Following on from our article ‘Digital Profiling for Close Protection Officers’ which addresses why EP/CP officers should exercise a disciplined approach in their use of social media, this blog explores how a disinformation campaign can prevent the protection officer from being targeted by an adversary attempting to trace their principal.
What is Disinformation?
As covered in our blog ‘Fake News’, disinformation is a step further than being mindful of your privacy and online profile, it involves taking proactive measures to maintain a false trail of information, leading any hostile reconnaissance away from you.
Generally, there is some level of information obtainable about most people in the public domain, an active campaign will take a key piece of this and surround it by disinformation.
Why is this important?
Threat actors have evolved, the threats that principals now face are not just physical, and an unwitting EPO is a key person who will be used to facilitate an attack.
EPO’s working for targeted clients face their address, email and phone numbers being compromised by adversaries for the following reasons:
Addresses – to follow, threaten, bribe, or blackmail them.
Email – in an attempt to compromise their inbox and potential messages regarding their client or even using them as the conduit to compromise the client’s email, for instance via a phishing attack.
Phone numbers – for the same reason, phishing attacks are often delivered by SMS.
Once an email or phone is compromised, access to emails from the client’s PA or family could reveal personal details, schedules, location, and future movements. This sort of compromise is easily achieved especially if the adversary has the finances to employ certain agencies located outside the UK.
How do EPO’s protect their clients from this type of threat?
Online security awareness and a disinformation campaign are key security measures that EPO’s can take to avoid being targeted by this sort of attack.
Time should be dedicated on a regular basis to maintaining your campaign. Your principals should be encouraged to consider the use of specialist security consultancies to provide advice and assist with the process for their entire staff.
The following 4 step process should be followed:
This blog is going to assume that EPO’s are already security conscious and will focus on stage 3, populating the disinformation.
This can be adapted if you think your name could be easily found but not your address or vice versa. The aim here is to obfuscate your real details, either by overloading your address with a multitude of names or by creating a false trail of addresses.
Data is extremely valuable and is frequently sold to data mining companies who in turn sell it to people search databases which can be subscribed to for a fee. These companies range in quality, some will accept details which are not as highly verified as others.
To begin with you need to decide if it is your name, address or both which you need to disguise. You need to choose the false address and details which you wish to use. It is important to consider the ethics, if there are only two people with your name in the country, adopting the address of the other person could put them in danger. A safe bet is to use the address of a building which is known to be long term uninhabited such as derelict, a public building or hostel, or an address within a block of flats which does not exist, such as adding a b to an existing number or a number higher than is genuine.
To disseminate your false information, you need to place it where it will be picked up by data collection dealers, web scrapes and web indexing, the following can achieve quick results:
- fill out online reviews, forms, surveys, questionnaires, and prize draws
- subscribe to free mailing services
- submit false CV’s to online job sites
- create blog posts containing the false information you wish to associate yourself with.
- write guest articles in publications which will be easily shared
- provide your information to associations who publish members details
- join running and sports clubs who publish results
- consider populating accounts such as linked-in with this information.
The campaign can be established further by building false social media profiles which compliment this information, it can be tricky maintaining some and generally a burner phone number will be needed to set them up but once established they can be used to easily publicise the narrative of your choosing. A good tip is to join local town interest groups, comment on various open posts and ‘like’ businesses in that area. Even with a fully locked social media profile, there are ways to establish groups that people have joined and posts that other people have tagged them in.
Another step which can be taken is to register a company, it does not have to actively trade. You can register a business with an address provided by a business formations company. Details from Companies House generally fill a significant proportion of a google search and can help to bury information which is proving difficult to remove. This however will request your full name and date of birth so is only worth considering if that information is already in the public domain. Once you have an alias business address this can be used when you need to register for genuine services, alternatively a PO box may serve this purpose.
An option which can work is to purchase a cheap web domain and use deliberately false address information when registering, some less security conscious sites will allow this data to be published and revealed in Whois searches, this is a way that the owners of websites can be traced. Services in different geographical locations can request different forms of proof of address and this is worth researching.
Phone numbers and email addresses
These can be filtered into the public domain in the same way, it is important to have a separate “burner” number for account set up, another for disinformation and a third to provide to services and deliveries to avoid cross contamination. VOIP ‘Voice Over Internet Protocol’ is a method of using internet-based phone services, this is great for ease of obtaining numbers and security but is not as widely accepted in the UK as in the US, however Sudomail is a great service which allows you 3 email accounts and a phone number on a free (or very cheap) plan, the number is ideal for providing to services and deliveries as it will ring to your normal phone and you can change both the number and email addresses very easily.
What else should protection officers be aware of?
To develop your privacy awareness further, you should consider using browsers with good privacy options such as Firefox and research script and tracker blockers such as U Block Origin and Privacy Badger, these prevent your browsing history and computer information being shared with sites that you visit. It is also important to use a VPN, this keeps your internet activity encrypted and prevents you being subject to cyber-attacks through public WIFI.
A later blog will address methods which can be used to detect if someone is actively searching for you.
To discuss our security consultancy services further, please contact us:
Email – email@example.com
Phone – 0203 633 0672
Web – www.sloaneriskgroup.com