If a messaging app asks for a login check, distrust the message before the app

• Checked: 2026-06-29 09:30 KST
• Primary sources: CISA, FBI IC3

This is not an app outage notice. It is a warning that phishing messages inside messaging apps are being used to steal logins, sessions and verification codes. On June 26, 2026, CISA and the FBI updated a public warning saying Russian intelligence-linked actors are targeting commercial messaging applications in ongoing phishing campaigns.

The public-life angle is simple: the attack often begins in an ordinary chat window on your phone. Work contacts, relatives, banks, delivery alerts and travel updates all live in the same place. That makes fake “security check,” “new device login,” or “send me the code” messages more dangerous than they look.

User checks

1. Do not use links inside the message to sign back in. Open the official app or site yourself.
2. If anyone asks for a verification code, backup code or QR scan, verify the person through another channel first.
3. Check that two-factor authentication, recovery email and recovery phone details are still yours.
4. If you already clicked, change the password, review logged-in sessions and rotate any reused passwords elsewhere.

Official links

• CISA updated PSA on messaging-app phishing
• FBI IC3 PSA published June 26, 2026

Bottom line: The risk today is not “messaging apps are unsafe.” The risk is that official-looking login requests inside messaging apps are being used as the doorway.