{"id":13557,"date":"2026-04-28T14:27:25","date_gmt":"2026-04-28T14:27:25","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/04\/29\/kloeckner-prien-graichen-top-level-phishing-april-2026-2\/"},"modified":"2026-05-20T20:28:21","modified_gmt":"2026-05-20T20:28:21","slug":"klockner-prien-graichen-when-the-top-brass-clicks-a-phishing-link","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/04\/28\/klockner-prien-graichen-when-the-top-brass-clicks-a-phishing-link\/","title":{"rendered":"Top-Tier Phishing: How CISOs Protect Their Channels"},"content":{"rendered":"<p style=\"color:#69d8ed;font-size:0.9em;margin:0 0 16px;padding:0;\">5 min. reading time<\/p>\n<p><strong>Bundestag President Julia Kl\u00f6ckner, Education Minister Karin Prien and Building Minister Verena Hubertz were compromised via Signal phishing because they forwarded a verification code to a seemingly trusted contact: an account takeover via messenger, technically not a classic link click. Federal Prosecutor General Jens Rommel has been investigating since February on suspicion of espionage. Patrick Graichen, former State Secretary for critical infrastructure, simultaneously posted a pay\u2011for\u2011likes scam on X and falsely accused Welt editor\u2011in\u2011chief Ulf Poschardt of book marketing. 
Different vectors, a shared management lesson: awareness was built on the wrong floor.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:12px;color:rgba(255,255,255,0.92);\"><strong style=\"color:#69d8ed;\">Around 300 accounts affected, BAW investigation since February.<\/strong> Federal Prosecutor General Rommel pursues espionage suspicion. BSI and BfV classify the actor as likely state\u2011controlled. Roderich Henrichmann (PKGr) publicly named Russia as the probable source; technical attribution is pending.<\/li>\n<li style=\"margin-bottom:12px;color:rgba(255,255,255,0.92);\"><strong style=\"color:#69d8ed;\">Verification code as vector.<\/strong> Kl\u00f6ckner, Prien and Hubertz forwarded the 6\u2011digit Signal code to a seemingly trusted contact. Standard vector for two years in every BSI awareness notice.<\/li>\n<li style=\"margin-bottom:12px;color:rgba(255,255,255,0.92);\"><strong style=\"color:#69d8ed;\">Graichen case follows a different pattern.<\/strong> Public false accusation against Ulf Poschardt after scam detection, without account compromise. 
Shared lesson with the Signal wave: a top\u2011level reflex without a second pair of eyes.<\/li>\n<li style=\"color:rgba(255,255,255,0.92);\"><strong style=\"color:#69d8ed;\">Procurement consequence for CISOs.<\/strong> Top\u201150 accounts need their own protection model of technology, process and behavior, not the 25\u2011minute mandatory e\u2011learning for staff.<\/li>\n<\/ul>\n<\/div>\n<p><strong>What is verification\u2011code theft?<\/strong> In an account takeover via Signal or WhatsApp, an attacker registers the account on a foreign device. The messenger sends a 6\u2011digit confirmation code via SMS to the legitimate owner. Whoever forwards this code to a seemingly trusted contact hands over the account. Protection: a two\u2011factor PIN in the Signal settings prevents takeover even if the code is intercepted.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What happened in April<\/h2>\n<p>The Signal wave has been active since February 2026. According to security circles, roughly 300 accounts are affected in Germany, with additional targets in the Netherlands. The vector is identical for the three female politicians: a known contact address asks via direct message for the 6\u2011digit verification code that has just arrived by SMS. Whoever forwards the code hands over the account login. Kl\u00f6ckner's case was made public on Wednesday; <a href=\"https:\/\/www.berliner-zeitung.de\/article\/spionageverdacht-auch-bundesministerinnen-prien-und-hubertz-offenbar-von-signal-hacks-betroffen-10032624\">Prien and Hubertz followed on Friday<\/a> as part of the same investigation.<\/p>\n<p>Federal Prosecutor Jens Rommel had already opened the case in February 2026 on suspicion of intelligence\u2011agency activity. BSI and the Federal Office for the Protection of the Constitution place the actor within a state\u2011run espionage program. Roderich Henrichmann, member of the Parliamentary Oversight Committee, publicly named Russia as the likely source. 
A technical attribution by the Federal Prosecutor&#8217;s Office is still pending as of 28\u202fApril\u202f2026.<\/p>\n<p>The <a href=\"https:\/\/nius.de\/gesellschaft\/sicherheitsrisiko-entscheidungstraeger-internet\">Graichen incident<\/a> follows a different pattern: a public false accusation after scam detection, without account compromise. He screenshotted a WhatsApp group where money was promised for likes on influencer accounts, and tagged Welt editor\u2011in\u2011chief Ulf Poschardt, assuming he was behind the request. The mechanism has been staple material in every awareness training for years: foreign country code, micro\u2011reward, gradual escalation to prepaid fees or account details. Graichen was responsible for critical infrastructure and energy supply for years. The link to the Signal wave lies not in the vector but in the reflex: fast, mobile, without intermediate checks.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Why awareness thins out at the top<\/h2>\n<p>Three mechanisms explain the finding. At C\u2011level, the inbox is processed in 30\u2011second slots between meetings. Awareness training is built for 25\u202fminutes of attention, which simply isn\u2019t available there. The pre\u2011filter performed by office staff disappears as soon as a message lands on a private smartphone. That is exactly where Signal, WhatsApp and an increasing share of day\u2011to\u2011day political coordination run. Anyone who drinks coffee with the chancellor unconsciously treats the everyday swarm scam as a lower\u2011level problem.<\/p>\n<p>The operational consequence has been felt by security teams for years. In internal awareness tests, top\u2011level accounts are rarely better protected than the employee average, and in some sectors measurably worse. Communication pressure, mobile channels and delegation patterns raise the risk, and the experience bonus does not offset it. 
Procurement reality moves in the opposite direction: awareness budgets flow into mandatory e\u2011learning courses for the entire workforce because they are compliance\u2011friendly and billable. The high\u2011value accounts with access to strategy papers, bidding talks and cabinet drafts remain in the same standard module.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What CISOs need to change now<\/h2>\n<p>Top\u2011level protection requires three layers. Technology locks down the account, process governs the verification callback, behavior trains the reflex. Anyone who only addresses one layer merely shifts the risk instead of reducing it.<\/p>\n<h3>Technology: Account hardening at the device level<\/h3>\n<p>A two\u2011factor PIN for Signal and WhatsApp is mandatory for the top\u201150 accounts, as is reviewing the device\u2011pairing overview in the account settings. A session\u2011review routine with the office team checks monthly which endpoints are currently linked to the account. Anyone who finds an unknown entry has the first indicator before any official report. MDM profiles on corporate smartphones filter out risky messenger configurations before they become incidents.<\/p>\n<h3>Process: Callback rule and press office escalation<\/h3>\n<p>No verification code is ever forwarded via messenger, to anyone, not even to one\u2019s own assistant or press spokesperson. Anyone who asks is verified through a callback to a known number. As soon as a board member comments on a security incident or accuses a third party on a private X or LinkedIn account, the matter must be routed to Corporate Communications before posting. The four\u2011eyes principle on private channels is organizationally cumbersome but, with real reach, the only safeguard against false accusations that attract press attention.<\/p>\n<h3>Behavior: Top-50 Coaching as its own procurement<\/h3>\n<p>Separate out awareness for the board, supervisory board, legally responsible bodies and their direct assistants. 
One 1:1 coaching session per quarter, delivered by an external pentester with a live demo of the current vector on a second smartphone. Duration 60 minutes, content aligned in advance with the current BSI situation report. Costs calculable, impact documentable in the audit, compliance argument solid. Coaching without technology and process remains talking material; that is the lesson of the three female politicians.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Frequently Asked Questions<\/h2>\n<h3>What was the attack vector in the Signal wave?<\/h3>\n<p>The attackers contacted targets from a known address\u2011book entry and asked for the 6\u2011digit verification code that the messenger sends via SMS to the legitimate owner when the account is newly registered on a foreign device. Anyone who passed the code on handed over the account. A two\u2011factor PIN in the Signal settings prevents exactly this breach, because the login additionally requires the self\u2011chosen PIN.<\/p>\n<h3>Who is behind the attacks?<\/h3>\n<p>Federal Prosecutor General Jens Rommel has been investigating since February 2026 on suspicion of espionage. BSI and the Federal Office for the Protection of the Constitution classify the actor as probably state\u2011controlled. Roderich Henrichmann (PKGr) named Russia as the likely source. An official technical attribution by the Federal Prosecutor&#8217;s Office is pending as of 28 April 2026.<\/p>\n<h3>Why was the Graichen tweet a security incident?<\/h3>\n<p>The tweet contained a screenshot of a classic pay\u2011for\u2011likes scam plus a false accusation against Welt editor\u2011in\u2011chief Ulf Poschardt. The technical vector differs from the Signal wave; the account was not compromised. Both cases share the reflex structure: fast, mobile, without a second pair of eyes. 
