The call came from a number I didn’t recognize and had a Canadian area code.
A steely voice on the other end greeted me, identifying himself as an officer in the Canadian Armed Forces.
he had a question. Was I trying to contact him on WhatsApp to ask for information?
I paused. As an investigative reporter for ProPublica, I’m always in contact with a lot of people. However, when I racked my brain, I couldn’t think of any Canadians who had recently tried to develop it as a source.
It looks like someone is pretending to be you, the man warned.
I was at a loss. What was Fake Me asking? Did they just use my name and photo? How can I be sure that the person who warned me about this scammer is not actually a scammer?
Canadian officials promised to send a message from their government email to verify their identity and attach a screenshot of their conversation with Fake Me. I thanked him and we exchanged a few pleasantries. Before we parted ways, I asked him if there was anything he wanted to get noticed by an investigative reporter. (Unbeknownst to me, I was asking him for information. Maybe the fake me and the real me aren’t that different.)
A screenshot later sent by the Canadian showed someone with a Miami number using my ProPublica mugshot as a profile picture. I have never lived in Florida.
“This is Robert Fatuleci from ProPublica,” Fake Me wrote. “I really need to get in touch.”
The Canadian asked me not to reveal too many details about his work, which includes dealings with other countries, including Ukraine.
We have alerted ProPublica’s security team. They said there was little they could do other than report the fake account to WhatsApp.
We did so, and I put the issue aside – two weeks later, another alert arrived.
This time, he said he was a Latvian businessman who runs an organization that provides equipment to the Ukrainian military and is involved in a drone development project with the Ukrainian military.
“Hey!” the Latvian wrote to me on LinkedIn. “I’m glad we were able to chat on Signal! Let’s connect here too!”
The only problem is I’ve never chatted with him on Signal, an encrypted messaging app.
This Latvian reached out to me on LinkedIn, concerned that he wasn’t talking to Real Me on Signal. He sent a screenshot of someone using my mug shot claiming to be me.
“May I understand that you are an expert in the field of unmanned aerial vehicles?” Fake Me wrote to the Latvians, referring to unmanned aerial vehicles (a fancy term for drones).
“My client is particularly interested in the application of unmanned aerial vehicles in Ukraine,” the scammer explained.
The Latvian offered to discuss the matter over the phone, but Fake Me, who could be male or female, declined, saying he was “not comfortable” talking on the phone. They asked if “written conversations” could continue or if Latvians could “record audio messages on this topic.”
The Latvians became suspicious and insisted on a video call. Fake Me persisted and sent him step-by-step instructions claiming to be able to have a secure video chat, but in reality it appeared to be an attempt to trick the Latvian into giving up access to his email account.
The Latvian player eventually blocked Fake Me.
The impersonation was disturbing. Investigative reporting is difficult enough with public trust in the media so low and those in power increasing their attacks on journalists. Our job becomes even more difficult when scammers give potential sources another concern.
It’s unclear what Fake Me is up to, but impersonating a journalist in this way appears to be the latest evolution in online scams. ProPublica documents the dark world of pig butchery, where Asian human traffickers coerce victims into deceiving people by posing as friends or potential lovers. In these cases, the objective is cash.
However, sometimes the goal is to steal sensitive information. Even sophisticated attackers can also fall victim to so-called phishing attacks, where fraudsters impersonate legitimate organizations. One of the most notable and perhaps consequential cases occurred in 2016 when John Podesta, campaign chairman for Hillary Clinton’s presidential campaign, fell victim to an email disguised as a Google security alert, allowing hackers to gain access to his personal Gmail account. Thousands of his emails, some of which were highly damaging to Clinton and the Democratic Party, were published online.
Screenshot of conversation between Canadian officials and fake Robert. Retrieved and edited by ProPublica
Screenshots sent to me by Canadians and Latvians show that Fake Me is not asking for credit card information or encouraging anyone to buy gift cards. It doesn’t seem like it was a money-making scam.
I don’t know who else they contacted, but in both cases I was alerted that Fake Me appeared to be interested in foreign militaries. Maybe some clunky espionage?
I called Fake Me using the phone number I used to contact Canadian defense officials. I received a recorded message saying the line was not in use.
On Signal and WhatsApp, the phone number kept ringing but there was no answer.
The second impersonation was even more limited in what it could do than the first.
Signal retains little information about you. We know when someone first created an account and the phone number they used, but we don’t store anything about who they’re sending messages to. That’s by specification. Our hands-off approach is one of the reasons why it’s a safe platform for journalists to have safe conversations with their sources. But it also makes it difficult to catch spoofed accounts. Signal can’t detect red flags, such as sending messages with suspicious links. (WhatsApp can’t see the content of your messages unless you report them. There is a feature that lets you see who you’re messaging, but a spokesperson said the company rarely stores that data.)
Cooper Quintin, a technologist at the digital privacy nonprofit Electronic Frontier Foundation, said he’s never heard of a case like mine with Signal. But overall, he was noticing an increase in scams on secure messaging apps. He said Signal was doing what it could, including adding features to slow down spammers who try to send a large number of messages in a short period of time. Signal also prevents you from clicking links from unknown senders. But there are limits to what Signal can do without sacrificing the user privacy protections that make it so unique, he said.
“This is on a trajectory: as Signal grows in popularity, more attackers will start to see Signal as a potential platform for attacks,” Quintin said, insisting we speak via video chat to confirm that I am not an online impersonator who has asked for an interview about online impersonation.
Some platforms, such as Facebook and Instagram, allow users to obtain verified accounts. This account effectively verifies that you are who you say you are. But Luna Sandvik, a digital security expert who consults on security issues for ProPublica, said it’s not realistic for Signal to do the same thing. The nonprofit that runs Signal is small, and verification requires staffing that the nonprofit doesn’t have. More importantly, it would require Signal to collect more information about its users, undermining the privacy protections that underpin Signal’s popularity, she said.
Signal has not commented on this article. A WhatsApp spokesperson said: “We have a strong track record of banning people who try to defraud others and staying ahead of scammers and their schemes.” A spokesperson said WhatsApp “took appropriate action in line with our policies” against the account impersonating me, but declined to say what those actions were. In general, WhatsApp attempts to root out fraudulent accounts even before they are reported by monitoring for suspicious behavior, such as attempts to launch many accounts from a single location.
I’ve found that if you’re contacted by someone pretending to be a reporter, the best way to thwart the scam is to do a little reporting yourself.
All ProPublica journalists have a bio page. This is mine. on my profile page,[連絡先]Click the button and you’ll see my Signal handle and email. You can always check the Signal information or email address on my About Me page to verify it’s me contacting you.
This applies to all ProPublica reporters. We all have a Signal number or username in our profile and an email ending in @propublica.org.
The same goes for reporters from other stations. If someone contacts you and you have questions, check their website and social accounts for email, Signal, or WhatsApp numbers. We have heard through the media and through public accounts that scams similar to mine have affected other organizations.
It also includes small-scale deception. The New York Times recently flagged X’s account for pretending to be a news organization intern. In 2023, Reuters reported that two Chinese journalists were impersonated through their Instagram and Telegram accounts in an attempt to obtain information about activists protesting the country’s coronavirus policies. And just this month, a Reuters correspondent in Saudi Arabia warned his followers that someone was impersonating him on WhatsApp.
You should also be wary of more sophisticated campaigns. Earlier this year, the German government issued vague warnings about what it said were likely state-sponsored actors attempting to take over the Signal accounts of government officials and journalists across Europe. And last month, the FBI announced that individuals associated with Russian intelligence were posing as Signal’s security division to trick U.S. government officials and journalists into providing information that would allow hackers to take over their accounts. The FBI warned that once they have access, they can view conversations and contact lists and send messages as victims.
These scams should worry anyone interested in investigative reporting. Throughout my career, I have written sensitive stories exposing corruption in politics, finance, the military, and law enforcement. Many of them relied on brave individuals who took the plunge and shared information, sometimes at personal risk. I make every effort to protect my sources and make sure they are comfortable taking that risk. If a potential source has to doubt that I am who I say I am, they may be less likely to engage.
When journalists are being impersonated online, as I have experienced, Sandvik said they should not remain silent about it.
“If it happens, be very public about it and that’s what you’re doing now,” she said. “Let people know this is happening so when people hear from you, they know this is something to be aware of.”
