CISA warns against unencrypted messaging due to rising cyber threats

Unencrypted messaging is no longer just outdated, it’s dangerous. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a clear warning: if you’re sending messages over standard text systems, you’re exposing yourself or your organization to real risk. Cyber attackers, especially those aligned with nation-states, are getting smarter. They’re using advanced spyware and targeted social engineering to breach mobile devices, with high-value individuals like business leaders, government officials, and military personnel in their sights.

These threat actors are exploiting private messaging apps and unencrypted communications to gain access to internal data, operational plans, and potentially classified intelligence. CISA’s message is clear: if you’re in a leadership position and communicating through channels that aren’t end-to-end encrypted, you’re providing potential adversaries with a direct line into your systems.

Business leaders and enterprise decision-makers need to take this seriously. Communications security needs to be treated just like physical security or network integrity: it’s fundamental. Review the tools you and your team use daily. Avoid message services that rely on SMS or default messaging without verified encryption. Encrypt by default or risk exposure by design. The threat landscape has shifted, and now so must the strategy.

RCS lacks full encryption support on iOS and Android

Rich Communication Services, or RCS, is the messaging protocol pushed by Google and adopted across most Android devices. It’s positioned as a modern alternative to SMS. It offers improvements like better media sharing and read receipts, but here’s the reality: RCS, in its current form across iOS and Android setups, doesn’t offer reliable end-to-end encryption across all platforms. That’s a problem.

Google has started testing encrypted RCS chat, but full rollout isn’t there yet. Apple has committed to supporting encrypted RCS messaging for iOS, and stated that this secure functionality is coming in a future software update. That might happen as early as iOS 26.2. Apple already supports end-to-end encryption in its iMessage app. But RCS is supposed to be universal. Until both platforms lock down full E2EE coverage across all devices, users are operating with false confidence.

For executives, here’s what this means: don’t assume cross-platform messages are safe just because they look modern. If you’re sharing sensitive plans or data between teams, and someone’s texting from an Android on RCS without encryption fully enabled, that data could be intercepted. So the choice isn’t whether to encrypt, it’s how soon you can eliminate all non-E2EE paths from your business communications entirely. Use messaging tools that guarantee end-to-end encryption, consistently and reliably. Waiting for full RCS encryption to be deployed is a security liability, not a policy.

Apple expected to introduce RCS encryption in upcoming iOS update

Apple is moving to bring full end-to-end encryption to RCS messaging, and not just on iPhones. According to Apple’s own statement, encrypted RCS messages will also be supported across iPadOS, macOS, and watchOS in a future software update. This marks a clear move to align with the broader industry push for secure, interoperable messaging under the RCS Universal Profile, led by the GSMA. Apple has confirmed its role in this initiative, indicating it helped lead the cross-industry effort to make this form of encryption possible.

Right now, the smart money is on iOS 26.2 as the release point for this upgrade. If Apple follows through, it fills a major gap in secure messaging between platforms. iMessage has been encrypted from the beginning, but once this update drops, standard cross-platform communication between Apple and Android could finally reach an acceptable security baseline for enterprise-grade communication.

This is important for executives and IT leaders managing mixed device fleets or BYOD ecosystems. Without end-to-end encryption in protocols like RCS, any message leaving your network environment becomes vulnerable. When the update launches, get ahead of adoption. Begin transitioning communications policies so your team’s conversations inherit encryption standards, regardless of what device they’re using. Apple taking this seriously means you should too, especially if your business values its intellectual property or customer data.

Encrypted messaging apps like Signal and WhatsApp are recommended

CISA’s recommendation is direct: if you want secure messaging now, use Signal or WhatsApp. These apps already support end-to-end encryption by default, give users control over device authentication, and make it difficult for attackers to intercept or manipulate conversations. That’s more than can be said for traditional SMS, or even for RCS in its current partial rollout state.

Organizations that are still communicating over unencrypted channels are putting a target on their backs. Leadership needs to enforce the use of vetted encrypted platforms for all teams, especially those handling sensitive data or working in high-risk sectors like finance, defense, or emerging tech.

If you’re using an iPhone, one actionable step is to disable “Send as Text Message” in Settings under the Messages section. This prevents fallback to standard SMS, ensuring messages default to iMessage and retain their encrypted layer. WhatsApp and Signal both operate independently of mobile platforms, which gives you flexibility, but users need training and clear policy enforcement to ensure these apps are used correctly and consistently.

Encrypted messaging isn’t optional at this point. It’s operational hygiene. Poor communication security invites silent data breaches and regulatory headaches down the line. Fix it fast, or be forced to clean it up later.

Specific cybersecurity recommendations for iPhone users

CISA has issued a set of clear, actionable security steps specifically for iPhone users, especially those in sensitive positions across government, business, and defense. The reasoning is straightforward: iPhones are widely used across leadership and enterprise, so securing them is critical. Attackers know this. They’re targeting these devices knowing they’re central to operational decision-making.

The recommendations include enabling Lockdown Mode, which restricts certain device functions to prevent high-level exploits. iCloud Private Relay, Apple’s privacy relay feature, is also advised. It hides your IP address and browsing activity from service providers and potential malicious intermediaries. CISA also suggests using trusted encrypted DNS services like Cloudflare, Google, or Quad9. These help prevent DNS-based attacks like redirections and unauthorized content injections.

Additionally, iPhone users should stay on top of their app permissions under the Settings > Privacy & Security menu. If an app doesn’t clearly need access to features like your location, microphone, or contacts, revoke it. Too many breaches happen because apps are given rights they don’t need, and attackers know how to exploit that.

If you’re in a leadership role, these aren’t peripheral settings. These are core security configurations. Apply them at scale across your executive and operational teams. Confirm compliance. Build processes that keep policies enforced, even as devices and permissions change. Security starts at the device level, and Apple now makes these tools available. Use them.

Android users urged to prioritize secure devices and settings

Android presents a broader ecosystem: more device manufacturers, with different patch cycles and security postures. That creates variability business leaders can’t afford to overlook. CISA is advising Android users to be highly selective when choosing devices. Stick to manufacturers with strong reputations for timely security patches and long-term update support. Samsung and Google Pixel devices typically lead in this area.

Beyond the hardware, Android users should only use RCS if end-to-end encryption is fully enabled. Be aware that without encryption clearly shown and active, messaging over RCS can still be intercepted. For browsing and communication, encrypted DNS via Private DNS settings should be enabled. Within Chrome, use the highest available privacy settings. The same applies to apps: keep Google Play Protect activated to scan for malware and flag suspicious apps.

These aren’t optional layers of defense. They form a minimum barrier to targeted attacks. If your company uses Android at scale or allows BYOD policies, start including security configuration audits as standard IT practice. Enforce device-level protections and don’t allow default configurations to persist without validation.
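
As an added example (not from CISA or this article), here is one way a configuration audit could check the Private DNS setting across a fleet. It assumes the two values were collected per device with `adb shell settings get global private_dns_mode` and `private_dns_specifier`; the resolver allowlist and the sample inventory are constructed for illustration.

```python
# Added example, not from CISA or the article. Inputs are the raw strings that
# `adb shell settings get global <key>` prints for private_dns_mode and
# private_dns_specifier (collection method assumed).

# Assumed allowlist: DNS-over-TLS hostnames of the providers the article names.
APPROVED_RESOLVERS = {
    "dns.google", "dns.quad9.net",
    "one.one.one.one", "1dot1dot1dot1.cloudflare-dns.com",
}

def classify_private_dns(mode, specifier):
    """Return (status, reason); status is 'pass', 'warn' or 'fail'."""
    mode = (mode or "").strip().lower()
    host = (specifier or "").strip().lower().rstrip(".")
    if host == "null":           # `settings get` prints "null" for an unset key
        host = ""
    if mode == "hostname":       # strict mode: no cleartext fallback
        if not host:
            return "fail", "strict mode without a resolver hostname"
        if host in APPROVED_RESOLVERS:
            return "pass", f"strict DNS-over-TLS to {host}"
        return "warn", f"strict DNS-over-TLS to unapproved resolver {host}"
    if mode == "opportunistic":  # "Automatic": encrypts only if the network resolver supports it
        return "warn", "automatic mode can fall back to cleartext DNS"
    if mode in ("", "null"):
        return "warn", "setting never written; platform default applies"
    if mode == "off":
        return "fail", "Private DNS disabled"
    return "fail", f"unrecognised mode {mode!r}"

def audit_fleet(devices):
    """Map device id -> (status, reason) for every device that is not a clean pass."""
    findings = {}
    for dev in devices:
        status, reason = classify_private_dns(dev["mode"], dev["specifier"])
        if status != "pass":
            findings[dev["id"]] = (status, reason)
    return findings

# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    {"id": "pixel-01", "mode": "hostname", "specifier": "dns.quad9.net"},
    {"id": "galaxy-02", "mode": "opportunistic", "specifier": "null"},
    {"id": "byod-03", "mode": "off", "specifier": "null"},
    {"id": "byod-04", "mode": "hostname", "specifier": "dns.example.net"},
]

if __name__ == "__main__":
    for dev_id, (status, reason) in audit_fleet(SAMPLE_FLEET).items():
        print(f"{dev_id}: {status.upper()} - {reason}")
```

The distinction worth enforcing is between the automatic mode, which is reported as a warning because it does not guarantee encryption, and the strict hostname mode pointed at an approved resolver.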

Executives relying on Android should ensure that the devices they carry, and authorize others to carry, meet the same high protection standards expected at the organizational level. Security divergence between iOS and Android doesn’t need to be a liability, but managing it requires deliberate execution.

Guidance for secure use of encrypted messaging platforms

Using encrypted messaging apps like Signal and WhatsApp is a step in the right direction, but using them incorrectly still leaves gaps. CISA outlines best practices that go beyond just downloading the right app. It’s about how the platform is used, by whom, and under what conditions. Cyber threat actors aren’t only exploiting platform flaws, they’re targeting user behavior.

The guidance is specific. Do not scan QR codes or accept group invitations from unknown sources. Those tactics are being used to insert malicious actors into message threads or to trigger malware installations via disguised links. Before joining any messaging group, confirm the legitimacy of the invitation by reaching out to the group administrator through a known, separate contact channel. It’s a small action that prevents large problems.

CISA also recommends reviewing all linked devices in encrypted messaging apps regularly. Unrecognized or outdated connected devices can be signs of unauthorized access. Remove any device you don’t actively use. Enable FIDO (Fast IDentity Online) authentication wherever possible. It’s more secure than SMS-based multi-factor authentication because it doesn’t rely on easily intercepted channels. Finally, stop using SMS-based MFA. It’s a common attack vector and should be replaced with biometric, hardware token, or FIDO-based methods.

For executives, the message is simple: tools alone are not enough. Encrypted apps need to be supported by security protocols and user discipline. It’s worth running internal training and audits for key personnel. These aren’t theoretical risks. The weaknesses being exploited today aren’t flaws in the apps, they’re lapses in how they’re used. Organizations that want to stay ahead need to control both the technical choices and the human factors.

Final thoughts

This isn’t about platform preferences or new features, it’s about mission-critical security. CISA’s message is clear: default settings, legacy protocols, and casual habits no longer cut it. Threat actors have scaled up. Nation-state targeting, social engineering, and spyware deployment are now part of the daily risk environment for leaders, not edge cases. Encrypted messaging and hardened devices aren’t nice-to-haves, they’re baseline requirements.

For executives, this is a straightforward call to action. Audit your communications stack. Enforce encrypted messaging across all endpoints. Prioritize hardware with reliable security support. Make device hygiene and user behavior part of your organization’s security culture, not reactive fixes after a breach.

Privacy isn’t a slogan. It’s infrastructure. And right now, it’s infrastructure that needs your direct attention.

Alexander Procter

December 5, 2025
