In 2007, Michael Levin retired from the United States Department of Homeland Security after a distinguished thirty-year career in law enforcement. Michael served at the Department of Homeland Security as the Deputy Director of the National Cyber Security Division. Michael previously served as the Branch Chief of the U.S. Secret Service Electronic Crimes Task Force program in Washington DC. Michael was a member of the Secret Service Electronic Crimes Special Agent program and worked around computer forensics and cybercrime investigations for over fifteen years. After this distinguished career and seeing the need, Michael founded the Center for Information Security Awareness. The CFISA (cfisa.org) brought together a group of leading academics, security and fraud experts to explore ways to increase security awareness among many audiences, including consumers, employees, businesses and law enforcement.
Unfortunately, the term “fake news” is now an everyday expression, especially in the political arena. However, accusations of fake news have been around for at least half a century, notably rising in prominence in tabloids. For decades, there has been a vigorous niche of print magazines specializing in embellished and often exaggerated articles and misleading photos about celebrities. Beyond the supermarket tabloids, most consumers of news expect real journalism with fact-checking and the multiple verification of sources. We have grown to expect the articles we read will provide the information in an objective and accurate manner.
As news media has moved from print to online, the lines between professional journalism and sensationalized blogging have been blurred. With the cost of publication and distribution online dropping to pennies, greater profit margins could be realized from audiences, especially if amateur-penned blog posts were indistinguishable from reputable news articles. As they became more profitable, the art and science of making these articles provocative and alluring has improved. On social media sites, you now regularly see articles of dubious legitimacy being reposted by friends and family members duped into spreading the message. News articles reposted on social media are frequently how the fake news stories go viral.
Beyond gathering advertising eyeballs, the use of non-mainstream online news began to fester into far more sinister purposes such as political propaganda, fraudulent schemes, and even the outright spreading of malware. Popular scams have included things like famous billionaires giving away money for liking a link, free airline tickets scams, cheap name brand sunglasses, and fabricated celebrity obituaries. Behind the scenes, some of these sites are delivering adware bugs, phishing lures, and malicious code like ransomware. This is where you as a CISO need to draw the line and protect your employees and company networks.
And this is where security awareness training comes to the rescue. Many of the same principles and best practices taught in security awareness training are powerful tools in debunking fake news. Many of the practices to unmask phishing emails can weed out fake articles. The most important lesson to communicate to your users is: Slow Down and Research. Before taking any action on any news article, readers should slow down, take a deep breath, and open their minds that this might be a fake. This can be a challenge because many of these articles are designed to provoke a visceral emotional response. Strong emotions shut down critical reasoning, which pave the way for fraud and con jobs. People need to remain as objective and calm as possible until the news can be verified.
Users being users will not be likely to follow much of this advice beyond Slow Down and Research. However, one key message you can impress upon them is to contact the IT helpdesk for advice. Therefore, it’s vital that your helpdesk have a strong understanding of the fake news verification techniques described here. Just like for phishing and emailed malware, teaching your users to reach out for help is a fundamental component of your defense.
The web URL will tell you where the article originated and with this, you can verify if the posting is from a legitimate site. Often, the fake news sites have misleading URLs that look almost legitimate but are counterfeit. The real New York Times is at “www.nytimes.com” not “NYTimes.com.co”.1 Wikipedia has a page listing some of the known fraudulent sites at https://en.wikipedia.org/wiki/List_of_fake_news_websites. This would be a good thing to share with your users as part of an awareness campaign.
Beyond the Wikipedia list of fake news websites, sites like Snopes.com and other fact checker sites have been around since 1995 to help with the verification of urban legends and fake articles on the Internet. It’s a good idea to instruct users to double-check those sites and see if this is a known bogus story. It’s easy for fake photos to be used in an article, as well as claims of corroboration and verification. Watch out for articles in all caps or those that contain bad grammar and spelling errors.
Check the authors of the article or information on the source of the article. This may give you some clues as to the legitimacy of the article. You can also search for the author’s name and see what other articles they may have written, if any. Also, look closely at the date of the article. Frequently fake articles from months ago are still being passed around as current news, despite the fact they are known fakes.
Is the article a news item or provocative opinion? Official looking blogs can appear to be hard news when in fact they are just someone’s rant. Are their facts cited in the article? Are the facts attributed to known sources or just cited without context? Many bloggers couldn’t care less about the fact-checking process and are just voicing their opinion. The “About Us” section of the site may offer information on the motivations or direction of the site publishing the information. Search for information on the website to make sure you are visiting the legitimate news site you are looking for. Make sure the article isn’t a joke or a parody. Be aware that there are increasing numbers of “fake joke” articles that look very real. That outlandish article you are reacting to could easily be satire.
As we are exposed to more and more fake news articles, society will become savvier and realize this is an ongoing problem that is not going away. The safest approach in dealing with all news articles is to verify the story independently prior to clicking on the links. It just takes a few seconds to open a browser window and conduct a search on the headline to verify. Implore your users to always consider the source and do research before reacting and sharing. Ongoing security awareness training is a great way to educate your users and reduce the risk associated with this important issue.
To read more from Michael Levin, please visit The Center for Information Security Awareness blog at cfisa.org/security-blog.html.
MODIFIED: Jul 24, 2017