Phishing scams use deceptive messages to steal personal information from victims to access their accounts. In this second article of a three-part multimedia series on phishing scams, Reporters Without Borders (RSF) outlines the five most common phishing techniques journalists may come across, and how they can counter them.
Phishing is a form of cybercrime which consists of tricking someone into revealing personal information and account logins through deceptive messages and links. This type of attack may be used by governments, companies, or individuals who want to compromise a journalist’s work, identify their contacts, or steal money from them.
1) Email phishing
What is it? Email phishing typically involves either a message presenting a new business opportunity using the name of a real person, or a notification that the recipient’s account has been hacked. The email will trick the victim into clicking on a link, by offering to contact a person or to reset a password, while actually redirecting to a malicious website.
How to protect oneself? When in doubt, verify that the email address displayed is legitimate and that the link actually directs to it. In order to better protect oneself, it is also possible to modify the email service settings so that it systematically displays the senders’ full addresses. Some antivirus software also include features detecting phishing attempts.
2) HTML phishing
What is it? HTML phishing is a type of attack in which links on websites appear to lead to somewhere safe, like Facebook or an email login, but actually send the victim to a page that prompts them to key-in account information and password. Links may appear as an underlined “click here” or similar text, or be displayed abbreviated, so that it is hard to tell where they actually lead.
How to protect oneself? Check if the link actually goes where it seems by right-clicking on it, selecting “copy link address,” and pasting it into a text-editor. For abbreviated links, some programmes such as CheckShortURL or URLEX allow to display the full link without clicking on it.
3) Spear phishing
What is it? Spear phishing is a type of scam in which an attacker uses personal details found online about the victim to impersonate their friend or colleague in order to trick this person into handing over sensitive information.
How to protect yourself? If a known person is suddenly asking for personal or sensitive information online, verify their identity through a different means, for example by giving them a call: this person’s account could have been hacked and their information stolen.
4) Browser-in-the-browser phishing
What is it? Browser-in-the-browser (BITB) phishing displays on the victim’s browser a pop-up window asking to log into an account or hand over personal information.
How to protect yourself? Verify whether the pop-up window is legitimate by attempting to drag it outside of the original browser window. If it cannot be dragged outside of the main tab, it is probably a phishing attempt.
5) OAuth phishing
What is it? OAuth, short for Open Authorisation, is a protocol that both allows a user to log into a third-party app or website without creating an account, and that grants the app or website access to the user’s information without revealing their pseudonym or password. OAuth phishing is a deceptive scam that mimics or hacks the authentication system to steal the victim’s credentials and access their personal or professional information.
How to protect oneself? Journalists should never authenticate in an unfamiliar app using OAuth authentication. If it is necessary to log in that way, journalists should verify the legitimacy of the app or the website, review carefully what kind of information the app or website wants to access, and the risks of granting such access.