The Digital Security Digest, by Freedom of the Press Foundation (FPF), is a weekly newsletter with security tips that keep you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Posing as a journalist on Signal and WhatsApp
ProPublica’s Robert Faturechi recently published a story examining two incidents in which he learned that someone was masquerading as him, both apparently in search of information from people with connections to the war effort in Ukraine.
In the first instance, a Canadian defense official reached out and provided screenshots to warn him that someone was messaging through WhatsApp, using Faturechi’s name and profile photo. “This is Robert Faturechi from ProPublica,” the screenshots read. “I really need to get in touch with you.”
Two weeks later, the journalist received another alert. This time, the impersonator was speaking to a Latvian businessman who sells drone equipment to the Ukrainian military. The businessman became suspicious when the impersonator insisted on speaking via text, refusing to take a voice or video call. Afterward, he alerted Faturechi via LinkedIn, sharing Signal screenshots that showed that the impersonator wanted to learn more about unmanned aerial vehicles.
What you can do
As Faturechi points out, he’s not the only one with an imposter running around, and this problem, while rare, probably isn’t going away.
- Be proactive about advertising the right channels. One of the only ways to get ahead of impersonation is to make it very easy for people to find your contact information in the first place. This means posting your contact information on every channel you can, including on your newsroom’s website, social media, and your personal website. Read our guide on security considerations for confidential tip pages. We also consult with newsrooms on how to build out their tip pages and secure channels. Contact us if you need assistance.
- Double check the source of truth before reaching out. Whether you are a journalist or a potential source, you’ll want to just make sure you don’t pull a Michael Waltz and invite the wrong person into your Signal or WhatsApp messages. Many media organizations will post their journalists’ contact information in the byline. Verified users on social media accounts may also be useful shortcuts for checking that you’re talking to the right person.
- Trust your gut about unusual outreach. The Latvian businessman in this story grew suspicious because the fake Faturechi insisted on conducting the conversation via text, and refused to let their voice be heard. Trust your instincts. If something seems off, just like phishing, you can always do a quick search to find the “source of truth.”
- On WhatsApp, you can report conversations. Using the report feature, you can send Meta up to five of the last messages you received in a conversation. Learn how. Note that Signal does not have any way to decrypt your messages and does not offer an equivalent feature.
- Spotlight the imposter in your journalism. If someone impersonates you, that could be a story. But it also helps your potential sources and those who follow your work understand this possibility, and how to reach out to you safely. As Faturechi pointed out, “It turns out, if you’re contacted by someone pretending to be a reporter, the best way to scuttle their scam is to do a little reporting of your own.”
Updates from our team
- In case you missed it, my colleague Caitlin Vogus and I examined how the U.S. intelligence community may spy on Americans who use VPNs, and the need to reform foreign intelligence surveillance law. Give it a read!
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Best,
Martin
–
Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation
