How Can Journalists & Human Rights Activists Protect Against Phishing?

Image taken from Techaide (https://techaide.global/)

By Malick Nyang

Phishing (pronounced: fishing) is an attack that attempts to steal your money, or your identity, by getting you to reveal personal information such as credit card numbers, bank information, or passwords – on websites that pretend to be legitimate.

Cybercriminals typically pretend to be reputable companies, friends, or acquaintances in a fake message, which contains a link to a phishing website.

In The Gambia, there has been a steady increase in recent years of cyber-dependent crimes as a result of the absence of cybercrime legislation, inadequate detection mechanisms and the fact that the judiciary does not recognize e-evidence as admissible.

Currently, a cybercrime bill is being considered in parliament, but it has been criticised for its focus on addressing cybercrime-unrelated issues like online speech and expression instead of seeking to punish cybercrime.

The majority of proposed offences have nothing to do with cybercrime, apart from having the word ‘cyber’ or ‘computer’ attached. Instead they represent a broad effort to criminalise a wide range of speech online, from ‘false news’ and ‘prurient’ speech, to causing ‘harm’ to the ‘self-esteem’ of political figures, ARTICLE 19 said in a statement in March.

Safety of Journos & HR Defenders & the Obligation to Protect

Journalists and human rights defenders around the world face major risks as a result of their work. Governments and other powerful actors, seeking to escape scrutiny and stifle dissent, often respond to critical reporting or activism with attempts to silence them.

Threats, surveillance, attacks, arbitrary arrest and detention, and, in the gravest cases, enforced disappearance or killings, are too often the cost of reporting the truth. The protection of journalists and human rights defenders, and ending impunity for attacks against them, is a global priority for safeguarding freedom of expression.

According to ARTICLE 19, states are under an obligation to prevent, protect against, and prosecute attacks against journalists and human rights defenders. Creating a safe and enabling environment for their work necessitates legal reform, the creation of special protection mechanisms, and protocols to guide effective investigations and prosecutions where attacks occur. A free press and active civil society are essential to ensure the public’s right to know, so that governments and institutions can be held accountable.

Avoiding Spear Phishing and Advanced Persistent Threats (APT) Attacks

Recent studies have found a surprisingly high number of journalists, human rights defenders, and activists who have experienced cyberattacks. Most of these attacks targeted those who received phishing emails and email attachments. These individuals are often targets because of the information they possess or distribute and their popularity.

One needs to differentiate between an authentic email address and an authentic email. Remember that hackers can use spoofing techniques to send you an email that appears to come from a trustworthy friend or colleague. Victims mostly trust the content and perform the requested action because the email address is real, when in fact it has been spoofed by hackers.
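One way to check whether a message is authentic even though its From address is real, shown as an added example that is not part of the original article. It assumes your mail provider stamps an `Authentication-Results` header on incoming mail; the server name `mx.newsdesk.example` and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

MY_SERVER = "mx.newsdesk.example"  # hypothetical: the server that receives your mail

# Constructed message: the From address is a real colleague's, yet the mail is forged.
SPOOFED = """\
Authentication-Results: mx.newsdesk.example; spf=fail smtp.mailfrom=bulk.invalid;
 dkim=none; dmarc=fail header.from=newsdesk.example
From: News Editor <editor@newsdesk.example>
Reply-To: editor@newsdesk-mail.invalid
To: reporter@newsdesk.example
Subject: Urgent: review the attached source list

Please open the attachment today.
"""

def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def spoof_signals(raw, my_server=MY_SERVER):
    """List reasons to doubt that the From address really sent this message."""
    msg = message_from_string(raw)
    signals, results = [], {}
    # Only trust results stamped by our own server; a sender can forge this header too.
    for value in msg.get_all("Authentication-Results", []):
        server, _, rest = value.partition(";")
        if server.strip().lower() == my_server:
            results.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()))
    for method in ("spf", "dkim", "dmarc"):
        verdict = results.get(method, "missing")
        if verdict != "pass":
            signals.append(f"{method}={verdict}")
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        signals.append(f"replies go to {reply_dom}, not {from_dom}")
    return signals

if __name__ == "__main__":
    print(spoof_signals(SPOOFED))
```

An empty list means the sender checks passed and replies return to the same domain; it says nothing about whether the colleague's own account has been taken over.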

Recently researchers discovered an APT group based in China, tracked as TA412 or Zirconium, targeting U.S.-based journalists largely using spear phishing attacks.

Fake domains are another challenge in spear phishing attacks, where victims can’t see a minor difference. For example, google.com and googIe.com look the same, but one is google with a small “l” while the other is with a capital “I.” In the same way, letters of the Turkish alphabet (Ç, Ş, Ğ, I, İ, Ö, Ü) are used to create fake URLs that look trustworthy to victims who are unaware of the technicalities. Make sure you read and confirm any URL you click in your emails or messages.
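The look-alike domains described above can be caught mechanically before a link is opened. The following is an added example, not part of the original article: it folds a hostname to the shape a reader perceives (capital “I” as “l”, accented and Turkish letters as their base letters, punycode decoded) and compares it with a short list of trusted domains. The trusted list, the small confusables table and `newsdesk.example` are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit
# Domains the reader really uses; "newsdesk.example" is a made-up newsroom domain.
TRUSTED = {"google.com", "newsdesk.example"}
# Hand-picked look-alikes that have no Unicode decomposition (assumption, not exhaustive).
CONFUSABLES = {"I": "l", "1": "l", "0": "o", "ı": "i", "İ": "i"}

def decode_label(label):
    """Turn an 'xn--' (punycode) label back into the Unicode text a browser may show."""
    try:
        is_puny = label.lower().startswith("xn--")
        return label[4:].encode("ascii").decode("punycode") if is_puny else label
    except UnicodeError:
        return label

def skeleton(host):
    """Fold a hostname to the plain ASCII shape a hurried reader perceives."""
    out = []
    for ch in host:
        ch = CONFUSABLES.get(ch, ch)
        # NFKD splits letters such as Ö, Ş, Ğ into base letter + accent; drop the accent.
        out += [c.lower() for c in unicodedata.normalize("NFKD", ch)
                if not unicodedata.combining(c)]
    return "".join(out)

def host_of(url):
    """Hostname exactly as written (urlsplit().hostname would lowercase a capital I)."""
    netloc = urlsplit(url).netloc
    host = netloc.rsplit("@", 1)[-1].split(":", 1)[0].rstrip(".")
    return ".".join(decode_label(part) for part in host.split("."))

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

def check_link(url, trusted=TRUSTED):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    host = host_of(url)
    for dom in sorted(trusted):
        if host.isascii() and _under(host.lower(), dom):
            return "trusted", dom
    for dom in sorted(trusted):
        if _under(skeleton(host), skeleton(dom)):
            return "lookalike", dom
    return "unknown", None

if __name__ == "__main__":
    # Constructed sample links; none come from a real message.
    for url in ("https://accounts.google.com/", "https://googIe.com/login",
                "https://newşdesk.example/reset"):
        print(check_link(url), url)
```

The table here only covers the Latin-alphabet tricks the article mentions; look-alikes drawn from other scripts need the full Unicode confusables data.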

The Types of Phishing Attacks

1. Email phishing: A common type of phishing that uses deceptive emails that appear to be from a legitimate company.

2. Spear Phishing: A targeted approach that sends malicious emails to specific people or groups, such as a company’s system administrator.

3. Whaling: Targets high-level executives, such as CEOs and CFOs.

4. Vishing: Also known as voice phishing, this type of phishing uses the phone to steal information or money.

5. HTTPS Phishing: A URL-based attack that tricks users into clicking a seemingly safe link.

6. Angler Phishing: Uses fake social media accounts belonging to well-known organizations to lure users to fake URLs.

7. Search Engine Phishing: Also known as SEO poisoning or SEO Trojans, this type of phishing involves hackers working to become the top hit on a search engine.

8. Sextortion: A phishing scam where a hacker sends an email that appears to have come from you and claims to have access to your email account and computer.

Phishing attacks can also be carried out through text messages, fake websites, and malicious files.

How To Recognize Phishing

Scammers use email or text messages to try to steal your passwords, account numbers, or Social Security numbers. If they get that information, they could get access to your email, bank, or other accounts. Or they could sell your information to other scammers. Scammers launch thousands of phishing attacks like these every day — and they’re often successful.

Scammers often update their tactics to keep up with the latest news or trends, but here are some common tactics used in phishing emails or text messages:

Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. You might get an unexpected email or text message that looks like it’s from a company you know or trust, like a bank or a credit card or utility company. Or maybe it’s from an online payment website or app. The message could be from a scammer, who might:

  • say they’ve noticed some suspicious activity or log-in attempts — they haven’t
  • claim there’s a problem with your account or your payment information — there isn’t
  • say you need to confirm some personal or financial information — you don’t
  • include an invoice you don’t recognize — it’s fake
  • want you to click on a link to make a payment — but the link has malware
  • say you’re eligible to register for a government refund — it’s a scam
  • offer a coupon for free stuff — it’s not real

Here’s a real-world example of a phishing email:

Photo taken from Federal Trade Commission (consumer.ftc.gov)

Imagine you saw this in your inbox. At first glance, this email looks real, but it’s not. Scammers who send emails like this one are hoping you won’t notice it’s a fake.

Here are signs that this email is a scam, even though it looks like it comes from a company you know — and even uses the company’s logo in the header:

  • The email has a generic greeting.
  • The email says your account is on hold because of a billing problem.
  • The email invites you to click on a link to update your payment details.

While real companies might communicate with you by email, legitimate companies won’t email or text with a link to update your payment information. Phishing emails can often have real consequences for people who give scammers their information, including identity theft. And they might harm the reputation of the companies they’re spoofing.

Journalists in exile face a range of digital security challenges unique to their individual circumstances. These include hacking attempts on their accounts, online harassment, and attacks on their websites or blogs. This guide provides journalists with practical steps they can take to better ensure their safety.

General Guidance for Journalists

  • Journalists should research the tech capacity of those that they feel threatened by. To do this, you can look up the name of the person, group, or authority targeting you alongside keywords, such as spyware, phishing attacks, surveillance, and hacking.
  • Know the laws and regulations of the countries you are traveling to or through with regards to encryption and the use of pirated software. Read CPJ’s guide on border crossings and digital safety for more information.
  • Stay up to date with the latest news on technology, especially in the region you are from and the region you are now living in. Sign up to tech newsletters which are often put out by major news outlets. Look for news on hacking, changes to laws around surveillance or encryption, as well as developments in business related to technology.

Ways to Protect against Phishing

  • Use strong passwords: Avoid reusing passwords, which is a common way for attackers to gain access to accounts.
  • Enable two-factor authentication (2FA): This adds an extra layer of security by requiring a code in addition to your password to log in.
  • Be careful with links and attachments: Don’t click on links in suspicious emails or messages. If you receive a suspicious message, you can open a new tab in your browser and go to the organization’s website from a saved favorite or search. Avoid downloading attachments, or if you do, do so in a secure environment.
  • Use secure communication: If you’re working on sensitive issues, use encrypted channels or a secure space to communicate.
  • Review privacy settings: On social media, minimize the amount of personal data you share, keep your accounts private, and disable search engine visibility.
  • Use a password manager: A password manager can help protect your accounts from being compromised.
  • Get help: If you’re unsure about your digital security, you can reach out to a rapid response helpdesk for an online security check.