Signal Quishing Attack:
How Hackers Mirror Your Chats

(2026 Anti-QR Phishing Guidance)

---

Signal Quishing Attack – TL;DR Brief

---

The “Ghost Device” Paradox: Why Encryption Won’t Save You

Signal is brilliant. It’s the gold standard. But end-to-end encryption (E2EE) only protects the pipe, not the endpoint. If an attacker becomes a “Linked Device,” they aren’t breaking the encryption – they are sitting inside it with you.

Think of it like this: You have an unbreakable steel door on your house. But if you casually hand a duplicate key to a bloke in a high-vis vest because he said he was the “Key Inspector,” that door is useless.

Real-World Context: Threat actors like UNC5792 have been caught using this exact “Signal quishing attack” to target activists since early 2025 ¹. It isn’t a theory; it is an active campaign.

---

What is a Signal Quishing Attack?

“Quishing” is a portmanteau for QR Code Phishing ².

In a standard phishing attack, you might spot a dodgy URL like signa1.org. In a quishing attack, the trap is visual.

1. The Bait: You get an email or message saying “Signal Desktop Update Required” or “Verify your Safety Number for this Group”.
2. The Switch: The attacker opens Signal Desktop on their own computer. It generates a legitimate “Link New Device” QR code.
3. The Mirror: They paste that code into their fake website. The site mimics Signal’s design perfectly.
4. The Sting: You scan it with your phone. You think you’re verifying a login. Actually, you just authorised a computer in a remote location to send and receive messages as you.

Pro Tip: Always check the URL before scanning. Legit Signal links are always signal.org. Anything else is rubbish – Always feel free to check on URLscan.io or VirusTotal if you’re unsure.

---

⚠️ The 2026 Danger: History Sync is Now Live

This is the bit that keeps me up at night, actually that’s just me. However..

Old versions of Signal didn’t sync past history. If a hacker got in, they could only see new messages. That changed with the post-2025 History Sync rollout ³. When you link a new device, Signal now offers to transfer your message history and up to 45 days of media to the new device.

What this means for you:
If you fall for a Signal quishing attack, the hacker doesn’t just get your future chats. They potentially grab your entire text archive and your last six weeks of photos in seconds. It is a complete digital extraction.

---

How to Audit Your Linked Devices (Do This Now)

Stop reading. Pick up your phone (or continue if reading from mobile)

Last week I audited a mate’s phone after he mentioned weird notifications – We found a bloody ghost Linux device linked at 2AM (forgive me Dr. Hubman). Fortunately, we had it gone in 30 seconds. Here’s how:

1. Open Signal.
2. Tap your profile icon (top left).
3. Tap Settings > Linked Devices.

What you should see:

• Ideally? Just your actual computer (e.g. “Baizaar’s MacBook”).

Red Flags to look for:

• “Generic PC” or “Linux Desktop” you don’t own.
• A device added when you were asleep.
• A location that makes no sense.
• Last active “5 minutes ago” when your desktop is switched off.

The Kill Switch:
If you see anything dodgy, tap it and hit Unlink. This instantly severs the connection and the hacker’s screen goes blank ⁴.

---

Hardening Your Defences: The “Paranoid Productivity” Setup

To stay unhackable, do these five things.

1. Enable Registration Lock
This stops someone from stealing your phone number via a SIM swap.

• Go to Settings > Account > Registration Lock.
• Set a PIN and don’t forget it. Secure it in a password manager like Proton Pass.

2. Verify Safety Numbers
If you’re discussing corporate secrets, don’t trust the chat blindly.

• Click the contact’s name > View Safety Number.
• Read it out to them over a different channel (like a phone call).

3. Never Scan a QR Code Sent Inside a Chat
Signal will never ask you to scan a code to “verify” your account or “join a premium group.” You only scan a QR code when you initiate the link from your own physical computer.

4. Enable Screen Lock & Incognito Keyboard

• Settings > Privacy > Screen Lock.
• Turn on Incognito Keyboard to stop third-party keyboards from logging your PIN.

5. Stack with a VPN
Pair Signal with a no-logs VPN to hide metadata. Signal combined with Proton VPN beats Telegram for true privacy. Telegram stores cloud chats unencrypted; Signal doesn’t. We’ve tested this extensively in our Proton VPN Review.

---

🔍 Spotting Fake Signal QR Codes: Red Flags Checklist

• URL Mismatch: Look for signall.org or signal-desktop.com.
• Unexpected Context: Legit Signal never emails QR codes.
• Urgency Pressure: “Scan now or lose access!” is a classic scam tactic.
• Design Flaws: Blurry codes or mismatched fonts are dead giveaways.
• No Notification: If you scan and your phone doesn’t vibrate or show “Device Linked,” something is wrong.

---

Signal vs Alternatives: When to Switch?

App	E2EE Default?	Linked Device Risk	Best For
Signal	Yes	High (Quishing)	Activists/Journalists
Session	Yes	Low (No phone number #)	Max anonymity
SimpleX	Yes	None (No IDs)	Ultimate privacy
Telegram	No	Medium	Large Groups

Tradeoffs:

• Stay with Signal if you need disappearing messages and polished group calls.
• Switch to Session if phone number linkage is a dealbreaker.
• Go SimpleX for zero-metadata paranoia.

---

FAQ – Signal QR phishing

Can a hacker read my old messages if they link a device?

Yes. With the History Sync feature, a newly linked device can pull your full text history and recent media .

Does Signal notify me if someone links a device?

Yes, but it is subtle. You will see a banner in your chat list. If a hacker sends you 50 spam messages immediately after linking, they can push that notification off your screen. Notifications are finicky at the best of times, worth a check anyway.

I scanned a code and nothing happened. Am I safe?

Probably not. If you scanned a code and didn’t get a success message, you might have authorised a background session. Check your Linked Devices immediately.

What’s safer than Signal for teams?

Session or SimpleX. No phone numbers means no SIM swap risk. However, they lack Signal’s polish for large groups.

---

Limitations & Risks (The Small Print)

• No Magic Bullet: Unlinking a device kicks the hacker out, but if they already downloaded your history, they have that data forever.
• Metadata Leaks: Signal still knows when you are online. Use Proton VPN to obscure your IP.
• Physical Access: If someone steals your phone while it is unlocked, they can link devices directly. Always use biometric locks.

---

Ethics & Transparency

• Source: This guide is based on Signal updates (post-2025) and UNC5792 threat reports.
• No Fear-Mongering: Signal remains vastly more secure than SMS or WhatsApp. This guide is designed to make you a smarter user, not to scare you off.

1. Cyber Insider – Alex Lekander “Russian Hackers Exploit Signal’s Linked Devices to Spy on Users” https://cyberinsider.com/russian-hackers-exploit-signals-linked-devices-to-spy-on-users/ ↩︎
2. Proofpoint – “Role of Technology in Combating and Detecting Quishing” – https://www.proofpoint.com/uk/threat-reference/quishing ↩︎
3. Signal – “Introducing Signal Secure Backups” – https://signal.org/blog/introducing-secure-backups/ ↩︎
4. Signal – “Unlinking devices” – https://support.signal.org/hc/en-us/articles/360007321111-Unlinking-devices ↩︎