It’s the digital security training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Not just phoning it in
According to a State Department cable obtained by The Washington Post, someone is using AI to impersonate Secretary of State Marco Rubio’s voice and to send text messages over Signal. According to the cable, these messages were directed to “at least five non-Department individuals, including three foreign ministers, a U.S. governor, and a U.S. member of Congress,” and used the display name “[email protected]” in Signal messages. At the time of the report, the Post suggests U.S. officials had not yet identified the impersonator.
What you can do
- Don’t write it off! We see a lot of headlines pegging this story to Scary New AI. What this story most reminds me of, though, comes from back in 2019. Security researcher and CEO of SocialProof Security Rachel Tobac showed how voice-cloning tools can be used to compromise the journalist Donie O’Sullivan, particularly in combination with some publicly accessible information. (Thank you for volunteering as tribute, Donie.) I do think the spread of cheap and convincing voice-cloning tools meaningfully lowers the barrier to entry here, and it’s therefore something journalists should take note of.
- Use trusted contact channels instead. This experience probably rhymes with something you’ve seen before: You have probably gotten a message from someone claiming to be a familiar entity like the U.S. Postal Service or UPS, a state-affiliated organization like a toll collector or the Internal Revenue Service, or perhaps even someone impersonating your boss. Regardless, don’t just look at — or listen to — the messages. Where is this coming from? If you can’t be absolutely sure that this came from a familiar source, go find a known source and verify it there. Someone claiming to be USPS? Don’t click their links. Go to the USPS website and see what you can find instead. Someone claiming to be your boss? Hit them up wherever you normally talk to verify. The bottom line is, you don’t need to take their word for it.
Updates from our team
- Are you a documentary filmmaker? You can still join our fifth annual Digital Security Clinic for Filmmakers. This four-session virtual training course takes place once a week between July 15 and Aug. 5. You read that right — this means we have run the first session already. But it’s not too late to join the three remaining sessions and consult with our digital security trainers. To participate, register here!
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Best,
Martin
–
Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation