Following on from our article Digital Profiling for Close Protection Officers, which addresses why EP/CP officers should exercise a disciplined approach in their use of social media, this blog explores how a disinformation campaign can prevent the protection officer from being targeted by an adversary attempting to trace their principal.
What Is Disinformation?
As covered in our blog ‘Fake News’, disinformation is a step further than being mindful of your privacy and online profile. It involves taking proactive measures to maintain a false trail of information, leading any hostile reconnaissance away from you.
Generally, there is some level of information obtainable about most people in the public domain. But an active disinformation campaign will take a key piece of this and surround it with false data.
Why Is This Important?
Threat actors have evolved, and the threats that principals now face are not just physical. An unwitting EPO is a key person who will be used to facilitate an attack.
EPOs working for targeted clients face their address, email, and phone numbers being compromised by adversaries for the following reasons:
Addresses — to follow, threaten, bribe, or blackmail them.
Email — in an attempt to compromise their inbox and potential messages regarding their client or even using them as the conduit to compromise the client’s email, for instance via a phishing attack.
Phone numbers — for the same reason, phishing attacks are often delivered by SMS.
Once an email or phone is compromised, access to emails from the client’s PA or family could reveal personal details, schedules, location, and future movements. This sort of compromise is easily achieved especially if the adversary has the finances to employ certain agencies located outside the UK.
How Do EPOs Protect Their Clients From This Type of Threat?
Online security awareness and a disinformation campaign are key security measures that EPOs can take to avoid becoming targets in this sort of attack.
You should maintain your campaign on a regular basis. Your principals should be encouraged to consider the use of specialist security consultancies to provide advice and assist with the process for their entire staff.
You should follow this 4 step process:
This blog is going to assume that EPOs are already security-conscious and will focus on stage 3, populating the disinformation.
You can adapt the process if you think someone could easily find your name, but not your address or vice-versa. The aim here is to obfuscate your real details, either by overloading your address with a multitude of names or by creating a false trail of addresses.
Data is extremely valuable and is frequently sold to data mining companies. They, in turn, sell it to people to search databases that can be subscribed to for a fee. These companies range in quality, and some will accept details that are not as highly verified as others.
To begin with, you need to decide if it is your name, address, or both which you need to disguise. You need to choose the false address and details which you wish to use.
It is also important to consider ethics. If there are only two people with your name in the country, adopting the address of the other person could put them in danger.
A safe bet is to use the address of a building that is known to be uninhabited. It could be a derelict, a public building or hostel, or an address within a block of flats that do not exist. You can also add a B to an existing number or a number higher than is genuine.
Disseminating Information Online
To ensure your disinformation campaign is successful, you need to place it where it will be picked up by data collection dealers, web scrapes, and web indexing. The following can achieve quick results:
- Fill out online reviews, forms, surveys, questionnaires, and prize draws;
- Subscribe to free mailing services;
- Submit false CVs to online job sites;
- Create blog posts containing the false information you wish to associate yourself with;
- Write guest articles in publications that will be easily shared;
- Provide your information to associations that publish members details;
- Join running and sports clubs that publish results;
- Consider populating accounts such as linked-in with this information;
The disinformation campaign can be established further by building false social media profiles, which complement this information. It can be tricky to maintain some, and generally, you will need a burner phone number to set them up. But once established, they can be used to easily publicize the narrative of your choosing.
A good tip is to join local town interest groups, comment on various open posts, and ‘like’ businesses in that area. Even with a fully locked social media profile, there are ways to establish groups that people have joined and posts that other people have tagged them in.
Not Actively Trading
Another potential step in your disinformation campaign is registering a company, and it does not even have to actively trade. You can register a business with an address provided by a business formations company.
Details from Companies House generally fill a significant proportion of a Google search and can help bury information that is proving difficult to remove. This, however, will request your full name and date of birth. So it is only worth considering if that information is already in the public domain. Once you have an alias business address, you can use it when you need to register for genuine services, alternatively, a PO box may serve this purpose.
An option that can work is to purchase a cheap web domain and use deliberately false address information when registering. Some less security-conscious sites will allow this data to be published and revealed in Whois searches. By doing so, the owners of websites can be traced. Services in different geographical locations can request different forms of proof of address and this is worth researching.
Phone Numbers and Email Addresses
These can be filtered into the public domain in the same way. But it is important to have a separate “burner” number for account set up, another for your disinformation campaign, and a third to provide to services and deliveries to avoid cross-contamination.
VOIP ‘Voice Over Internet Protocol’ is a method of using internet-based phone services. It is a great tool for obtaining numbers and security, even though it is not as widely accepted in the UK as in the US.
However, Sudomail is an excellent service that allows you 3 email accounts and a phone number on a free (or very cheap) plan. The number is ideal for providing services and deliveries as it will ring to your normal phone. You can also change both the number and email addresses very easily.
What Else Should Protection Officers Be Aware Of?
To develop your privacy awareness further, you should consider using browsers with good privacy options, such as Firefox. You should also research script and tracker blockers such as uBlock Origin and Privacy Badger. They will prevent your browsing history and computer information from being shared with sites that you visit.
It is also important to use a VPN, which keeps your internet activity encrypted and prevents you from being subject to cyber-attacks through public WIFI.
A later blog will address methods that can be used to detect if someone is actively searching for you.
To discuss our security consultancy services further, please contact us:
Email – email@example.com
Phone – 0203 897 22 72
Web – www.sloaneriskgroup.co.uk