Klöckner, Prien, Graichen: When the top brass clicks a phishing link
Bundestag President Julia Klöckner, Education Minister Karin Prien and Building Minister Verena Hubertz were compromised via Signal phishing because they forwarded a verification code to a seemingly trusted contact: an account takeover via messenger, technically not a classic link click. Federal Prosecutor General Jens Rommel has been investigating since February on suspicion of espionage. Patrick Graichen, former State Secretary responsible for critical infrastructure, in the same period posted a screenshot of a pay‑for‑likes scam on X and falsely accused Welt editor‑in‑chief Ulf Poschardt of being behind it as book marketing. Different vectors, a shared management lesson: awareness was built on the wrong floor.
Key Takeaways
- Around 300 accounts affected, Federal Prosecutor's Office (BAW) investigation since February. Federal Prosecutor General Rommel pursues a suspicion of espionage. BSI and BfV classify the actor as likely state‑controlled. Roderich Henrichmann (PKGr) publicly named Russia as the probable source; technical attribution is pending.
- Verification code as vector. Klöckner, Prien and Hubertz forwarded the 6‑digit Signal code to a seemingly trusted contact. The vector has featured in every BSI awareness notice for two years.
- The Graichen case follows a different pattern: a public false accusation against Ulf Poschardt after a scam was spotted, without any account compromise. The shared lesson with the Signal wave: a top‑level reflex without a second pair of eyes.
- Procurement consequence for CISOs. The top‑50 accounts need their own protection model of technology, process and behavior, not the 25‑minute mandatory e‑learning for staff.
What is verification‑code theft? In an account takeover via Signal or WhatsApp, an attacker starts registering the victim's phone number on a device the attacker controls. The messenger sends a 6‑digit confirmation code by SMS (or voice call) to the legitimate owner's phone. Whoever forwards this code to a seemingly trusted contact hands over the account: the attacker's device becomes the registered device and the owner's own app is deregistered. Protection: a second factor known only to the owner. In Signal this is the Signal PIN with Registration Lock enabled, in WhatsApp the two‑step verification PIN; with it enabled, re‑registration fails even if the code is handed over. Caveat: Signal's Registration Lock lapses after seven days without use of the account, so the PIN is no substitute for the rule never to forward a code.
What happened in April
The Signal wave has been active since February 2026. According to security circles, roughly 300 accounts are affected in Germany, with further targets in the Netherlands. The vector is identical for the three politicians: a message from what appears to be a known contact's account asks by direct message for the 6‑digit verification code that has just arrived by SMS. Whoever forwards the code hands over the account. Klöckner's case was made public on Wednesday; Prien and Hubertz followed on Friday as part of the same investigation.
Federal Prosecutor General Jens Rommel opened the case as early as February 2026 on suspicion of activity for a foreign intelligence service. BSI and the Federal Office for the Protection of the Constitution place the actor within a state‑run espionage program. Roderich Henrichmann, member of the Parliamentary Oversight Committee (PKGr), publicly named Russia as the likely source. A technical attribution by the Federal Prosecutor's Office is still pending as of 28 April 2026.
The Graichen incident follows a different pattern: a public false accusation after a scam was spotted, without any account compromise. He posted a screenshot of a WhatsApp group in which money was promised for likes on influencer accounts, and tagged Welt editor‑in‑chief Ulf Poschardt, assuming he was behind the request. The mechanism has been staple material in awareness trainings for years: foreign country code, micro‑reward, gradual escalation to advance fees or account details. Graichen was for years responsible for critical infrastructure and energy supply. The link to the Signal wave lies not in the vector but in the reflex: fast, mobile, without an intermediate check.
Why awareness thins out at the top
Three mechanisms explain the finding. First, at C‑level the inbox is processed in 30‑second slots between meetings; awareness trainings are built for 25 minutes of attention that simply isn't available there. Second, the pre‑filter performed by office staff disappears as soon as a message lands on a private smartphone, and that is exactly where Signal, WhatsApp and a growing share of day‑to‑day political coordination run. Third, anyone who drinks coffee with the chancellor unconsciously treats the everyday mass scam as a lower‑level problem.
The operational consequence has been felt by security teams for years. In internal awareness tests, top‑level accounts are rarely better protected than the employee average, and in some sectors measurably worse. Communication pressure, mobile channels and delegation patterns raise the risk, and the experience bonus does not offset it. Procurement reality moves in the opposite direction: awareness budgets flow into mandatory e‑learnings for the entire workforce because they are compliance‑friendly and billable. The high‑value accounts with access to strategy papers, bidding talks and cabinet drafts remain in the same standard module.
What CISOs need to change now
Top‑level protection requires three layers. Technology locks the account, process governs the callback, behavior trains the reflex. Anyone who addresses only one layer merely shifts the risk instead of reducing it.
Technology: Account hardening at the device level
A second‑factor PIN (Signal: Registration Lock with the Signal PIN; WhatsApp: two‑step verification) is mandatory for the top‑50 accounts, as is a regular look at the Linked Devices list in the account settings. A session‑review routine with the office team checks monthly which endpoints are currently linked to the account; an unknown entry is the first indicator, ahead of any official report. Note the limit of that check: the code‑theft takeover does not add a linked device, it replaces the primary one, so the tell on the owner's side is a sudden "device no longer registered" prompt in their own app, while the Linked Devices review catches the other variant, a secondary device paired via QR code. MDM profiles on corporate smartphones filter out risky messenger configurations before they become incidents.
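To make the control flow of the takeover and of the Registration Lock concrete, here is a constructed simulation written for this article. It is not Signal's or WhatsApp's code; the server, the device names, the 7‑day expiry constant and the `takeover_attempt` helper are assumptions that mirror the behavior described in the text: the SMS code alone re‑binds the number to the attacker's device (and deregisters the owner's), a PIN lock blocks that, and a lock that has lapsed through inactivity blocks nothing.

```python
"""Toy model of messenger re-registration, with and without a Registration
Lock PIN. Constructed example for this article, not Signal's or WhatsApp's
code: it only simulates the control flow the text describes."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption mirroring Signal's documented behavior: the lock lapses after
# seven days without use of the account, so the owner cannot lock themselves
# out for good by forgetting the PIN.
LOCK_EXPIRY_DAYS = 7


@dataclass
class Account:
    number: str
    device: str                      # device currently bound to the number
    sms_inbox: List[str] = field(default_factory=list)  # codes land on the SIM
    pin_salt: Optional[bytes] = None
    pin_hash: Optional[bytes] = None  # None: Registration Lock is off
    last_active_day: int = 0


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class MessengerServer:
    """Simulated server: number registration, SMS code, optional PIN lock."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[Tuple[str, str], str] = {}  # (number, device) -> code

    def first_registration(self, number: str, device: str) -> Account:
        acct = Account(number, device)
        self.accounts[number] = acct
        return acct

    def enable_lock(self, number: str, pin: str) -> None:
        acct = self.accounts[number]
        acct.pin_salt = secrets.token_bytes(16)
        acct.pin_hash = _hash_pin(pin, acct.pin_salt)

    def request_code(self, number: str, device: str) -> None:
        """Anyone may ask for a code; it is delivered only to the number's SIM."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(number, device)] = code
        self.accounts[number].sms_inbox.append(code)

    def verify(self, number: str, device: str, code: str,
               pin: Optional[str] = None, today: int = 0) -> str:
        acct = self.accounts[number]
        if self.pending.get((number, device)) != code:
            return "bad_code"
        lock_active = (acct.pin_hash is not None
                       and today - acct.last_active_day < LOCK_EXPIRY_DAYS)
        if lock_active:
            if pin is None or not secrets.compare_digest(
                    _hash_pin(pin, acct.pin_salt), acct.pin_hash):
                return "pin_required"
        # Re-registration succeeds: the number now belongs to `device` and the
        # previous device is deregistered (the owner's first indicator).
        acct.device = device
        acct.last_active_day = today
        del self.pending[(number, device)]
        return "registered"


def takeover_attempt(lock: bool, days_idle: int = 0,
                     victim_forwards_code: bool = True) -> Tuple[str, str]:
    """Play the attack once; returns (server verdict, device now holding the number)."""
    srv = MessengerServer()
    victim = srv.first_registration("+49 30 1234567", "victim-phone")  # constructed
    if lock:
        srv.enable_lock(victim.number, "739201")  # PIN the attacker does not know
    srv.request_code(victim.number, "attacker-phone")
    # The social-engineering step: a "known contact" asks for the code that
    # just arrived. A refusal is modeled as the attacker guessing a non-code.
    code = victim.sms_inbox[-1] if victim_forwards_code else "refused"
    verdict = srv.verify(victim.number, "attacker-phone", code,
                         pin=None, today=days_idle)
    return verdict, victim.device


if __name__ == "__main__":
    print("no lock, code forwarded:   ", takeover_attempt(lock=False))
    print("lock on, code forwarded:   ", takeover_attempt(lock=True))
    print("lock lapsed after 8 idle days:", takeover_attempt(lock=True, days_idle=8))
    print("no lock, code refused:     ", takeover_attempt(lock=False, victim_forwards_code=False))
```

The third run is the one a CISO should notice: a lock enabled by the top‑50 program protects nothing during a two‑week holiday in which the account is not opened, so the callback rule and the "never forward a code" reflex carry the weight there.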
Process: Callback rule and press office escalation
No verification code is ever forwarded via messenger, to anyone, not even to one's own assistant or press spokesperson. Anyone who asks is verified by a callback to a known number, never by replying on the channel the request arrived on. As soon as a board member comments on a security incident or accuses a third party on a private X or LinkedIn account, the matter must be routed to Corporate Communications before posting. The four‑eyes principle on private channels is organizationally cumbersome but, for accounts with real reach, the only safeguard against false accusations that attract press attention.
Behavior: Top-50 Coaching as its own procurement
Carve out awareness for the board, supervisory board, legally responsible officers and their direct assistants as its own line item: a 1:1 coaching per quarter, delivered by an external pentester with a live demo of the current vector on a second smartphone. Duration 60 minutes, content aligned with the current BSI situation report. Costs are calculable, impact is documentable in the audit, the compliance argument is solid. Coaching without technology and process remains talk; that is the lesson of the three politicians.
Frequently Asked Questions
What was the attack vector in the Signal wave?
The attackers wrote from accounts the targets already had in their address books and asked for the 6‑digit verification code that the messenger sends by SMS when the number is registered on a new device. Anyone who passed the code on handed over the account. A Registration Lock PIN in the Signal settings prevents exactly this takeover, because re‑registration then additionally requires the self‑chosen PIN.
Who is behind the attacks?
Federal Prosecutor General Jens Rommel has been investigating since February 2026 on suspicion of espionage. BSI and the Federal Office for the Protection of the Constitution classify the actor as probably state‑controlled. Roderich Henrichmann (PKGr) named Russia as the likely source. An official technical attribution by the Federal Prosecutor’s Office is pending as of 28 April 2026.
Why was the Graichen tweet a security incident?
The post contained a screenshot of a classic pay‑for‑likes scam plus a false accusation against Welt editor‑in‑chief Ulf Poschardt. The technical vector differs from the Signal wave; the account was not compromised. Both cases share the reflex structure: fast, mobile, without a second pair of eyes. The reputational fallout from public quick shots without a press office is the management lesson.
Which immediate measure is recommended for board members?
First, enable the two‑factor PIN on Signal and WhatsApp. Second, unlearn the reflex of forwarding codes via messenger. Third, verify every unusual direct message by calling back on a known number, never by replying on the original channel.
How should CISOs reshape their awareness budgets?
Treat the Top‑50 accounts as a separate procurement category, with 1:1 coaching per quarter and live demos of current vectors. Mandatory e‑learning for staff remains relevant, but does not replace targeted protection for the accounts with strategy and bidder access. Technology and process must run in parallel, otherwise coaching remains ineffective.
Photo: Chaddy / Wikimedia Commons (CC BY-SA 4.0)