Phishing Attacks

The Oxford dictionary defines phishing as:

“the activity of tricking people by getting them to give their identity, bank account numbers, etc. over the Internet or by e-mail, and then using these to steal money from them”

Phishing is a form of cybercrime perpetrated with various motives against unsuspecting victims. The attackers reach out to their victims through mediums such as emails, text messages and even phone calls, posing as legitimate entities such as businesses, organisations or individuals, and lure them into clicking links or downloading attachments carrying malware in order to compromise the victims’ devices. Once a device is compromised, the attackers can get hold of the victim’s sensitive and key information, which they then use for different purposes such as financial gain, blackmail, spying on the victim and even tracking them down.

Journalists are particularly at risk because of their critical work. Since their adversaries range from governments and corporations to private persons, different means can be deployed to compromise a targeted journalist’s devices for various goals, the consequences of which can go as far as endangering their lives.

As the International Journalists Network notes about the particular vulnerability of journalists: “Unless they cover technology, most journalists probably could not explain exactly how a cyberattack happens.”

The information that can be stolen from journalists’ devices includes contact lists, text messages, photos, emails and documents. There are many notorious phishing products the adversaries may have access to, and many of these can even remotely turn on the microphone or camera, record, and retrieve all of this information without the victim suspecting anything.

There are several methods deployed to target journalists and, as Google warned in 2020, hackers go as far as posing as journalists to gain the trust of, and hack, other journalists. As you’ll see in our following bite-sized training videos, the typical modus operandi of these attackers is to a) instil a sense of urgency and b) make the target take an action based on that sense of urgency, exploiting the extremely busy work life of a journalist.

What can journalists do against phishing?

There are many organisations specialising in the fields of digital as well as physical safety for journalists. Many list resources and tools which can be used to prevent phishing attacks. RSF Digital Helpdesk’s bite-sized training series introduces journalists to basic digital security self-help techniques; this one focuses on phishing attacks.

You can train yourself online against phishing attacks. You can follow RSF Digital Help Desk’s bite-sized course on phishing here:

1. Introduction

Taking advantage of the busy schedules of journalists, hackers operate by instilling a sense of urgency as well as the need to take an action. Oftentimes the phishing material they send has tell-tale signs, such as content that is too good to be true.

More on how the phishing attackers operate is discussed in a quick overview video below:

As you saw in the video, the attackers are getting smarter by the day. The techniques, tricks and steps they use, even in their primitive forms, can spell trouble for less advanced users. One notorious and very common technique is to fake the package delivery pages of prominent brands. The tracking feature of those pages and their realistic-looking visuals are enough to intrigue unsuspecting eyes, even when the target is not expecting a package. Similarly, decoy alerts forge the real prompts that tech giants send to warn people that their account has been compromised. These real-looking prompts lead people to believe that their account may have been hacked and that they need to change their password. Thinking they are changing their password, they end up entering their existing password into a form they believe is the password change page of a well-known tech service. Especially relevant for journalists are the so-called interview requests. This works a lot of the time because it is nothing out of the ordinary for a journalist to receive interview requests in their inbox.

The video also introduced you to some of the types of phishing attacks before preparing you for the tools and techniques you can use to defend yourself against these attacks. You can go back to the overview page for the actions you can take to prevent phishing attacks.

2. How serious is the threat

3. OAuth Phishing

4. HTML Phishing

5. Email Phishing

6. Spear Phishing

7. Browser in the Browser (BITB) Phishing

Recap of things you can do

We have compiled a summary of our recommendations discussed in the bite-sized training videos to equip you to fight everyday phishing attacks.

Research into the sender:

This research can include, for example, googling the contents of the email or the sender’s true email address. If this is a known scam, it is highly likely that other people have been targeted too.

Use a second medium:

This cannot be emphasised enough. When you receive a suspicious email from a sender you know, your best bet more than any technical solution is to double check with the sender using a second medium, for example a phone call or SMS, and ask if they really sent it.

Check URL of the website:

If, despite your precautions, you end up on a page asking for your login details, check the URL of the website. The giveaways are usually typos and misspellings in the URL designed to mislead users.
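As an added illustration of this check (example code written for this page, not an RSF tool), the Python script below pulls the hostname out of a URL and flags the usual giveaways: a brand name hiding inside an unrelated domain, a domain one character away from the expected one, and internationalised (xn--) hostnames. The list of expected domains and the sample URLs are constructed assumptions, and the domain extraction is deliberately naive (no public suffix list), so a flag is a prompt to look closer, not a verdict.

```python
from urllib.parse import urlsplit

# Constructed list of services a journalist might expect to log in to
# (an assumption for this example, not an RSF list). Replace with your own.
EXPECTED_DOMAINS = {"google.com", "dropbox.com", "dhl.com", "microsoft.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Naive: no public suffix list, so a
    host under example.co.uk would yield 'co.uk' (known limitation here)."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str) -> tuple:
    """Return (verdict, detail) for a login-page URL. Verdicts: 'not-a-url',
    'idn-hostname', 'ok', 'brand-in-other-domain', 'lookalike', 'unknown'."""
    host = urlsplit(url).hostname  # urlsplit lower-cases the hostname
    if not host:
        return ("not-a-url", url)
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised labels can hide look-alike (homoglyph) characters.
        return ("idn-hostname", host)
    reg = registrable_domain(host)
    if reg in EXPECTED_DOMAINS:
        return ("ok", reg)
    reg_name = reg.split(".")[0]
    for brand in sorted(EXPECTED_DOMAINS):
        brand_name = brand.split(".")[0]
        if brand_name in host:
            # e.g. accounts.google.com.login-verify.example: only the last
            # two labels say where you really are, the rest is decoration.
            return ("brand-in-other-domain", f"{brand} mimicked by {reg}")
        if levenshtein(reg_name, brand_name) <= 1:
            return ("lookalike", f"{reg} resembles {brand}")
    return ("unknown", reg)


if __name__ == "__main__":
    # Constructed sample URLs for the demo, not real phishing sites.
    for u in ["https://accounts.google.com/signin", "https://www.dropb0x.com/login",
              "https://accounts.google.com.login-verify.example/", "https://www.dhI.com/track"]:
        print(u, "->", check_url(u))
```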

Type it manually:

If you don’t know how you ended up on a login page, it’s always best to close it. And if you intend to login to that account, type the login URL into the address bar manually or google it.

Use URL de-shorteners:

Hiding real destination URLs behind URL shorteners is another favourite technique of the attackers. If you come across a shortened URL and you’re not sure where it leads, you don’t have to click it. There are services called URL de-shorteners that resolve it for you and show you the un-shortened, real destination link without you having to click it yourself.

Some general digital security tips can come in handy also in case of phishing attacks. Some of these tips are:

Keep software updated:

It’s crucial to keep the firmware and apps on your devices updated. Equally critical is not to use devices that no longer receive firmware or security updates from the manufacturer. The reason is that it is relatively easy for attackers to find exploits in an old piece of software, and since it is no longer supported, the manufacturer does not have to provide a fix such as a patch through an update, leaving the user at an increased risk.

Use 2 Factor Authentication:

This general digital security tip is very handy for preventing phishing attacks as well. You should enable 2 factor authentication (2FA) for your main accounts, ideally via authenticator apps. If by some chance an attacker manages to get hold of your password, they cannot immediately get in because of the 2 factor authentication. Though not fool-proof, 2FA is another layer of protection which can go a long way in protecting you against phishing attacks. You can view our digital security training video on the topic of 2FA.

Password management:

It is also a good idea to invest time in learning what makes a good and strong password and how you can stay on top of securing your passwords using tools like password managers. Watch our digital security training video on the topic of Account Security here.

There are a number of other resources you can follow.

The Totem Project:

There are also multiple external projects where easy training material is available which one can use to self-learn, at their own pace, how to arm themselves. One such project where you can take these trainings for free is the Totem Project. Check their training on phishing attacks here.

Take tests:

There are also phishing tests and quizzes available online which you can use to test yourself and see whether you can detect phishing attacks. Google is one of the third-party services which offer these tests for free. You can take the test here and see if you can detect phishing attacks on your own.

Go beyond:

It is always a good idea to go the extra mile and train yourself beyond what a bite-sized course can offer. Another course you can take is Amnesty International’s MOOC, which takes about three weeks to finish. You can access this course here.

RSF Helpdesk

Location

Berlin
Germany

Contact

030 609895330