Phishing scams are digital fraud techniques that can trick people into willingly giving up their information, thereby providing access to their secure accounts. In this article, cybersecurity expert Ben Finn explains to Reporters Without Borders (RSF) how to identify and prevent phishing scams.
Journalists and media organisations can be subjected to phishing scams due to the sensitive information they work with. Scammers can gain access to a journalist’s secure accounts or sensitive information and use it to blackmail or jeopardise their positions. It could also lead to the journalists being forced to not publish a story or give up information about their sources.
Many digital security threats can be overcome with antivirus software, firewalls or encryption tools, but phishing scams are digital fraud techniques that rely on the human element: scammers will exploit people’s lack of vigilance or naivety and trick them into willingly giving up information.
Scammers use these techniques on multiple people from the same organisation or surrounding the same individual. The scam works when the information gathered from all of them is enough, taken together, to break into the organisation's or individual's digital systems and cause serious damage.
Types of phishing scams
- Common phishing techniques: Ordinary phishing scams usually take the form of spam bots on social media, scam emails, or suspicious pop-ups on websites. They encourage the victims to click on links or enter personal information. While most tech-savvy journalists are able to recognise these scams immediately, other phishing techniques may be more difficult to identify.
- “Spear phishing”: The scammer sends the victim customised emails or messages that contain specific information related to them. These are less likely to be filtered out of inboxes as spam and more likely to be opened by the victim, who may think the email is from someone they recognise.
- “Social engineering”: The scammer uses deception, often via email or phone, to manipulate the victim into divulging confidential information and to gain access to their digital systems. These scammers will create believable lies and cover stories or impersonate a company representative or a fellow worker, or may even manipulate the victim into divulging personal information such as their name, phone number, email address etc.
How to protect oneself from phishing attempts
- Limit the “administrator” rights. On digital devices, the rights to access secure systems can require a password, or can be given only to the “administrator” of the device and not to other accounts. If few people have the power to complete security verifications, scammers have fewer points of entry into a device.
- Set up identity verification methods. There could be instances where a legitimate stakeholder (partner, funder etc.) requests access to data from the digital devices of a journalist or the media organisation. Journalists and media organisations should have a robust verification process in place to confirm the claimant’s identity. As a principle, employees should not divulge any sensitive information to outsiders without specific authorisation.
- Share little information online. Journalists should be wary of the personal information they put on social media. Any information can be exploited by scammers to trick victims into believing they are speaking with someone they know.
- Regularly undergo digital security training. Journalists and media organisations should regularly participate in digital security training and remind their team members that even a mundane interaction, such as someone reaching out to confirm with them if they work for the company, can also be a way for the scammer to get deeper access into the organisation.
For more detailed information, check out RSF’s series on phishing attacks.
Written by Benjamin Finn. From Houston (USA), Benjamin has been in the IT field for a decade, during which his primary focus was the deployment of internal enterprise tools across large enterprises, including cybersecurity focused efforts. He has been engaged in training on proper security in the context of an oppressive nation-state, specifically in Myanmar. He has also been working with multiple groups in Taiwan to train them on proper security and safety measures.