Security Experts Analyze: WhatsApp Introduces Strict Account Settings to Shield High-Risk Users From Spyware Attacks

WhatsApp is preparing to roll out a new security option designed for users who face a higher risk of targeted surveillance, including journalists, activists, and public figures. The feature, called Strict Account Settings, reflects a broader industry shift toward defensive tools that assume attackers may already be well resourced, persistent, and patient.

Once enabled, the setting places tighter limits on how people can interact with an account. Messages from unknown contacts can be restricted, and attachments or media sent by users outside a person’s contact list can be blocked outright. The idea is to reduce the attack surface that spyware operators often exploit, particularly through malicious files or unexpected message requests.

“We will always defend that right to privacy for everyone, starting with default end-to-end encryption,” WhatsApp said in a blog post. “But we also know that a few of our users — like journalists or public-facing figures — may need extreme safeguards against rare and highly-sophisticated cyber attacks.”

The move comes against the backdrop of WhatsApp’s long-running legal fight with NSO Group, the Israeli spyware vendor behind Pegasus. In 2019, WhatsApp accused NSO of abusing its infrastructure to deploy spyware against roughly 1,400 users worldwide. Meta, WhatsApp’s parent company, has since secured several favorable rulings in that case, reinforcing the platform’s argument that spyware firms should be held accountable for exploiting consumer technology at scale.

Strict Account Settings places WhatsApp alongside Apple, Google, and others that have begun offering opt-in security modes aimed at high risk users. Apple’s Lockdown Mode and Google’s Advanced Protection Program similarly trade some convenience for stronger defenses against sophisticated attacks.

Natalia Krapiva, senior tech legal counsel at digital rights group Access Now, sees the new feature as part of a necessary trend.

“It is encouraging to see more companies enabling advanced security features to protect high risk users from spyware,” Krapiva said. “While litigation is an essential tool in combating spyware, due to the high costs and jurisdictional hurdles, it may not be accessible to most victims.

“Introducing measures like this that are free and do not require advanced technical knowledge could help stop spyware harms and prevent them from happening in the future for millions of users, especially journalists, activists, and human rights defenders,” she said.

Security practitioners also view the feature as a practical response to a growing threat landscape. Adam Boynton, Senior Security Specialist at Jamf, described the update as a thoughtful attempt to make stronger protections easier to use at scale.

“WhatsApp’s new Strict Account Settings feature is a sensible step towards making stronger security easier to adopt. By bundling multiple protections into a single toggle, it mirrors the philosophy behind Apple and Android’s Lockdown Mode and is clearly a response to the rise in targeted mercenary spyware attacks against messaging platforms,” Boynton said.

“With close to three billion users worldwide, WhatsApp’s scale is exactly what makes it such an attractive target for attackers. Features like this help strike the right balance by raising the baseline level of protection without significantly degrading the user experience.

“However, no single setting should be seen as a silver bullet. Users still need to take a layered approach to security, including keeping devices and apps up to date, reviewing privacy and security settings regularly, and minimising the amount of personal information exposed through their profile,” he added.

WhatsApp says the feature will begin rolling out globally in the coming weeks. Users will be able to enable it manually by navigating to Settings, then Privacy, and selecting Advanced. For most people, everyday encryption will remain sufficient. For those who operate under the constant threat of surveillance, the company is betting that one extra switch could make a meaningful difference.