Is Telegram safe for the average user?

What is Telegram?

Telegram is a free cloud-based messaging app similar to WhatsApp. Besides exchanging messages, Telegram allows users to create large group chats, share files, subscribe to blogs called “channels,” post stories, place voice or video calls, send voice memos, program bots to perform automated tasks, and even buy cryptocurrency.

Founded by Russian tech entrepreneurs Pavel and Nikolai Durov in 2013, Telegram is particularly popular in Russia, India, Ukraine, and the Middle East. Its small development team is currently based in Dubai, but its servers are distributed worldwide.

The company has attracted media attention in the past due to its minimal content moderation and reluctance to cooperate with law enforcement, culminating in Pavel Durov’s departure from Russia and subsequent 2024 arrest in France.

How safe is Telegram?

For the average person, Telegram is fairly safe to use. Its security features are evidently comparable to other popular messaging apps like WhatsApp or Facebook Messenger, and installing the Telegram app won’t infect your phone with malware. But, like any other third-party app, Telegram is not entirely risk-free.

Cybersecurity experts have criticized Telegram’s default encryption settings, which are less secure than many users may believe, as end-to-end encryption is not the default setting.

In addition, Telegram’s lax content moderation has apparently made it attractive to criminals, hackers, and extremist groups, who may also appreciate the service’s alleged reluctance to cooperate with law enforcement, even when it comes to unambiguously deplorable content. Phishing may also be a problem on the platform, potentially exposing users to malware and scams.

Telegram’s main privacy and security issues

Telegram’s reputation for having a nonchalant attitude toward drugs and terrorists may not affect the average person’s experience with the app, but users should be aware of several potential privacy and security issues that could expose them to cybersecurity attacks, phishing, and other risks.

Here are some of the main privacy and security issues with Telegram:

Most messages are not fully encrypted

Telegram founder Pavel Durov has criticized WhatsApp, saying its lackluster encryption turns any phone into spyware. However, Telegram’s own default encryption settings leave much to be desired. Despite Durov’s efforts to position the app as a leader in privacy, most Telegram messages do not feature end-to-end encryption — the gold standard for private messaging.

End-to-end encryption is a process where message contents are scrambled until they reach their intended destination, making them undecipherable to third parties. In contrast, Telegram uses server-client encryption by default: meaning messages are encrypted in transit, but decrypted (unscrambled) once they reach Telegram’s servers, leaving your data potentially vulnerable to breaches. Theoretically, this could also let Telegram access your chats and hand them over to governments if required.

To protect their messages with end-to-end encryption, Telegram users need to enable a feature called Secret Chats in Telegram’s settings, a process that needs to be repeated for every new chat recipient. For group chats, end-to-end encryption is not available at all.

Telegram stores metadata

While Secret Chats render messages’ contents undecipherable to prying eyes, they can still leave some user data exposed. To combat spam and optimize performance, Telegram, like many similar messaging apps, stores certain data and metadata. This includes details such as your user name, the time you sent a message, your IP address, and other device information.

Since Pavel Durov’s arrest in 2024, the messaging app has agreed to share such user information with law enforcement more proactively, as long as they’re provided with a legitimate legal request. But even if you’re not the subject of a criminal investigation, Telegram’s collection of metadata puts your privacy at risk.

In the event of a data breach, your metadata could end up in the wrong hands. Hackers could use your IP address to track your location, monitor your online activity, and potentially hack into your device. One report even found that hackers were able to access Telegram users’ IP addresses simply by calling them via the app.

You can mask your IP address with a strong VPN, like the one included in Norton 360 Deluxe. The app’s built-in VPN will encrypt the data you send and receive online, whether you’re using Telegram or another messaging platform.

Telegram bots expose users to phishing

Like all messaging apps, Telegram struggles to contain spam. However, the platform’s reluctance to proactively moderate content may exacerbate the problem. Phishing markets, where hackers can buy leaked user data and access how-to-phish tutorials, have proliferated on Telegram, allowing even novice scammers to mount large phishing campaigns.

