The call came from a number I didn’t recognize, with a Canadian area code.
A steely voice on the other end of the line greeted me, identifying himself as a Canadian military official.
He had a question: had I contacted him on WhatsApp, trying to ask him for information?
I took a break. As an investigative reporter at ProPublica, I contact many people all the time. But as I racked my brain, I couldn’t think of any Canadians I’d recently tried to develop as sources.
It looks like someone is pretending to be you, the man warned.
I was lost. What was Fake Me asking? Were they just using my name or my photo too? How can I be sure that the person who warned me about this imposter wasn’t an imposter themselves?
The Canadian official assured me that he would send a message from his government email to confirm his identity, and that it would include screenshots of his conversation with Fake Me. I thanked him and we exchanged a few pleasantries. Before saying goodbye, I asked him if there was anything he would like to see on an investigative reporter’s radar. (Without even realizing it, I was working with him to get information. Maybe Fake Me and Real Me aren’t so different.)
Screenshots the Canadian sent later showed someone with a Miami number using my ProPublica photo as their profile picture. I have never lived in Florida.
“This is Robert Faturechi from ProPublica,” Fake Me wrote. “I really need to contact you.”
The Canadian asked me not to publicly reveal too many details about his work, but it involves relations with other countries, including Ukraine.
I alerted our security team at ProPublica. They told me there was little we could do other than report the fake account to WhatsApp.
We did so and I put the matter behind me – until two weeks later when I received another warning.
This time it was a Latvian businessman who said he headed an organization supplying equipment to the Ukrainian army and was involved in a drone development project with Ukrainian forces.
“Hey!” the Latvian wrote to me on LinkedIn. “It was great chatting on Signal! Let’s connect here too!”
The only problem was that I had never chatted with him on Signal, the encrypted messaging app.
The Latvian contacted me on LinkedIn because he was worried about not talking to Real Me on Signal. He sent screenshots of someone using my headshot and pretending to be me.
“Am I correct in understanding that you are an expert in the field of drones? Fake Me had sent a message to the Latvian, referring to unmanned aerial vehicles, a fancy term for drones.
“My clients,” the imposter explained, “are particularly interested in the application of drones in Ukraine.”
The Latvian had offered to discuss the topic in a phone call, but Fake Me (who could be male or female) declined, saying they were not “comfortable” speaking on the phone. They asked to continue the “conversation in written form” or if the Latvian could “record a voice message on this topic”.
The Latvian, who became suspicious, insisted on a video call. Fake Me relented, sending him step-by-step instructions that they claimed would result in a secure video chat, but this actually appeared to have been an attempt to trick the Latvian into giving up access to his email account.
The Latvian finally blocked Fake Me.
The imitations were worrying. Investigative journalism is difficult enough when public trust in the media is so low and those in power are increasing attacks on journalists. Fraudsters who give potential sources another thing to worry about only make our jobs more difficult.
I can’t be sure what Fake Me does, but posing as a journalist in this way seems to be the latest development in online deception. ProPublica chronicled dark world of pig butcheryin which human traffickers in Asia force their victims to scam people by posing as friends or potential romantic interests. In these cases, the goal is cash.
But sometimes the goal is to steal sensitive information. And even the most sophisticated actors can fall victim to so-called phishing attacks, in which fraudsters impersonate legitimate entities. One of the most notable and perhaps most important cases was that of John Podesta, chairman of Hillary Clinton’s 2016 presidential campaign, was the victim of an email claiming be a Google security alert, allowing hackers to access his personal Gmail account. Thousands of his emails, some of them are very damaging to Clinton and the Democratic Party, were published online.
From the screenshots the Canadian and Latvian sent me, I could tell that Fake Me wasn’t asking for credit card information or tricking anyone into buying a gift card. It didn’t seem like a lucrative scam.
I don’t know who else they contacted, but in both cases I was alerted Fake Me seemed to be interested in foreign military personnel. Perhaps a clumsy intelligence operation?
I tried calling Fake Me using the phone number they used to reach the Canadian defense official. I received a recorded message that the line was not in service.
On Signal and WhatsApp, the number rang and rang, with no answer.
We could do even less against the second imitation than against the first.
Signal keeps extremely little information about its users; it knows when someone first created their account and the phone number they used to do so, but doesn’t store anything about the person it’s messaging. This is intentional. The hands-off approach is part of why it is a secure platform for journalists to speak securely to their sources. But it also makes it difficult to detect impostor accounts. Red flags, such as sending messages with suspicious links, are not detectable by Signal. (WhatsApp can’t see the content of messages unless a user reports them. It has the ability to see who its users are messaging, but a spokesperson said it’s rare for the company to store that data.)
Cooper Quintin, technologist at the digital privacy nonprofit Electronic Frontier Foundationsaid he had never heard of a case like mine on Signal. But overall, he noticed an increase in scams on the secure messaging application. Signal was doing what it could, he said, like adding a feature that slows down potential spammers who try to send many messages in a short period of time. Signal also makes links from unknown senders unclickable. But there are limits to what Signal can do, he said, without compromising the privacy of its users.
“It fits a trajectory. As Signal becomes more popular, more attackers are starting to view it as a potential platform for attacks,” said Quintin, who insisted we speak via video chat to be sure I wasn’t an online impersonator asking to quiz him about online identity theft.
Some platforms, like Facebook and Instagram, allow users to get verified accounts in which the site essentially confirms that they are who they say they are. But it wouldn’t be possible for Signal to do the same, said digital security expert Runa Sandvik, who consults on security issues for ProPublica. The nonprofit that runs Signal is small, and verification would require staff it doesn’t have. More importantly, she added, it would force Signal to collect more information about its users, undermining the privacy protections that make it popular.
Signal did not provide any comments for this article. A WhatsApp spokesperson said that “we have a strong track record of banning those who try to scam others and staying one step ahead of scammers and their tactics.” The spokesperson said WhatsApp “took appropriate action in accordance with our policies” against the account that impersonated me, but declined to say what that action was. In general, WhatsApp attempts to eliminate fraudulent accounts, even before they are reported, by monitoring suspicious behavior, including attempting to launch multiple accounts from a single location.
It turns out that if you’re contacted by someone pretending to be a journalist, the best way to bust the scam is to do your own reporting.
Every ProPublica reporter has a bio page. Here is mine. On my bio page you will find my Signal ID and email if you click the Contact Me button. You can always check the Signal information or email address on my bio page to verify that I am the person contacting you.
This is true for every ProPublica journalist: We all have our Signal numbers or usernames on our profiles, and we all have an email ending in @propublica.org.
The same goes for journalists from other media. If someone contacts you and you have doubts, check their website and social accounts to check their email or Signal or WhatsApp numbers. We have heard through the media and in published accounts about scams similar to mine that also hit other organizations.
They include smaller scale deceptions. The New York Times recently reported an account on X falsely claiming to be an intern for the news agency. In 2023, Reuters reported that two of its journalists in China were spoofed through Instagram and Telegram accounts attempting to obtain information about activists protesting the country’s COVID-19 policies. And this month again, a Reuters correspondent in Saudi Arabia warned his supporters that someone was pretending to be him on WhatsApp.
There are also more sophisticated campaigns that you need to be vigilant about. The German government issued a vague warning this year about what it described as likely a state-sponsored actor attempting to commandeer the Signal accounts of government officials and journalists across Europe. And last month, the FBI announced that individuals associated with Russian intelligence services were impersonating r for Signal’s security service to trick U.S. government officials and journalists into providing information that would allow hackers to take over their accounts. Once they gained access, the FBI warned, they would be able to view conversations and contact lists, and send messages as a victim.
These scams should worry anyone interested in investigative reporting. Throughout my career, I have produced sensitive reporting exposing wrongs in politics, finance, the military and law enforcement. Many of them relied on courageous people who took a leap of faith and shared information, sometimes risking their lives. I go to great lengths to protect my sources and make sure they are comfortable taking that risk. If potential sources have to doubt my identity, they may be less likely to engage.
When journalists are impersonated online, as I was, Sandvik said they should not remain silent.
“If and when it happens, be very public about it, and that’s what you’re doing right now,” she said. “Let people know it’s happening so that if they hear from you, they know it’s something to watch out for.”