Phishing scams are designed to trick people, and even the most careful person can fall victim as the tactics continuously evolve. In this final article of a three-part multimedia series on phishing scams, Reporters Without Borders (RSF) gives advice to journalists on proactive steps to take to protect themselves against phishing.
As seen in previous articles of this series, phishing is a constantly evolving, deceptive form of cybercrime that tricks victims into clicking malicious links and handing over personal information. To prevent phishing scams, journalists must employ a combination of tactics and stay aware of emerging phishing methods.
1- Adopt cautious reflexes
- Think twice before clicking on any link in an email. Instead, journalists should type the address the link refers to by hand if it seems suspicious.
- Avoid sharing information with unknown sources. When being redirected to an unknown website, it is recommended to avoid entering personal information or a password, and first verify the trustworthiness of the site. It is advised to always carefully verify where a link leads before clicking on it.
- Contact the alleged sender to ensure it’s not a scam. If in doubt, journalists should contact the person or company that supposedly sent the link through some other form of communication, such as phone or social media apps, to verify with them that they are the real sender.
2- Configure one’s email service
- Disable remote images and elements. Phishing emails may contain “remote images,” i.e. images hosted on a distant server that alert the attacker if and when the email is opened. The “remote image” feature can usually be disabled in the email service’s settings.
- Disable the display of HTML emails. Attackers can use HTML formatting to hide the true destination of linked URLs. The “HTML display” feature can usually be disabled in the email service’s settings, so that it only shows unformatted text.
- Enable the display of full addresses. Some email services only show the sender’s display name instead of their full email address (e.g. the “smart addresses” feature on iOS). This feature can usually be disabled in the email service’s settings, so that it is easier to notice when the display name does not match the email address. However, journalists should keep in mind that email addresses can be forged as well.
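The three checks in this section (display name versus real address, visible link text versus actual destination, remote images) can also be run on a saved message before it is opened in a mail client. The script below is an added example, not part of the RSF article; the sample message and all its domains are constructed, and the names `analyze`, `Scan` and `host` are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample message; every name and domain is a placeholder.
SAMPLE = '''From: "support@bank.example" <alerts@mailer.invalid>
Content-Type: text/html; charset="utf-8"

<p>Confirm your account:
<a href="http://login.portal.invalid/session">https://bank.example/login</a></p>
<img src="http://track.mailer.invalid/open.gif?id=123">
'''
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def host(url):  # hostname of a URL, accepting link text written without a scheme
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

class Scan(HTMLParser):
    """Collect (visible text, href) pairs and remotely loaded images."""
    def __init__(self):
        super().__init__()
        self.links, self.remote, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and urlparse(a.get("src") or "").scheme in ("http", "https"):
            self.remote.append(a["src"])
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def analyze(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    html = "".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    scan = Scan(); scan.feed(html)
    return {"sender": addr, "display_name": name,
            "name_mismatch": "@" in name and name.strip().lower() != addr.lower(),
            "mismatched_links": [(t, h) for t, h in scan.links
                                 if URLISH.match(t) and host(t) != host(h)],
            "remote_images": scan.remote}

if __name__ == "__main__": print(analyze(SAMPLE))
```

A link is only flagged when its visible text itself looks like a web address, so ordinary link text such as “Click here” is not reported; such links still need to be checked by looking at where they lead.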
3- Generally keep on top of digital security
- Make sure apps and software are up to date. It is easy for hackers to find exploits in outdated software, so it is crucial to keep the firmware and apps on devices updated. Equally critical is to avoid devices that no longer receive firmware or security updates from the manufacturer, which leave the user at increased risk.
- Strengthen digital security. Journalists are encouraged to maintain strong account security, such as by using strong passwords, changing them and usernames frequently, and using two-factor authentication (2FA) where practical. It is also recommended to always have antivirus software and a VPN running.
- Self-train and self-test. Journalists are encouraged to continuously deepen their knowledge of digital security. Reporters Without Borders provides a catalogue of resources for this purpose. More specifically regarding phishing attempts, Google, OpenDNS, SonicWall and the Totem Project offer quizzes on identifying and preventing phishing.