Phishing may be facilitated by Telegram bots — programs that perform automated tasks in the app. Anyone with some programming knowledge can create Telegram bots tailored to their needs. This makes hackers’ lives a lot easier because they can easily develop phishing bots that spam users — with little oversight from Telegram itself. Such bots have allegedly been used to infect thousands of devices with malware.

Scams on Telegram can take many forms. Users may get spam messages from strangers, or they may be added to groups advertising cryptocurrency investments, get-rich-quick schemes, drugs, or other contraband. Usually, the goal is to trick you into downloading malware or revealing sensitive information. Phishing bots also lurk in the comments section of Telegram channels, where they often mask as scantily-clad women with dangerous links in their bios.

Telegram bots’ nefarious use cases are not limited to phishing. Cybercriminals have also used them to sell confidential data obtained elsewhere. In one incident, medical reports from Star Health, India’s biggest health insurance company, were leaked by hackers and made available on Telegram, affecting more than 30 million customers.

Telegram bots programmed to facilitate crypto-trading have also been hacked, costing victims nearly $2 million.

To help see through phishing scams, get Norton Genie, our free AI-powered scam detector. Take a screenshot of the suspected phishing message and upload it to Norton Genie. Once uploaded, Genie can spot a scam in seconds, helping you stay ahead of phishing threats.

Telegram’s security features

Despite its problems, Telegram insists it takes privacy and security seriously, and has rolled out many features that protect users. Security concerns have also led the company to remove some controversial features — like the notorious People Nearby function, which allowed users to message people within a few miles of them.

Turning Telegram’s security features on (many of them are off by default) and adjusting your privacy settings can help you stay safer while using the app.

Here’s a short list of in-built Telegram security features:

Encryption

If you are not paranoid about law enforcement or Telegram itself reading your messages, the app’s standard server-client encryption should be sufficient. However, Telegram offers end-to-end encryption in individual chats — as long as you go to the trouble of turning on Secret Chats.

Secret chats ensure no one except you and the intended recipient can read your messages. They also can’t be synced between devices. Messages sent via Secret Chat can’t be forwarded, and screenshots are impossible. Users can also set a self-destruct timer to make Secret Chats vanish without a trace after an allotted time. Unfortunately, Secret Chats aren’t available for group chats.

How to start a Secret Chat on Telegram

Turning on a Secret Chat in Telegram takes some navigating through Telegram settings — here’s how to do it:

1. Pull up a contact and tap their profile picture. Click the three vertical dots in the top-right corner and choose Start Secret Chat.

2. Click Start when Telegram asks you if you’re sure you want to start a secret chat.

3. Wait for the recipient to come online and agree to enter the Secret Chat. Once they do, you can message each other with end-to-end encryption.

Authentication

Telegram offers authentication methods to keep users’ messages private. By default, they’re turned off, but you can enable them in your settings. Here’s a short overview of Telegram’s authentication settings:

• Two-factor authentication (2FA): 2FA is an extra layer of security that controls how you make changes to your Telegram account and access messages on a new device. For example, when you log into your Telegram account on a new phone or computer, you’ll get a passcode via SMS by default. If you enable 2FA, you’ll also need to enter a password. This helps protect your account if hackers gain access to your phone through a scam like SIM swapping.
• Passcode Lock: Turning on the Passcode Lock feature requires you to enter a 4-digit passcode or biometric data to access your messages. You can decide how much time elapses before auto-lock is turned on: 1 minute, 5 minutes, 1 hour, or 5 hours.

Custom privacy and security settings

Other features in Telegram’s Privacy and Security settings can help make Telegram safer, allowing you to better protect your privacy online.

