CISA updates security guidance amid growing spyware and phishing tactics

• Agency warns that device hardening alone is not a defence against hackers exploiting human psychology through social engineering tactics.
• Clarifies that encrypted apps offer improved security but must be used alongside new risk-mitigation practices.

Amid a surge in advanced spyware and social engineering attacks, the US Cybersecurity and Infrastructure Security Agency (CISA) has released updated security guidance for iPhone and Android users, calling for stronger measures to protect against increasingly sophisticated cyber threats targeting messaging apps and mobile devices .

Last year, CISA and the FBI urged Americans to use encrypted messaging services like Signal or WhatsApp, stepping away from standard SMS. Now, as hackers target these very platforms with spyware campaigns, CISA has clarified that encrypted apps offer improved security but must be used alongside new risk-mitigation practices.

The agency warns that device hardening alone is not a defence against hackers exploiting human psychology through social engineering tactics.

Four new app security practices
CISA’s revised guidance includes:

1. Beware of social engineering: Hackers may impersonate contacts or group admins and trick users into dangerous actions—such as scanning fake QR codes. Always confirm group invitations and stay alert for suspicious requests.
2. Be suspicious of unexpected security alerts: Ignore and verify messages—even within apps—that ask for authentication codes, as attackers increasingly use fake alerts to compromise accounts.
3. Enable message expiration: Use disappearing messages to reduce long-term data exposure, subject to workplace data retention policies and laws.
4. Audit linked devices: Routinely check which devices are connected to your messaging apps, removing any that are not recognized .

Device-specific protection: iPhone & Android

For iPhones:

• Enable lockdown mode: Restricts device features to minimise vulnerabilities.
• Disable SMS fallback in iMessage: Ensures communications remain end-to-end encrypted.
• Use iCloud private relay or encrypted DNS providers: Mask IP addresses and protect DNS queries.
• Restrict app permissions: Limit access to personal data and device features.
• Choose the latest hardware: Opt for the newest iPhone models with advanced security.

For Android devices:

• Select secure models: Prioritise devices with strong update commitments and hardware security.
• Configure Google messages for end-to-end encryption: Use RCS only when encrypted.
• Secure browsing and safe browsing protections: Ensure HTTPS connections and enable Enhanced Protection in Chrome.
• Keep play protect on: Regularly check app scans to guard against malicious apps.
• Limit app permissions: Revoke unnecessary app access.

General security best practices for all users

• Use end-to-end encrypted apps for sensitive communication.
• Adopt phishing-resistant authentication: Prefer hardware security keys (FIDO standard) over SMS-based codes. Enroll critical accounts in Google Advanced Protection Program if possible.
• Utilise password managers: Choose industry-recognized options with breach alerting, and upgrade weak or repeated passwords.
• Set a carrier-level PIN: To thwart SIM-swapping attacks.
• Keep devices and apps updated: Enable automatic software updates.
• Avoid personal VPNs: Especially free services, as they add risk rather than reduce it.

CISA emphasises that while the guidance is especially crucial for those in high-risk fields—government, defence, and politics—it applies to all mobile users given the widespread and rapidly evolving nature of cyberattacks.

Implementing these combined best practices, according to CISA, offers strong protection against both nation-state and financially motivated hackers.