Journalists and newsrooms are increasingly the victims of hacking and malware, and often hackers target them through their email. Virtually every "sophisticated" hack of an individual reporter or entire newsroom starts with a relatively simple attack: phishing and spear phishing.

Phishing is a social-engineering attack in which an adversary crafts an email to trick you into divulging information that could be used against you or your network; gaining access to, and ultimately commandeering, your account; or introducing malware and/or viruses onto your machine. Spear phishing is just like phishing, except the attacker uses information they already know about you to tailor the phishing email to you specifically. There are plenty of ways to be phished, and it happens incredibly frequently. Prepare yourself with our guide to mitigating or avoiding phishing and spear-phishing attacks.

What’s in your threat model?

Learn threat modeling. This is a technique that encourages you to clearly assess who your potential adversaries are, what exactly they would want to get from you, and what would happen to you if they succeeded. Try asking yourself, and others you work with, the following questions, and be as specific in your answers as you can.

  • Who would be most likely to target me?

  • How much money, time, and skill do they have to dedicate to targeting me?

  • What would they most likely want from me (e.g., money, incriminating information, access to my friends or other trusted contacts)?

  • What would happen to me if they were successful?

From there, look at how you normally communicate, and try to assess where your processes are vulnerable to those specific threats. If you’d like more information about threat modeling, have a look at Jonathan Stray’s writing on the subject, which has helped numerous journalists.

2FA to the rescue

One of the most important advances in credential security is two-factor authentication. Two-factor authentication (or 2FA) relies on the idea that services are more secure if you access them with something you know (e.g., your passphrase) and something you have (e.g., physical access to your phone). With 2FA, each login requires an extra step after you enter your password: you’ll be prompted for a six-digit code that is shown only on a device you control. The code can reach you via SMS from the service itself (as is the case with Twitter) or be displayed in an app on your phone (such as Google Authenticator or Authy). That way, if someone ever gets your password, they still cannot log in as you unless they also have physical control of your phone.

Turn on two-factor authentication for any and all services that offer it, starting with your Gmail account. Better yet, get a YubiKey, a small USB device that you either plug into your computer or tap against your phone using NFC, to do this securely. In the event that you get phished (it happens to the best of us!), no one will be able to use the password they recovered, because they would also need access to your YubiKey to make use of it.

The website Two Factor Auth has an exhaustive list of services that support 2FA, as well as direct links to directions for enabling it everywhere it’s available.

Sometimes, the "from" field is lying to you

Understand that things like the "from" field in your emails can be forged to trick you. While it’s difficult for someone to send an email using someone else’s address, it can be done. It’s also incredibly easy to create an email address that is similar enough to a contact’s to fool you.

In the first case, scrutinizing the email headers might tip you off to a forgery. However, not all email clients make this clear, or alert you when someone is attempting to trick you this way. Here’s an example of this attack in action: an email claiming to come from a legitimate Gmail address arrives in my inbox, but was not sent from one of Gmail’s real servers. This is why there is a yellow phishing warning at the top of the message.

The sending-server information recorded in an email’s headers cannot easily be forged, so it is more trustworthy than the name and address shown in the "from" field. Be aware of this threat, and choose an email client that has your protection in mind. As much as we criticize Google for being a huge monolith that reads your emails to turn them into ad revenue, Google provides a lot of protection against this attack.

The second case concerns a trick called typo-squatting: someone purchases a domain that looks a lot like a legitimate domain you’re familiar with, but is misspelled just a bit to trick you. For example, I once received an email from someone at the "gooogle" domain (notice the three o’s?!). That was a phishing attempt that wanted me to log into their phony site to steal my real Google credentials.
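As an added illustration (not part of the original article), the following Python script applies both checks described above to a raw message: it reads the receiving server's Authentication-Results header and compares the sender's domain against a list of domains you trust, flagging near-misses such as the three-o "gooogle". The trusted-domain list, both sample messages and the server name mx.newsroom.example are constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Domains the newsroom legitimately exchanges mail with (constructed list).
TRUSTED_DOMAINS = {"gmail.com", "google.com", "newsroom.example"}

# Constructed sample 1: From claims gmail.com, but the receiving server's
# Authentication-Results header records that SPF failed and DKIM is absent.
RAW_SPOOFED = b"""\
Authentication-Results: mx.newsroom.example; spf=fail smtp.mailfrom=gmail.com; dkim=none
From: Editor <editor@gmail.com>
Subject: Urgent: log in to review this document
"""
# Constructed sample 2: SPF and DKIM pass, but the sender domain has three o's.
RAW_SQUATTED = b"""\
Authentication-Results: mx.newsroom.example; spf=pass smtp.mailfrom=gooogle.com; dkim=pass
From: Google Security <alerts@gooogle.com>
Subject: Verify your account
"""

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header):
            results[method] = verdict.lower()
    return results

def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 means the two names look almost identical."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(raw, trusted=TRUSTED_DOMAINS):
    """Return warnings for a raw RFC 5322 message (empty list = nothing found)."""
    msg = message_from_bytes(raw, policy=policy.default)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    warnings = [f"{m}={v} for sender domain {domain}"
                for m, v in auth_results(msg).items() if v != "pass"]
    if domain not in trusted:  # exact match is fine; a near-miss is typo-squatting
        for t in trusted:
            if edit_distance(domain, t) <= 2:
                warnings.append(f"sender domain {domain} looks like {t}")
    return warnings
```

Run it against a message exported from your mail client ("show original" in Gmail) to see the same verdicts the yellow warning banner is based on.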

Beware attachments

Attachments can carry malware and viruses, and commonly accompany phishing emails. The best way to avoid malware from attachments is to never download them. However, downloading documents is often part of a journalist’s job. As a cardinal rule, don’t open any attachment immediately, especially if it comes from someone you do not know. If possible, ask the person who sent you the document to copy and paste the text into the email.

If you have to open the attachment, open it only in a "sandboxed" environment: a program, service, or even a dedicated machine that enforces separation between the documents you open and the computer you use. Google Drive, for example, is a very efficient sandbox. So instead of downloading an attachment and opening it on your computer, right-click on the attachment and open it in the Chrome browser. If you do not have Google Drive linked to your computer, send the attachment to Google Drive and view it from the web interface.

If you are really suspicious but still need to open the attachment, you could also use an airgapped machine (a computer that never touches a network) to view documents, and print out the ones you need for later. (Also, have a look at the Tails operating system for such a task.)

On the other hand, sometimes bad actors will send you attachments you have no intention of viewing, and those are likely to contain malware. Usually these attachments include (but aren’t limited to) JavaScript (.js/.jse) files or Windows Script files (.wsh/.wsp). Your computer might run these files automatically when you open them, and that’s one way malware gets onto your machine. Change your settings so that such files never execute, but instead open in a text editor. Ideally, whichever text editor you use should not sync to the cloud.

On Windows:

  1. Open your Control Panel, and navigate to Programs->Default Programs (a simple search for “default programs” should bring you there as well.)

  2. Select “Associate a file type or protocol with a program.”

  3. Scroll down to the file type you’ll want to change, select it, and click “Change program…”

  4. Click “More apps” in the chooser window that pops up, and select Notepad, or your text editor of choice. Click “OK” to save your changes.

While this is usually less of an attack vector for Mac users, here’s how to change a file’s default application on a Mac:

  1. Open a Finder window and do a search for the type of file you wish to change (“.js” for example).

  2. Control-click on a resulting file, and select “Get Info.”

  3. Change the “Open with:” option to your text editor of choice.

  4. Click “Change All…” so each file of that type will open in the same way.

Click with caution

Be skeptical of links in emails. There’s a simple trick for making sure a link in an email will send you to where it’s supposed to: use your mouse to hover over any link before clicking on it, to see what the actual URL is.

If it’s a link shortener instead of the full URL, don’t click on it at all. Furthermore, don’t follow links to domains you are unfamiliar with. If in doubt, search for the domain name (in quotation marks) using a privacy-preserving search engine such as DuckDuckGo to see whether it’s a legitimate website. This isn’t a 100% fix, but it’s a good precaution to take.

Finally, if you click on any link from an email, and are asked to log in, do not do it.

In-line images are little tracking beacons

Turn off your email client’s ability to display images automatically. Whenever an image is loaded into your email display, a request is made to wherever on the internet that image is hosted. Adversaries have cribbed this play from the marketing industry: they use the trick to find out who has opened their email, and when, rather like a tracking beacon. Gmail has an option to prevent images from loading automatically; turn it on immediately! Here’s how: navigate to "Settings" from the gear icon at the right of the page. In the "General" tab (the first tab), select "Ask before displaying external images".

You can always enable images to load per email, or even per sender.
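The two checks above (the real destination hidden behind a link, and remote images acting as beacons) can be automated over a message's HTML body. This Python script is an added example, not part of the original article; its sample HTML, shortener list and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Well-known URL shorteners (constructed, non-exhaustive list).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

# Constructed HTML body: the visible link text names one site while the href
# goes elsewhere; a second link uses a shortener; a 1x1 remote image is a beacon.
SAMPLE_HTML = """\
<p>Please review the document at
<a href="https://login.gooogle.com/verify">https://drive.google.com/file/abc</a></p>
<p>Or use <a href="https://bit.ly/3xyz">this short link</a>.</p>
<img src="https://track.example.net/open?id=reporter-42" width="1" height="1">
"""

class MailScanner(HTMLParser):
    """Collect anchors (href + visible text) and remote images from a message body."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and (a.get("src") or "").startswith(("http://", "https://")):
            self.images.append((a["src"], a.get("width"), a.get("height")))
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scan(html):
    """Return warnings about mismatched or shortened links and tracking images."""
    p = MailScanner()
    p.feed(html)
    warnings = []
    for href, text in p.links:
        host = urlparse(href).hostname or ""
        if host in SHORTENERS:
            warnings.append(f"shortened link {href}; real destination is hidden")
        elif text.startswith(("http://", "https://")) and urlparse(text).hostname != host:
            warnings.append(f"link text shows {urlparse(text).hostname} but goes to {host}")
    for src, w, h in p.images:  # tiny images or per-recipient tokens suggest a beacon
        if (w, h) == ("1", "1") or "?" in src:
            warnings.append(f"remote image {src} can report when you opened the mail")
    return warnings
```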

Stand up for yourself and others!

If anyone is sending you unsolicited attachments, links, or images, and seems suspiciously insistent that you open them immediately, kindly tell them to "go fly a kite!" Not only is what they’re doing rude, it could indicate that they intend to trick you and are using social pressure to get you to complete their exploit. On the other hand, be mindful of these tricks yourself, and try not to barrage people with links, images, and attachments in your own email communications. Not only does it show that you care about the safety of the people you communicate with, it encourages a culture among your connections that is alert, aware, considerate, and privacy-forward.