Here’s an overview of Telegram’s privacy and security settings:

• Basic privacy settings: You can adjust who sees your phone number, profile photos, bio, and other information in your Privacy and Security settings. You can generally choose between “Everybody,” “My contacts,” and “Nobody.”
• Last Seen settings: By default, Telegram displays the exact time users last logged in to the app. Changing this setting to “Nobody” will make the app display an approximate time instead, such as “Online,” “Last seen recently,”  “Last seen within a week,” “Last seen within a month,” or “Last seen a long time ago” (which also displays when you block someone).
• Auto delete for messages: Turning on this feature, also called the self-destruct timer, will cause all your new messages throughout the app to disappear without a trace (for both you and the recipient) after a certain amount of time passes.
• Inactive account deletion: You can ask Telegram to automatically delete your account if you are inactive for a certain amount of time (12 months is Telegram’s standard suggestion).
• Synced contact deletion: By default, your Telegram contacts are stored on the app’s servers, which makes it easy to sync your messages between devices. However, you can ask Telegram to delete your contacts from its servers and disable contact syncing in your settings.
• Block and report: You can block and report any user on Telegram. When you get a message from someone who isn’t in your contact list, two options will automatically display right below the user name: “Add contact” and “Block user”. Clicking “Block user” opens a window that allows you to report spam and delete the chat.
• Clear chat history: You can fully clear your chat history for a specific chat by opening the chat, clicking the three vertical dots in the top-right, and selecting “Clear History”. Telegram also allows you to clear the chat for the recipient. 

Telegram Premium, a paid service, offers additional privacy benefits. For example, Telegram Premium users can prevent all people who aren’t in their phone contacts from messaging them, which helps combat phishing.

How to protect yourself on Telegram: 10 tips

Telegram is reasonably safe if you take the right precautions. Below, we list 10 tips for safeguarding your privacy and security on the app:

1. Hide your phone number: Accidentally adding a spammer to your contacts in Telegram could reveal your phone number. To help prevent this, adjust your privacy settings so nobody can see your number.
2. Don’t add strangers to your contacts: Adding someone you don’t know to your contacts on Telegram could reveal sensitive information, including your phone number, IP address, and birthday.
3. Stop others from adding you to groups: By default, anyone can add you to a group on Telegram, which can expose you to spam. To change this, open your settings, choose “Invites,” and ensure only your contacts can add you to groups.
4. Use Secret Chats: Secret Chats are the only way to ensure your messages are encrypted end-to-end, which protects them from hackers and other prying eyes. Always use private chats to discuss sensitive topics, and remember this feature isn’t available for group chats.
5. Use two-factor authentication (2FA): Activating 2FA can help ensure no one can access your Telegram account, even if hackers (or the government) intercept your text messages.
6. Create strong and unique passwords: Use strong passwords, and don’t use the same ones across multiple platforms. That way, if your password is compromised, hackers can’t use it to access your other accounts across the web. A password manager, like the one offered by Norton 360 Deluxe, can help you create and keep track of them.
7. Delete old messages or turn on Auto delete: Telegram allows you to delete any message without a trace, both for yourself and the message’s recipient. Secret Chats also have an auto-delete feature which causes messages in the chat to disappear for all users after a specified time. 
8. Avoid sharing too much personal information: It never hurts to be too cautious online. Avoid sharing personal details like your full name and address, and don’t ever share banking details or passwords, especially if you don’t know the contact personally.
9. Be careful with Telegram bots: Be suspicious of bots you encounter in Telegram channels or groups. While many bots perform fun or useful functions, others can expose you to malware or try to steal your data. Do not give them access to your contacts.
10. Use a VPN: A VPN (virtual private network) can help keep the data you send and receive online more private by masking your IP address. Norton 360 Deluxe's top-of-class VPN can help ensure your browsing remains more private.

Telegram vs other messaging apps

While Telegram’s standard encryption policy may lack transparency, the app offers many features that other messengers may not have. These include its open API and bot platform, easy syncing between devices, self-destructing messages, encrypted file sharing, and more.

Telegram’s seamless UI, hands-off moderation, and wealth of customizable settings have contributed to its popularity: it already has over 900 million monthly active users.

