and restores your Signal backup. Copy it into the wrong chat and you have given a stranger the ability to rebuild your account somewhere else.

The exact steps the fake support walks you through

The message guides you through Signal's genuine menus so nothing feels off. Written out, the walkthrough looks like this:

  1. Open Settings, then Backups.
  2. Tap Configure, then Enable Backups.
  3. Tap View Recovery Key and copy the key it shows.
  4. Paste that Backup Recovery Key back into the chat with "support".

Once the attacker has that key, they use it to restore your backup on a device they control. That gives them your full private and group message history and a persistent foothold in your account. This part is Signal-specific: it targets the way Signal's encrypted backups are protected by that recovery key. The broader campaign has also hit WhatsApp and Telegram users, but through verification-code theft and malicious QR "linked device" codes, not this recovery-key trick, so do not assume the same key-paste step exists on those apps. If you have ever been pushed to paste a one-time code, our breakdown of the WhatsApp 6-digit code takeover scam shows the same "read me the number" pressure in a different form, and the QR side is covered in the QR code phishing (quishing) guide.

Why "resetting your account" does not fix it

This is the twist that makes the June 2026 warning different, and it is stated plainly in the FBI PSA: an account reset does not help. If you realize something is wrong and create a new Signal account on the same phone number, the stolen Backup Recovery Key stays valid. The attacker can still take over the new account later using that key. Wiping and starting over feels like the natural fix. Here it is not.

The only real fix is to generate a new Backup Recovery Key inside Signal. Doing that invalidates the old key for any future backup download. Anything already copied out before you rotate the key is gone and cannot be pulled back, but from that point forward the stolen key is dead. So if you shared it, do not just reset. Rotate the key.

This mirrors a pattern we see across account-takeover attacks: the artifact the attacker steals is a long-lived credential, not a one-time code, so the recovery step has to be "invalidate the credential", not "log out and back in". The Microsoft device-code phishing attack works on the same idea, tricking you into authorizing a token the attacker keeps using.

How real Signal support and linked devices actually work

Knowing the genuine setup is the fastest way to catch the fake. A few facts the scam depends on you not knowing.

Signal has no SMS "support" and no chatbot. There is no automated Signal agent that texts you or messages you in-app to walk you through a fix. Real help lives at support.signal.org, and the app itself is at signal.org. A conversation that claims to be "Signal support" inside your chats is not Signal.

Signal will never ask for your codes, PINs, keys, or payment details. Not in a chat, not on a call. Your Backup Recovery Key, your Signal PIN, and any verification code are yours alone. Any "support" that asks you to read one out or paste it is an attacker.

Linked devices are limited and visible. Signal allows one phone plus up to five linked devices, and you add one by scanning a QR code with your phone under Settings, Linked Devices. Open that list, and remove anything you do not recognize. An unfamiliar linked device is a red flag on its own.

Turn on a Signal PIN and Registration Lock as general best practice. Under Settings, Account, enabling a Signal PIN with Registration Lock blocks anyone from re-registering your number on a new device without your PIN. This is Signal's own recommended hardening, separate from the FBI's specific fix. To be clear about attribution: the FBI PSA's named remedy is regenerating your Backup Recovery Key; the PIN and Registration Lock are Signal's standing best practice. Both are worth doing.

How SafeBrowz blocks this threat

Be honest about where a browser tool fits here. Much of this scam happens inside the Signal app, in a chat, where a browser extension cannot see it. But these campaigns very often include a link, to a fake "Signal support" page, a bogus "verify your account" form, or a lookalike login, and the page is where a detection engine can act. Here is what SafeBrowz does with that link, using its 3-layer detection (Local + APIs + AI).

  • Layer 1, local detection, runs inside the browser with 60+ URL pattern signatures and 550+ brand signatures. It resolves the final landing host and checks whether a known brand, in this case Signal, is being imitated on a domain that is not Signal's own. A page pushing "Signal support" or "recover your account" while sitting on a lookalike domain is flagged before the form even finishes rendering.
  • Layer 2, reputation and API checks, aggregate threat intelligence including Google Safe Browsing, PhishTank, URLhaus, and scam-TLD signals, so a link someone else has already reported is caught on reputation alone.
  • Layer 3, AI content analysis via our proxy (Premium), reads the live page in 100+ languages and recognizes a credential-capture or "read me your key" layout impersonating a brand, which is what flags a brand-new page no blocklist has seen yet.

Honest scope: SafeBrowz can flag a fake Signal login or support page if the scam sends you a link, before you interact with it. It cannot stop a code or key you type or paste directly into a chat, because that never touches the browser. That is why the human habit, never sharing your recovery key, plus regenerating the key if it leaks and turning on Registration Lock, sits alongside the engine. The free browser extension does this on desktop, and the SafeBrowz Android app on Google Play applies the same engine to links you open on your phone, where most of these messages are read.

Detection signatures come from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

LIVE CHECK

Check a suspicious link right now

Got a "Signal support" or "recover your account" link and not sure about it? Paste it below. Our 3-layer engine (Local + APIs + AI) follows the link, reads the page it lands on, and returns a verdict in about three seconds. Free, no signup.

Full scan with deep AI analysis → · No URL is logged to your identity.

The fake addresses to watch for

Signal's real presence lives in two places only: the app at signal.org and help at support.signal.org. Anything else claiming to be Signal support or a Signal "recovery" portal is fake. These are illustrative lookalike patterns, not live sites, to show the shape the scam reuses.

  • signal-support-verify[.]com (Signal support is on support.signal.org, never a separate "verify" domain)
  • signal-recovery[.]help (Signal has no external "recovery" portal that needs your key)
  • signal-backup-restore[.]net (backups are handled inside the app, not on a website)
  • account-signal[.]support (the brand name shuffled onto a cheap TLD is a classic phishing tell)

If a message ever sends you to one of these instead of into the Signal app itself, treat it as hostile. When a link looks plausible but you are not sure, our guide on how to tell if a website is a scam walks through reading the real domain in the address bar.
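The check described under Layer 1 and illustrated by the lookalike list above can be sketched as follows. This is an added example, not SafeBrowz's code: the function names, verdict strings, digit-folding step and the `.example` test hosts are assumptions made for illustration, and the only facts taken from the article are that signal.org and support.signal.org are the genuine hosts.

```javascript
// Added example (not SafeBrowz code): classify a link's host against the
// brand "signal". Assumption from the article: only signal.org and its
// subdomains (such as support.signal.org) are genuine.
const OFFICIAL = "signal.org";
const BRAND = "signal";

// Accept defanged indicators ("[.]", "hxxp") and bare hosts without a scheme.
function parseLink(input) {
  const refanged = input.trim().replace(/\[\.\]/g, ".").replace(/^hxxp/i, "http");
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(refanged);
  return new URL(hasScheme ? refanged : "https://" + refanged);
}

function classifyLink(input) {
  let url;
  try {
    url = parseLink(input);
  } catch {
    return "invalid";
  }
  // Normalise case and a trailing root dot before comparing.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");

  // Official only on an exact match or a true subdomain. The leading dot
  // matters: "notsignal.org" ends with "signal.org" but is unrelated.
  if (host === OFFICIAL || host.endsWith("." + OFFICIAL)) return "official";

  // "https://signal.org@login.example/" shows the brand before the "@",
  // but that part is userinfo; the browser connects to login.example.
  if (url.username.toLowerCase().includes(BRAND)) return "impersonation";

  // Fold common digit look-alikes, then look for the brand as a whole
  // token between "." and "-" separators anywhere in the host.
  const folded = host.replace(/1/g, "l").replace(/0/g, "o");
  if (folded.split(/[.-]/).includes(BRAND)) return "impersonation";

  return "unrelated";
}

// Constructed sample inputs: the article's illustrative lookalikes plus
// reserved ".example" hosts. None of these are live indicators.
const samples = [
  "https://support.signal.org/hc", "signal-support-verify[.]com",
  "account-signal[.]support", "https://signal.org.login.example/verify",
  "https://signal.org@login.example/", "signa1-support.example",
];
for (const s of samples) console.log(s, "=>", classifyLink(s));
```

A token match like this will miss hosts that embed the brand inside a longer word or use non-Latin look-alike characters, so it complements reputation and content checks rather than replacing them.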

Red flags: when a Signal "support" message is a scam

  • It claims to be automated Signal "support" or a system notice. Signal has no chatbot and no SMS support line. Any "Signal support" conversation in your chats is fake.
  • It warns your data will be lost unless you act now. Manufactured loss-pressure, a "sync issue" or "backup failure" with a deadline, is the core hook.
  • It walks you to View Recovery Key. The entire path exists to expose that one value so you copy it out.
  • It asks you to paste a key, code, or PIN into the chat. Signal never asks for these. Sharing them is the takeover.
  • It sends you to a link instead of into the app. Real Signal actions happen inside Signal, not on a "signal-recovery" or "signal-verify" website.
  • You see a linked device you do not recognize. Check Settings, Linked Devices, and remove anything unfamiliar.

Any one of these is reason to stop. Two or more, and you should assume the message is hostile and report it.

What to do right now

  1. Do not share your Backup Recovery Key, PIN, or any code. No legitimate Signal process asks for them in a chat or on a call.
  2. If you already shared your recovery key, regenerate it now. In Signal, generate a new Backup Recovery Key. This invalidates the old one for future backup downloads, which is the FBI's named fix. A plain account reset does not do this.
  3. Check your linked devices. Open Settings, Linked Devices, and remove anything you do not recognize. Signal allows one phone plus up to five linked devices.
  4. Turn on a Signal PIN and Registration Lock. Under Settings, Account, enable both so no one can re-register your number without your PIN. This is Signal's standing best practice.
  5. Report and block in-app. Use Report, then Report and Block on the message so it stops reaching you.
  6. Report to the FBI. File the incident at ic3.gov, referencing PSA I-062626-PSA if relevant.

Updated July 1, 2026.

Flag the fake support page before you click

SafeBrowz is a free browser extension for Chrome, Firefox and Edge (Safari coming soon) plus a live Android app that follows a "Signal support" or "recover your account" link to where it lands and flags a fake page before you interact with it. It recognizes 550+ brands, auto-flagged when a page tries to impersonate them, with AI content analysis in 100+ languages for brand-new clones. Free forever, no account needed. Questions: [email protected].


Bottom line: a Signal "support" message asking for your backup recovery key is a scam, because Signal has no chatbot and never asks for your keys. Never share the key, and if you already did, regenerate a new Backup Recovery Key in Signal, since the FBI warns a plain account reset does not undo it. Turn on Registration Lock, and put SafeBrowz on your browser so any fake "Signal support" page gets flagged before you ever click through.

Frequently asked questions

Is a message from "Signal support" asking for my recovery key real?

No. Signal has no automated chatbot and no SMS support line, and it never asks you to paste a code, PIN, or key into a chat. A message posing as Signal support that walks you to View Recovery Key and asks you to copy it into the conversation is a scam. The FBI warns that this hands your full message history to attackers.

What can someone do with my Signal backup recovery key?

Your Backup Recovery Key decrypts and restores your Signal backup. With it, an attacker can rebuild your account on a device they control, giving them your full private and group message history and persistent access. It is not a one-time login code, so sharing it is far more damaging than reading out a short verification code.

Does resetting my Signal account fix a stolen recovery key?

No. The FBI PSA states plainly that an account reset does not help. If you make a new account on the same phone number, the stolen Backup Recovery Key stays valid and the attacker can take over the new account later. The only fix is to generate a new Backup Recovery Key in Signal, which invalidates the old one for future backup downloads.

Who is behind the Signal recovery key attacks?

The FBI and CISA attribute the activity to Russian intelligence services, including FSB officers, in PSA I-062626-PSA dated June 26, 2026, with Ukraine's Security Service (SSU) issuing a coordinated warning at the same time. Two tracked groups are named, UNC5792 and UNC4221, and the US State Department is offering up to 10 million dollars through Rewards for Justice for information on UNC5792.

How do I protect my Signal account?

Never share your Backup Recovery Key, PIN, or any code. Check Settings, Linked Devices, and remove anything you do not recognize. Turn on a Signal PIN with Registration Lock under Settings, Account, so no one can re-register your number without the PIN. If your recovery key leaked, regenerate it in Signal, and report the message with Report and Block.

How does SafeBrowz help against this scam?

Much of this scam happens inside the Signal app, where a browser tool cannot see it, but the campaigns often include a link to a fake support or "verify your account" page. SafeBrowz runs a 3-layer engine (Local + APIs + AI) that resolves where a link lands and flags a page impersonating Signal on a non-Signal domain before you interact with it. It cannot stop a key you paste into a chat, so pair it with never sharing your recovery key and turning on Registration Lock.
