Instant messaging

WhatsApp, Facebook Messenger, Skype, etc. There are so many Instant Messaging (IM) apps today that they are taken for granted.

Like mobile use in general, people use this software frequently and spontaneously. But they rarely, if ever, think about the security risks. How often have you used any of the above apps today? What have you used them for?

What does IM do?

IM applications provide the ability to transfer text messages, but most systems also allow users to transfer files. As a result, they can be used to spread viruses, worms, and other malware, and to bypass traditional controls on sharing sensitive company information.

As IM applications allow users to exchange files, including executable files, employees could use this mechanism to bypass controls implemented in the DMZ to install unauthorised programs. This risks unintentionally importing a worm, virus, or Trojan.

Some of the risks posed by IM solutions arise because communication with external agents is possible without being monitored. This can lead to hackers intercepting sensitive information. So in certain environments, such as the financial or defence sectors, the need for monitoring could be critical.

Sarbanes-Oxley (SOX) and the Financial Services Authority in the UK both require IM traffic to be recorded. Section 18 of the FSA’s Conduct of Business Sourcebook includes the requirement to record telephone and electronic communications, which includes IM.

Whilst most recorded phishing attacks have occurred via email, IM is a new vector that’s equally prone to this kind of attack. Messages claiming to be from banks, mobile providers or other institutions could expose sensitive data and lead to a more serious security breach. For example, one of the most basic attacks on Facebook Messenger relies on the user clicking on a URL that leads to a fake site set up to harvest their credentials.


Because IM was not designed with security in mind, any reduction in its use is highly favoured. If staff need to use it, it would be best if they used only basic functionality. They should avoid downloading files and never click on URLs.

Potential control measures for IM include:

  • Turning it off; many organisations configure their firewalls to block IM traffic altogether.
  • Logging IM traffic according to the organisation’s policy and legislative obligations.
  • Using antivirus software to scan IM traffic and identify malware in IM file transfers.
  • Educating users so that they know the risks.
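
As an added example (not part of the original course material), the Python below combines two of the controls listed above, logging and scanning IM file transfers, and shows why a scan should look at file content rather than the file name alone. It assumes an IM gateway that can see each transferred file's name and bytes; the function names, extension list and sample transfers are constructed for illustration.

```python
import hashlib
import json

# Leading bytes (file signatures) of common executable formats.
EXEC_MAGIC = {
    b"MZ": "windows-pe",
    b"\x7fELF": "elf",
    b"\xcf\xfa\xed\xfe": "mach-o-64",
    b"#!": "script",
}
# Extensions treated as executable even when no signature matches (assumed policy list).
EXEC_EXT = {".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi", ".jar"}


def classify(filename, content):
    """Return an executable-type label, or None if the file does not look executable."""
    # Check content first, so a renamed executable is still caught.
    for magic, label in EXEC_MAGIC.items():
        if content.startswith(magic):
            return label
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    return "by-extension" if ext in EXEC_EXT else None


def review_transfer(sender, recipient, filename, content):
    """Build one audit record for a file transfer and decide allow or block."""
    kind = classify(filename, content)
    return {
        "sender": sender,
        "recipient": recipient,
        "filename": filename,
        "sha256": hashlib.sha256(content).hexdigest(),  # lets responders match the file later
        "size": len(content),
        "executable_type": kind,
        "action": "block" if kind else "allow",
    }


# Constructed sample transfers (not real traffic).
SAMPLES = [
    ("alice@corp.example", "ext@partner.example", "q3-report.pdf", b"%PDF-1.7\n..."),
    ("ext@partner.example", "bob@corp.example", "invoice.pdf", b"MZ\x90\x00\x03"),
    ("ext@partner.example", "bob@corp.example", "setup.ps1", b"Write-Host hi"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(json.dumps(review_transfer(*sample)))  # one log line per transfer
```

Every transfer produces a log record, including the allowed ones, which is what a recording obligation needs; the second sample is blocked even though its name ends in .pdf.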

Diagram showing Instant Messaging users: home, mobile, external services, partner

Figure 1: Instant messaging users

What's next?

Next, you're going to look at Internet Traffic and Web Services systems, and the risks and defences involved.


In this next course you will be taking a closer look at network security issues. These include old technologies like PSTN and more recent ones like VoIP, as well as staples like email and mobile.