Read our guide to secure messaging for an in-depth comparison of the privacy and security features of popular apps like Telegram, WhatsApp, and Signal.

Remember that scams abound on WhatsApp, Telegram, and most other messaging apps and social media platforms. That makes it all the more crucial to take your online security seriously.

Secure your online messaging with Norton 360

You are never 100% safe online, despite the best efforts of messaging apps to protect users. Telegram may take pride in its privacy settings, but its apparently hands-off approach to moderation can expose you to scams and phishing. Even its supposedly private Secret Chats could leave your IP address exposed.

Norton 360 Deluxe can help you take back control of your digital life. Our robust suite of cyber-protection tools includes powerful anti-malware protection and a built-in VPN, helping ensure sensitive data like your IP address isn’t leaked and keeping your internet connection private. Plus, Norton 360 features an AI-powered scam-detection engine that helps you easily identify phishing attacks and other scams that can happen on messaging apps.

FAQs

What is Telegram used for?

Telegram is primarily used for private messaging via one-on-one chats, groups, and encrypted Secret Chats. Users can also place voice or video calls, leave voice memos, and share files. Another popular Telegram feature, channels, allows people to broadcast blog posts to large audiences. Unfortunately, due to light content moderation and a reputation for privacy, Telegram has apparently also been used for some illicit activities.

Is there extremist content on Telegram?

Yes. According to reporting, researchers and authorities in various countries have found extremist content on Telegram, including far-right extremism, terrorist propaganda, misinformation, and child exploitation material. Telegram does little to moderate groups and channels or censor hate speech, but because Telegram doesn’t have an algorithmic news feed, the average Telegram user is unlikely to encounter extremist content.

Telegram groups and channels are primarily shared by word of mouth, although a new “Similar Channels” tab was rolled out in 2023 to help users find content that’s similar to what they’re already subscribed to.

How do I delete my Telegram account?

To delete your Telegram account, open your app settings and find the Telegram FAQ section near the bottom. In the “Your Account” section, find “Delete your Telegram account” and follow the instructions.

Can people see your phone number on Telegram?

Yes. Your phone number is visible by default, although you can hide it so no one can see it by adjusting your privacy settings.

Will my contacts know when I join Telegram?

Yes. To sign up for Telegram, you must provide a phone number, and the app will request access to your contacts. Once granted, it notifies your phone contacts who are already on Telegram that you’ve joined the app. In turn, Telegram will send you notifications when someone in your phone contacts creates an account.

Are Telegram links safe?

If you get a message from a stranger via Telegram that contains a link, it almost certainly isn’t safe. Block and report Telegram messages from strangers immediately. Links to Telegram are different — URLs formatted as “t.me/somewords” lead to Telegram channels or groups, and you probably won’t get a virus just by clicking them (although you should still use caution).

Because Telegram takes a light approach to moderation, the group or channel you land on may expose you to risks. Antivirus software like Norton 360 Deluxe can help mitigate the damage if you accidentally click a malicious link.

Are Telegram messages private?

By default, Telegram messages are not 100% private, because they’re not encrypted end-to-end. Theoretically, Telegram messages could be intercepted at the server level and handed over to a government or exposed to data breaches. Telegram’s Secret Chats, which need to be turned on manually, are encrypted end-to-end, so the content of these messages is private.

Neither Telegram nor a government can access what you write in a Secret Chat. However, some metadata, like your user name, IP address, and the time you sent or received a message, may still be visible.

Why aren’t Telegram chats end-to-end encrypted by default?

Telegram’s standard server-client encryption model makes it easier to conveniently sync messages across multiple devices. Telegram apparently doesn’t want to sacrifice user-friendly functionality for privacy features that many users may not require. With its large channels and groups, Telegram is increasingly being used as a social media platform and not just a messaging app — and ironclad encryption may be unnecessary for users willingly broadcasting to millions of people.