Phishing
Module 2: Digital attacks and Online Gender-Based Violence
Overview
- Phishing: Phishing is defined as a “cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.”(1) Once this information has been provided, the hacker can gain access to, and sell, the individual’s personal accounts and claim the hacked individual’s identity (identity theft).
- Campaigns: Phishing is a prevalent form of targeted surveillance and digital security attack that can affect journalists. Phishing campaigns can also be used to enable hackers to install surveillance technology in order to access a journalist’s personal information, data, and sources, often without the journalist’s knowledge; to blackmail them through the misuse of personal information; and to provoke self-censorship.(2)
International law and standards
Phishing attempts, whether successful or otherwise, violate journalists’ right to privacy, data protection, and freedom of expression. These abuses are characterised by continuity, because perpetrators can use different online and offline platforms to constantly re-victimise victims, including through identity theft attacks.(3)
As such, the UNSR on FreeEx has noted that targeted digital surveillance technologies and methods targeting journalists, including phishing, are “contrary to international human rights law, according to which both reporter and source enjoy rights that may be limited only in accordance with the strict requirements of Article 19(3) of the ICCPR.”(4)
National laws
Civil and criminal liability under national laws regulating cybercrimes or computer misuse could be used to address phishing attacks against journalists.(5) As noted, 39 out of the 54 listed African countries have enacted cybersecurity or cybercrime laws.(6)
Phishing in Nigeria
In Nigeria, it is commendable that Section 32 of the Cybercrimes (Prohibition, Prevention, Etc) Act of 2015 explicitly criminalises phishing,(7) while Section 22 explicitly addresses the scenario in which a phishing campaign against a journalist results in either identity theft or impersonation.(8)
For SSA countries without or with inadequate cybercrime laws, alternative legal routes that may be pursued could relate to data protection and the compromising of confidentiality and integrity of data, and/or the disclosure of personal information without the data subjects’ prior and informed consent, amounting to a violation of a journalist’s right to informational privacy.(9)
Other civil provisions, such as trespass to chattel or a breach of contract if the attack violates a website owner’s or internet service provider’s terms of use, might also be relevant.(10) Lastly, criminal offences under the Penal or Criminal Code might be relevant where, for example, a perpetrator, in carrying out a phishing attack, blackmails a journalist.