The reputational fallout from hasty public posts made without a press office is the management lesson.<\/p>\n<h3>Which immediate measure is recommended for board members?<\/h3>\n<p>First, enable the two\u2011factor PIN on Signal and WhatsApp. Second, unlearn the reflex of forwarding codes via messenger. Third, verify every unusual direct message by calling back on a known number, never by replying on the original channel.<\/p>\n<h3>How should CISOs reshape their awareness budgets?<\/h3>\n<p>Treat the Top\u201150 accounts as a separate procurement category, with 1:1 coaching per quarter and live demos of current vectors. Mandatory e\u2011learning for staff remains relevant, but does not replace targeted protection for the accounts with strategy and bidder access. Technology and process must run in parallel; otherwise coaching remains ineffective.<\/p>\n<div class=\"evm-styled-box\" style=\"background:#f0f9fa;border-radius:8px;padding:20px 24px;margin:24px 0;\">\n<h3 style=\"margin-top:0;margin-bottom:12px;font-size:1.05em;\">Reading tips from the editorial team<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/04\/28\/eu-ai-act-high-risk-deadline-august-2026-supervisory-gap\/\">EU AI Act 2 August 2026: Where the high\u2011risk gap really lies<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/?p=13213\">ITDR alongside SIEM and EDR: Detection architecture 2026<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/04\/25\/gdpr-fine-april-2026-renault-yoti-enel-bakeca-midsized-cyber\/\">GDPR enforcement 2026: What the April cases mean for SMEs<\/a><\/li>\n<\/ul>\n<\/div>\n<div class=\"evm-styled-box\" style=\"background:#f8f9fa;border-radius:8px;padding:20px 24px;margin:24px 0;\">\n<h3 style=\"margin-top:0;margin-bottom:12px;font-size:1.05em;\">More from the MBF Media Network<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.digital-chiefs.de\/ai-governance-2026-system-level-vorstand-trust-plattform-eu-ai-act\/\">Digital Chiefs: AI 
Governance 2026 \u2013 System\u2011Level instead of Use\u2011Case\u2011Level<\/a><\/li>\n<li><a href=\"https:\/\/www.cloudmagazin.com\/2026\/04\/28\/bsi-kritis-cloud-multi-cloud-compliance-nis2-c5-dach-2026\/\">cloudmagazin: BSI\u2011KRITIS and cloud usage \u2013 Multi\u2011cloud compliance under NIS2 and C5<\/a><\/li>\n<li><a href=\"https:\/\/mybusinessfuture.com\/made-for-germany-zwischenbilanz-april-2026-foerder-status\/\">MyBusinessFuture: Made for Germany in April 2026 \u2013 Where the 800\u2011billion offensive really lies<\/a><\/li>\n<\/ul>\n<\/div>\n<p style=\"text-align: right;\"><em>Photo: Chaddy \/ Wikimedia Commons (CC BY-SA 4.0)<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"Signal verification code theft at Kl\u00f6ckner, Prien, Hubertz plus Graichen own goal on X. Three CISO moves for 2026.","protected":false},"author":50,"featured_media":13545,"comment_status":"closed","ping_status":"closed","sticky":true,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"Kl\u00f6ckner signal phishing","_yoast_wpseo_title":"Kl\u00f6ckner, Prien, Graichen: When the top brass clicks a phishing link","_yoast_wpseo_metadesc":"Signal verification code theft at Kl\u00f6ckner, Prien, Hubertz plus Graichen's own goal on X. 
Three CISO moves for 2026.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/04\/kloeckner-prien-graichen-top-level-phishing-april-2026-cover-hero.jpg","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/04\/kloeckner-prien-graichen-top-level-phishing-april-2026-cover-hero.jpg","_yoast_wpseo_twitter-image-id":0,"_wp_old_slug":["kloeckner-prien-graichen-top-level-phishing-april-2026-2"],"footnotes":""},"categories":[3,251],"tags":[],"class_list":["post-13557","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aktuelles","category-news"],"wpml_language":"en","wpml_translation_of":13513,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/13557","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=13557"}],"version-history":[{"count":3,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/13557\/revisions"}],"predecessor-version":[{"id":15139,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/13557\/revisions\/15139"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/13545"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?par
ent=13557"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=13557"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=13557"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}