...or Travel Leaves Marks on You - A. Bourdain
“Hello, this is microsoft calling regarding your pc…” you might assume that this sentence is nearing the point where everyone has heard it. The regionality of scams and the nature of just how many different ways there are to separate someone from their money isn’t particularly intuitive. Banking trojans, tech support fakes, investment fraud, impersonation of loved ones, and good old fashioned romance scams are all finding their niche somewhere in the world.
The viability of this kind of crime is highly dependent on the target. Using a sim swapping attack against someone with a flip phone and an investment broker on speed dial isn’t going to net the attacker the kind of results they want. Calling someone in Latin America to tell them they have a virus on the PC they don’t own isn’t going to get them to pay you. Banking Trojans thrive in places where electronic transfer of funds has become a preferred way to pay. The “GLOBAL THREAT LANDSCAPE” (a phrase I’ve come to loathe) looks a whole lot more personalized when you’re away from home.
Whether you’re doing a risk assessment for a story, a threat modeling exercise for the organization, or planning international travel it pays to widen the scope of your search to include regional threats that may become applicable as circumstances change. Typical attacks on small and medium businesses are only your end of the story.
The risks sources face might not always be familiar to a journalist, or even newsroom IT/security. Finding a way to get a local perspective on risk should be done early in the process. Striking a good balance between paranoia and performance can feel impossible, and deadlines do not help. Having everyone involved apprised of the potential consequences and openly discussing the status of mitigation efforts can unfortunately be devalued during crunch time. Giving the editors the information necessary to decide the fate of a story is a fraught endeavor.
It took me almost three years to get an editor to understand that the risk assessment should be part of green-lighting a story, not an afterthought while booking travel or writing a final draft.
P.S. - Growing the geographic point of view of your security policy won’t happen overnight, and you’re going to have to advocate for the time and resources necessary. Just looking for regional risks for this piece was by far the hardest part, and I'm someone who has been planning a crowd sourced (and vetted) database of regional risks and border crossing information for several months.
Comments