Phishing scams use deceptive messages to steal personal information from victims to access their accounts. In this first article of a three-part multimedia series on phishing scams, Reporters Without Borders (RSF) explains the risk they present for journalists, how to spot them and how to protect yourself against them.
Phishing is a type of cybercrime in which thieves use a string of deceptive emails, messages, phone calls, and links to trick their victim into revealing passwords and personal information, which is then used to hack into their private accounts. A phishing attempt usually takes the form of an email or text that seems to be from a known contact or a legitimate organisation, but is actually from an imposter. It only takes one second to click on a deceptive link, and the damage may be irreparable, so journalists should always stay on the lookout when receiving emails and think twice before handing over information.
Phishing poses significant risk to journalists
Journalists are at particular risk of being targeted by phishing scams due to the nature of their work. Governments or companies might want to track a journalist down, ruin their reputation, find out what they know, or stop a story from being published.
If a journalist falls for a phishing scam and inadvertently reveals their personal information, the consequences may be very serious: a journalist can lose their credibility and their income, and put themselves and others at risk. Adversaries might use stolen account information to identify sources and contacts; find, steal, or delete evidence; post further phishing scams from the journalist’s account, which their contacts will be more likely to trust and fall for; or identify and reach a journalist’s contacts for blackmail or harassment.
How to spot a phishing scam
- Was I expecting this message? Journalists should always be suspicious if a sender contacts them unexpectedly.
- Does the message use emotion to provoke action? Attackers might use fear, the promise of success, or friendship to get targets to act quickly or irrationally.
- Does the signature name match the email address? The name used in the email may be different from the actual email address the message was sent from. Always check the email address for accuracy, but be aware that even email addresses can be forged.
- Are there spelling mistakes? Phishing emails are often poorly written with spelling mistakes. This can include the text of the message itself or the email address. For example, a phishing scam could use “email@example.com” instead of “firstname.lastname@example.org,” tricking the eye of anyone who is not looking too closely.
- Is the link accurate? If the email contains a link, the attacker may make it look like it goes to a trusted website such as YouTube or X (Twitter), when it actually redirects somewhere else, such as a fake login page. To check, right-click or hover the cursor over the link, select “copy link address” and paste it into a text editor to display the full URL.
- Do I really need to click on the attachment? Attackers can hide malware in an attachment. Journalists should never click on an attachment unless they are 100% sure that it is from a legitimate source.